Re: [fw-wiz] Issues opening firewall for SSH/SecureFTP?
From: Victor Williams (vbwilliams_at_neb.rr.com)
To: Chris Conacher <email@example.com>
Date: Thu, 12 Aug 2004 18:54:27 -0500
On the contrary. In some organizations, people must have different
access to different resources, whether they work there or not. What better
medium to control where people go network-wise than a VPN solution
with some very restrictive access controls? Couple that with a very
restrictive network access policy, and I believe you have a better
solution than straight SSH/SFTP.
Because I'm anal, I not only make outside contractors VPN into the
network(s) I admin, but I then make them SSH/SFTP to the bastion host in
question. I do this for the external company that maintains our web
content. They have to VPN in (once they are in, the access list says
they can only get to the webserver), and then they SSH/SFTP to do whatever they
need to do on the webserver itself, basically in a jail... they can't get
out of the directory the staged web content is in.
If you're going to implement SFTP using the OpenSSH engine, you need to
make the user's shell /some/location/sftp-server. Otherwise, they will
have interactive shell access to your machine.
In my opinion, the VPN works more smoothly, if it's already in place and
allows you to do granular access lists based not only on network info,
but also on who you are when you log in. For us, it's already in the list
of things the organization has to admin, so why introduce another resource?
The only other thing I would consider is: what is your risk in implementing
SSH vs. VPN? For us, the chances are much lower that someone outside the
organization could get all the info they need to even get a VPN
connection to the network, let alone actually gain access to anything.
With SSH, you open an SSH or SFTP session and you're there... zero effort.
Now that we're there, how do we compromise this and make it work for us?
I just think it's a bit more difficult to do with a properly
configured VPN solution.
Bastion host or not, if there's data/info on it that prying eyes should
not see, it shouldn't be directly on the internet.
> I am currently trying to move an organization's current solution of VPN
> for external contractors performing file transfer to SecureFTP.
> My belief has always been that SecureFTP is the appropriate solution for
> secure file transfer and the aim should always be to avoid giving remote
> access to internal networks [especially non-employee] where it is not
> specifically required.
> My question is: are there any other issues that I should be aware of with
> allowing SecureFTP/SSH through the firewall, as one of the standard
> pushes (read: knee-jerk reactions) against this appears to be that
> another port is opened on the firewall?
> 1. I have worked in a lot of different organizations where VPN seems to
> be the norm for everyone, even where the only requirement is file transfer.
> 2. My belief is that this is because the organization does not
> appreciate the implications of allowing non-employees access to the
> internal network and does not understand that SecureFTP is an
> appropriate solution.
> 3. I understand that SSH is a great opportunity for tunneling attacks if
> an exploit is discovered, but I feel that it is possible to manage
> this exposure through the existence of a DMZ-based bastion host, rather
> than providing external people with access to the VPN.
> Comments appreciated.
firewall-wizards mailing list
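As an added example (not code from either poster, and not OpenSSH's own code), here is a small audit of the two points the thread turns on: Victor's note that an account whose login shell is not sftp-server gets a real shell, and Chris's concern about SSH tunnelling. It models the later OpenSSH mechanism for SFTP-only accounts (a Match block with ChrootDirectory and ForceCommand internal-sftp, available since OpenSSH 4.8, so not something the 2004 post could have used) and shows that the older "shell = sftp-server" trick, on its own, still leaves TCP port forwarding open because forwarding is negotiated on separate channels and does not depend on the shell. The sshd_config text, the account list, the group name sftponly, the /srv/sftp path and the user names are all constructed assumptions.

```python
"""Audit whether an sshd_config confines contractor accounts to SFTP.

Added example for this thread, not code from the posts or from OpenSSH.
The config text and the account list are constructed for illustration.
"""
import fnmatch
import re

# Constructed sshd_config: permissive global section, one Match block that
# confines members of the assumed group "sftponly".
SSHD_CONFIG = """
Port 22
AllowTcpForwarding yes
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server

Match Group sftponly
    # chroot target must be root-owned and not group/world-writable,
    # otherwise sshd refuses the login
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# Constructed accounts: (user, groups, login shell).
ACCOUNTS = [
    ("webvendor", {"sftponly"}, "/bin/sh"),                # confined by the Match block
    ("oldvendor", set(), "/usr/lib/openssh/sftp-server"),  # the post's trick: shell = sftp-server
    ("consultant", set(), "/bin/bash"),                    # ordinary interactive account
]

# sshd defaults for the keywords checked here (sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no", "permittunnel": "no"}


def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]) with lower-cased keywords.
    A Match line opens a block that runs until the next Match line."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            # "Match all" has no criteria; otherwise criteria come in keyword/pattern pairs
            criteria = {} if [t.lower() for t in toks] == ["all"] else {
                toks[i].lower(): toks[i + 1].split(",") for i in range(0, len(toks) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            (global_opts if current is None else current)[key] = value
    return global_opts, blocks


def block_applies(criteria, user, groups):
    """True if every Match criterion matches. Only User and Group are modelled;
    any other criterion (Address, Host, ...) makes the block count as not
    applying, so a restriction is never credited that cannot be confirmed."""
    for crit, patterns in criteria.items():
        if crit == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif crit == "group":
            if not any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns):
                return False
        else:
            return False
    return True


def effective_options(config_text, user, groups):
    """Match-block values override the global section; among several applicable
    Match blocks the first one to set a keyword wins, as in sshd."""
    global_opts, blocks = parse_sshd_config(config_text)
    opts = {}
    for criteria, block in blocks:
        if block_applies(criteria, user, groups):
            for key, value in block.items():
                opts.setdefault(key, value)
    for key, value in {**DEFAULTS, **global_opts}.items():
        opts.setdefault(key, value)
    return opts


def audit_account(config_text, user, groups, shell):
    """Return findings for one account; an empty list means SFTP only, inside a
    chroot, with no port forwarding, X11 forwarding or tun devices."""
    opts = effective_options(config_text, user, groups)
    forced = opts.get("forcecommand", "")
    sftp_only = (forced == "internal-sftp" or forced.endswith("sftp-server")
                 or shell.rsplit("/", 1)[-1] == "sftp-server")
    findings = []
    if not sftp_only:
        findings.append("interactive shell: no sftp ForceCommand and login shell is " + shell)
    if "chrootdirectory" not in opts:
        findings.append("no ChrootDirectory: user can roam outside the staging directory")
    # Forwarding is negotiated on separate channels, so an sftp-server login
    # shell alone does not stop it; only AllowTcpForwarding/PermitTunnel do.
    if opts["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding not 'no': SSH port forwarding (tunnelling) possible")
    if opts["x11forwarding"].lower() != "no":
        findings.append("X11Forwarding enabled")
    if opts["permittunnel"].lower() != "no":
        findings.append("PermitTunnel enabled: tun device forwarding possible")
    return findings


def audit_all(config_text=SSHD_CONFIG, accounts=ACCOUNTS):
    return {user: audit_account(config_text, user, groups, shell)
            for user, groups, shell in accounts}


if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run as-is it reports webvendor clean, oldvendor with two findings (no chroot, forwarding still allowed) and consultant with three; swap in a real sshd_config and a passwd/group listing to check a bastion host the way the post describes.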