RE: [fw-wiz] Issues opening firewall for SSH/SecureFTP?

From: Bill Royds
Date: Thu, 12 Aug 2004 15:44:39 -0400

    Whether VPN or SSH is appropriate really depends on the situation. A contractor
    needing access to a particular server on your internal network would be better
    served by a VPN directly to that server, with a stack that blocks split
    routing when the VPN is up (no access to the internal network while the VPN is
    working). They can look at the server fully, including using something like
    Terminal Server to run installs and diagnostics. This VPN would be through your
    firewall, not terminated at your firewall.
      But if all they needed was single-purpose access, such as file transfer, then
    SFTP over SSH is generally appropriate. But remember that SSH is Secure SHELL.
    It gives command-line access to the remote machine, which means a lot of control
    over your server. Some clients and servers can restrict it to only allow SFTP,
    but one has to set things up carefully to avoid giving access to the system.

    -----Original Message-----
    [] On Behalf Of Chris Conacher
    Sent: Monday, August 09, 2004 3:35 PM
    Subject: [fw-wiz] Issues opening firewall for SSH/SecureFTP?

    Dear List

    I am currently trying to move an organization's current solution of VPN for
    external contractors performing file transfer, to SecureFTP.

    My belief has always been that SecureFTP is the appropriate solution for
    secure file transfer and the aim should always be to avoid giving remote
    access to internal networks [especially non-employee] where it is not
    specifically required.

    My question is: are there any other issues that I should be aware of with
    allowing SecureFTP/SSH through the firewall, as one of the standard pushes
    (read: knee-jerk reactions) against this appears to be that another port is
    opened on the firewall?

    1. I have worked in a lot of different organizations where VPN seems to be
    the norm for everyone, even where the only requirement is file transfer.
    2. My belief is that this is because the organization does not appreciate
    the implications of allowing non-employees access to the internal network
    and does not understand that SecureFTP is an appropriate solution.
    3. I understand that SSH is a great opportunity for tunneling attacks if an
    exploit is discovered, but I feel that it is possible to manage this
    exposure through the existence of a DMZ-based bastion host, rather than
    providing external people with access to the VPN.

    Comments appreciated.


    firewall-wizards mailing list
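As an added illustration (not part of either list post), this is the kind of careful setup Bill refers to: an OpenSSH `sshd_config` fragment that turns SSH into SFTP-only for contractor accounts and closes the tunnelling routes Chris is worried about. The group name `sftponly` and the chroot path `/srv/sftp/%u` are assumptions for the example.

```text
# Serve SFTP with the in-process subsystem so no external
# sftp-server binary has to exist inside the chroot.
Subsystem sftp internal-sftp

# Assumed group: contractor accounts are members of "sftponly".
Match Group sftponly
    # Replace the login shell with the SFTP server; no command line is reachable.
    ForceCommand internal-sftp
    # Confine the session to a per-user tree (assumed path). The chroot target
    # and every parent directory must be root-owned and not group/world-writable,
    # otherwise sshd refuses the login.
    ChrootDirectory /srv/sftp/%u
    # Close every forwarding/tunnelling path SSH would otherwise offer.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-based authentication only for this group.
    PasswordAuthentication no
```

Validate with `sshd -t` before reloading, then confirm that an interactive `ssh` login as a group member is refused while `sftp` to the same account works and stays inside its directory.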