Firewall Wizards: RE: Issues opening firewall for SSH/SecureFTP?

From: Bill Royds <broyds_at_rogers.com>
Date: Thu, 12 Aug 2004 15:44:39 -0400

Whether VPN or SSH is appropriate really depends on the situation. A contractor
needing access to a particular server on your internal network would be better
served by a VPN directly to that server with a stack that blocks splitting the
routing when the VPN is up (no access to internal network when VPN is working).
They can look at the server fully, including using something like Terminal Server
to run installs and diagnostics. This VPN would be through your firewall, not
terminated at your firewall.

But if all they needed was a single-purpose access, such as file transfer, then
SFTP over SSH generally is appropriate. But remember that SSH is Secure SHELL.
It gives command line access to the remote machine, which means a lot of control
over your server. Some clients and servers can control it to only allow SFTP,
but one has to set things up carefully to avoid giving access to the system.

-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Chris Conacher
Sent: Monday, August 09, 2004 3:35 PM
To: firewall-wizards_at_honor.icsalabs.com
Subject: [fw-wiz] Issues opening firewall for SSH/SecureFTP?

Dear List

I am currently trying to move an organization's current solution of VPN for
external contractors performing file transfer, to SecureFTP.

My belief has always been that SecureFTP is the appropriate solution for
secure file transfer and the aim should always be to avoid giving remote
access to internal networks [especially non-employee] where it is not
specifically required.

My question is are there any other issues that I should be aware of with
allowing SecureFTP/SSH through the firewall as one of the standard pushes
(read knee jerk reactions) against this appears to be that another port is
opened on the firewall?

1. I have worked in a lot of different organizations where VPN seems to be
the norm for everyone even where the only requirement is file transfer
2. My belief is that this is because the organization does not appreciate
the implications of allowing non-employees access to the internal network
and does not understand that SecureFTP is an appropriate solution
3. I understand that SSH is a great opportunity for tunneling attacks if an
exploit is discovered, but I feel that it is possible to manage this
exposure through the existence of a DMZ-based bastion host, rather than
providing external people with access to the VPN.

Comments appreciated.

Chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Received on Aug 13 2004
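
The reply's point that an SSH server has to be set up carefully to allow only SFTP, and the original post's concern about tunneling, can be checked mechanically. The following is an added example, not part of the thread: it audits the `Match` block for a file-transfer group using current OpenSSH `sshd_config` directives. The group name `sftponly`, the chroot path and both sample configs are assumptions constructed for illustration.

```python
# Constructed sample configs; group name and chroot path are assumptions.
WEAK = """
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
"""
HARDENED = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
"""
# Required first word per directive (None: any value except "none"). Global
# defaults are deliberately ignored: the block must state each restriction.
REQUIRED = {"forcecommand": "internal-sftp", "chrootdirectory": None,
            "allowtcpforwarding": "no", "allowagentforwarding": "no",
            "x11forwarding": "no", "permittunnel": "no"}

def match_blocks(text):
    """Map each Match line's criteria to the {directive: value} pairs under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # sshd keeps the first value it reads
    return blocks

def audit(text, criteria="Group sftponly"):
    """Return findings for one Match block; an empty list means it passes."""
    block = match_blocks(text).get(criteria)
    if block is None:
        return ["no Match block for " + criteria]
    findings = []
    for key, want in REQUIRED.items():
        words = block.get(key, "").lower().split()
        if not words:
            findings.append(key + " not set in block")
        elif words[0] == "none" or (want and words[0] != want):
            findings.append(key + " is " + words[0])
    return findings
print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

The weak block forces the SFTP subsystem but leaves the account unconfined and forwarding unrestricted, which is the gap between "only SFTP" and "no access to the system" that the reply warns about.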