Security Basics mailing list archives

Re: Alternatives to sftp?


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Thu, 16 Oct 2003 08:30:11 -0600

On Thu, Oct 16, 2003 at 01:47:17PM +0000, John Sec wrote:
> I wasn't even aware that sftp provided a way to transfer files
> without encryption.  Looking at the man page that I found online, I
> do not see this option.  How exactly can you tell it to force
> integrity without encrypting the file?  Do you think that encrypting
> the file with PGP and then using sftp to transfer the file (no
> encryption, only integrity) would save any CPU cycles?  I'm only
> asking out of curiosity now as it may come in handy in the future.

SSH offers many cyphers, and sftp uses ssh.  If you are using OpenSSH
the sftp option you need is -oCyphers=none.  I don't see any mention
of the none cypher in OpenSSH, so it may not be available.  I use the
SSH Communications Security version which does support the none
cypher.  Experiment with the different cyphers, perhaps one is fast
enough for you.

Encrypting with PGP will offer no (or very little) additional
performance, but it would allow encryption to happen at another time.
Perhaps with a lower priority over a longer period of time.

You will be using the CPU to encrypt the file, either at transmission
or in preparation for transmission.  Your performance problem stems
from you encrypting, not from the protocol overhead ssh adds.  If you
wish to see (slightly) better performance while encrypting you must
choose the right cypher and use a well optimized program.  If you are
using the stock compilation, try recompiling it with the compiler
optimizations increased.

The only way to see a large performance boost is to:

 - not encrypt
 - use a common information store (decide to not have the problem)
 - only transfer the changes (make a patch file using diff or xdelta)

Unless you are performing archive or backup functions (in which case,
live with the problem or get a dedicated network and skip the
encryption), you want to solve this problem with a common information
store.  You can do this via SAN, a database, or an LDAP server.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science
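
The "only transfer the changes" option from the list in the message above, as an added example that is not part of the original post: a simplified fixed-block delta in Python (not the diff or xdelta algorithms the post names) that shows how few bytes then need to be encrypted and sent, with a SHA-256 check on the rebuilt file. `BLOCK`, the function names and the sample data are assumptions constructed for illustration; the signature and delta would still travel over the ssh/sftp channel.

```python
import hashlib
import os

BLOCK = 4096  # assumed block size; sender and receiver must agree on it

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def signature(old):
    """Receiver side: map each block digest of the old copy to its index."""
    return {hashlib.sha256(b).digest(): i for i, b in enumerate(_blocks(old))}

def make_delta(sig, new):
    """Sender side: reference blocks the receiver already has, ship the rest."""
    ops = []
    for b in _blocks(new):
        idx = sig.get(hashlib.sha256(b).digest())
        ops.append(("copy", idx) if idx is not None else ("data", b))
    return ops, hashlib.sha256(new).hexdigest()

def apply_delta(old, ops, expected_sha256):
    """Receiver side: rebuild the new file and verify it end to end."""
    old_blocks = _blocks(old)
    out = b"".join(old_blocks[arg] if op == "copy" else arg for op, arg in ops)
    if hashlib.sha256(out).hexdigest() != expected_sha256:
        raise ValueError("rebuilt file does not match sender's digest")
    return out

def literal_bytes(ops):
    """Bytes of new data that actually have to be encrypted and sent."""
    return sum(len(arg) for op, arg in ops if op == "data")

def demo():
    # Constructed sample: a 1 MiB file with two blocks modified in place.
    old = os.urandom(256 * BLOCK)
    new = bytearray(old)
    new[10 * BLOCK:11 * BLOCK] = os.urandom(BLOCK)  # one block rewritten
    new[200 * BLOCK + 5] ^= 0xFF                    # one byte flipped
    new = bytes(new)
    ops, digest = make_delta(signature(old), new)
    assert apply_delta(old, ops, digest) == new
    return len(new), literal_bytes(ops)

if __name__ == "__main__":
    total, sent = demo()
    print(f"file: {total} bytes, literal data to send: {sent} bytes")
```

Fixed-size blocks only match data that stays block-aligned, so an insertion near the start of the file shifts every later block and defeats the matching; tools such as xdelta or rsync handle that case.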
