Firewall Wizards mailing list archives

Re: Issues opening firewall for SSH/SecureFTP?


From: Victor Williams <vbwilliams () neb rr com>
Date: Thu, 12 Aug 2004 18:54:27 -0500

On the contrary. In some organizations, people must have different access to different resources, if they work there or not. What better medium to control where people go network-wise other than a VPN solution with some very restrictive access controls? Couple that with a very restrictive network access policy, and I believe you have a better solution than straight SSH/SFTP.

Example:

Because I'm anal, I not only make outside contractors VPN into the network(s) I admin, but I then make them SSH/SFTP to the bastion host in question. I do this for the external company who maintains our web content. They have to VPN in (once they are in, the access list says they can only get to the webserver), they then SSH/SFTP whatever they need to do on the webserver itself in a jail basically...they can't get out of the directory the staged web content is in.

If you're going to implement SFTP using the OpenSSH engine, you need to make the user's shell /some/location/sftp-server. Otherwise, they will have interactive shell access to your machine.

In my opinion, the VPN works smoother--if it's already in place and allows you to do granular access lists based not only on network info, but also on who you are when you log in. For us, it's already in the list of things the organization has to admin, so why introduce another resource to maintain?

Only other thing I would consider is: what is your risk in implementing SSH vs VPN? For us, the chances are much lower that someone outside the organization could get all the info they need to even get a VPN connection to the network, let alone actually gain access to anything. With SSH, you open an SSH or SFTP session and you're there...0 effort. Now that we're there, how do we compromise this and make it work for us? I just think it's a bit more difficult to do with a properly configured VPN solution.

Bastion host or not, if there's data/info on it that prying eyes should not see, it shouldn't be directly on the internet.


I am currently trying to move an organization's current solution of VPN for external contractors performing file transfer, to SecureFTP.

My belief has always been that SecureFTP is the appropriate solution for secure file transfer and the aim should always be to avoid giving remote access to internal networks [especially non-employee] where it is not specifically required.

My question is are there any other issues that I should be aware of with allowing SecureFTP/SSH through the firewall as one of the standard pushes (read knee jerk reactions) against this appears to be that another port is opened on the firewall?

1. I have worked in a lot of different organizations where VPN seems to be the norm for everyone even where the only requirement is file transfer

2. My belief is that this is because the organization does not appreciate the implications of allowing non-employees access to the internal network and does not understand that SecureFTP is an appropriate solution

3. I understand that SSH is a great opportunity for tunneling attacks if an exploit is discovered, but I feel that it is possible to manage this exposure through the existence of a DMZ-based bastion host, rather than providing external people with access to the VPN.

Comments appreciated.

Chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
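The thread above describes the bastion setup in prose only: contractors who can SFTP into a staged web-content directory and nothing else, with no interactive shell and no opportunity to tunnel. The following sshd_config fragment is an added example, not part of the original post or of either poster's configuration, showing how that restriction is expressed in OpenSSH. The directives it relies on (Match, ForceCommand, ChrootDirectory, internal-sftp) were added to OpenSSH after this 2004 thread and replace the older trick of making sftp-server the login shell. The group name "webcontractors" and the path /srv/webstage are assumptions chosen for illustration.

```text
# Added example (not from the original thread): restrict one group to
# SFTP-only, chrooted into the staged web content, with tunnelling disabled.
# "webcontractors" and /srv/webstage are assumed names for illustration.

# Global section: the SFTP subsystem must be declared outside any Match block.
Subsystem sftp internal-sftp

Match Group webcontractors
    # Run the in-process SFTP server regardless of the shell listed in
    # /etc/passwd; the user never gets an interactive session.
    ForceCommand internal-sftp

    # Confine the session to the staged content. sshd aborts the session
    # unless every component of this path is owned by root and is not
    # group- or world-writable, so give the contractor a writable
    # subdirectory (for example /srv/webstage/htdocs) rather than making
    # the chroot directory itself writable.
    ChrootDirectory /srv/webstage

    # Close the tunnelling avenues the thread worries about: no TCP, agent
    # or X11 forwarding, no tun device, no pseudo-terminal.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no

    # Key-based authentication only, so the exposed port cannot be
    # password-guessed.
    PasswordAuthentication no
```

Validate the file with `sshd -t -f /etc/ssh/sshd_config` before reloading the daemon. A mis-owned chroot does not fail the syntax check; it shows up at login time as a "bad ownership or modes for chroot directory" error in the auth log, and the contractor's SFTP client simply sees the connection close.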

