RE: Help - SFTP port 22

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Oct 2005 10:17:19 -0500

Hi Alex,

Sorry about the Andre thing. My bad.

Good, we agree on the evils of tunneling. One way or two way, it's all bad.

The RDP thing was a joke -- RDP does data encryption, but not tunneling.

Tom



Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> Sent: Thursday, October 06, 2005 9:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
> 
> http://www.ISAserver.org
> 
> 
> 
> Oooh, argument mode *on*, raising shields :P
> 
> 
> >Hi Andre,
> 
> It's Alexandre, but you may use "Alex"; the "andre" part usually confuses the heck out of English speakers, so they mangle it as "ander" anyways. Now let's not even get into the deformations my last name (Gauthier) can be seen under ;)
> 
> >Agreed. Allowing outbound VPN connections of any kind from *my* network from untrusted or low trust hosts is not allowed. It's a BIG security hole and "rights to privacy" be d*mned.
> 
> Here we agree. However, the security implications of allowing outbound access to SSH are not the same as, say, a PPtP VPN. And just so you know, an SSH tunnel doesn't go both ways; the "evil hosts" on the other side can't get back at you -- except maybe in a really unusual form of "you ran an evil thing and your client was vulnerable so a malicious SSH server overflowed it". It is single use only. It functions like telnet, but has broader uses :)
> 
> >SSH is like a weak form of RDP :-)
> 
> Uh-oh, here I take this as a personal insult :P
> But I know you're kidding; you wouldn't diss something you don't understand or have only seldom used, *would you*?
> 
> I think RDP has more security implications than SSH, from the generic
> Network Analyst point of view.
>  
> 
> > -----Original Message-----
> > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> > Sent: Thursday, October 06, 2005 9:19 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> > 
> > Well, basically, as I have stated, SCP and SFTP just execute commands on the remote side and pipe you the output through the established tunnel. (And SCP is a bit of an ugly hack, at base.)
> > 
> > If you see an SSH tunnel as a horrible security issue from a firewall admin point of view, well then you might as well see IPSEC, PPtP and VPNs in general as a security issue as well.
> > 
> > SSH is not Telnet on steroids, it's much more powerful; just keep that in mind. I do use it to "bypass" the firewall here to connect to my mail server at home by binding port 25 to my local machine here, then connecting to that.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: 6 October 2005 09:43
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> > 
> > Hi Alexander,
> > 
> > If everything is sent and received over an encrypted tunnel (a horrible security issue from a firewall admin's point of view) over a single session, then there are no secondary protocols and it should just work allowing a primary connection outbound on TCP port 22.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> > > Sent: Thursday, October 06, 2005 8:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > > 
> > > *shy cough from the Unix guy in background*
> > > 
> > > Uhm, I do not mean to intrude, but they basically are the same; they go through an SSH tunnel.
> > > 
> > > SFTP is not more secure than SCP or vice versa; they are only as secure as SSH itself. (Which means it's fine. Basically.)
> > > 
> > > They just use different interfaces, but they "work" the same, which is inside an SSH tunnel. SFTP is just designed to "look and taste" like an FTP server to the end user, but it is not dual port or anything either; it is just a matter of what application you call on the other end of the SSH connection. ISA would see both protocols as the same, from its point of view.
> > > 
> > > And in any case... WinSCP3 uses SFTP by default with fallback to SCP if that craps out. It's made like this because sometimes administrators will disable one or the other in /etc/ssh/sshd_config for various reasons.
> > > 
> > > Basically all you need to do is allow SSH (which means an outgoing connection to port 22 on the destination machine(s) (or the internet)) and you are set. That's what I did here, and it works wonderfully; I can toss and fetch files from my Linux box at home in a really, really strange fashion involving tunneling SSH inside SSH to reach a machine behind my NAT ;)
> > > 
> > > 
> > > Greg, I think you are confusing SFTP with FTPS, perhaps...
> > > 
> > > SSH is such a great protocol; it is a shame the OpenSSH implementation doesn't work fully on Windows Server 2003 yet. (At least last time I checked.) With the venue of MSH, it will be even more useful... 
> > > 
> > > (And don't you love tunneling clear-text protocols through SSH? You can use it as a "poor man's VPN" also.)
> > > 
> > > 
> > > OH and FYI, ISA *does* support some amount of FTPS; it depends on whether it is implicit or explicit, I believe... (I.E. SSL on port 21 instead of on a dedicated port).
> > > 
> > > Now of course if you're talking about the FTP application filter... Seeing how braindead the FTP client in Windows is, I don't doubt it is not supported :)
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx] 
> > > Sent: 6 October 2005 02:06
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > > 
> > > 
> > > Noel
> > > 
> > > What are you trying to achieve? My guess is you are trying to dump files to a Linux box or a Windows box running an SSH server, behind the ISA firewall. Instead of using SFTP, try using SCP. It's a more secure protocol. See if that works the same.
> > > 
> > > Greg
> > > 
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, 6 October 2005 3:05 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > > 
> > > SFTP uses TCP:989 & TCP:990; SSH uses TCP:22.
> > > Which is it that you think you're using?
> > > 
> > > No; ISA does not support FTPS.
> > > 
> > > -----Original Message-----
> > > From: Noel [mailto:noel.callander@xxxxxxx]
> > > Sent: Wednesday, October 05, 2005 5:19 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Help - SFTP port 22
> > > 
> > > Question: is SFTP supported by ISA2000EE? I can't seem to get it to work. I have opened port 22 on the ISA server but it still fails. Is there anything else that needs to be configured? I am using the winscp375 GUI on the XP workstation.
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> > > 
> > > All mail to and from this network has been scanned for viruses
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
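The thread's point is that SFTP, SCP and port forwarding all ride one outbound TCP/22 session, so the firewall cannot tell them apart; the place to decide what the tunnel may carry is the SSH server's own /etc/ssh/sshd_config, which Alex mentions. As an added example that is not from this thread or from OpenSSH, the Python below audits an sshd_config for forwarding directives still left at tunnel-permitting values; the directive names and defaults are OpenSSH's, and the two sample configs are constructed.

```python
"""Audit an sshd_config for directives that let an SSH server act as a tunnel endpoint.
Added example, not OpenSSH code; assumes OpenSSH semantics (first value of a directive
wins, absent directives take the documented OpenSSH defaults)."""
import re

# OpenSSH defaults used when the directive is absent; "no" is the hardened value for all.
DEFAULTS = {
    "allowtcpforwarding": "yes",          # -L/-R port forwarding, the "poor man's VPN"
    "allowstreamlocalforwarding": "yes",  # Unix-domain socket forwarding
    "gatewayports": "no",                 # lets other hosts reach remote forwards
    "permittunnel": "no",                 # tun(4) layer-2/3 VPN over SSH
}

def parse_sshd_config(text):
    """Effective global directives, lowercased keys. Lines inside a Match block
    are conditional and skipped until a 'Match all' line restores global scope."""
    effective, in_match = {}, False
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", raw.strip())
        if m is None:
            continue                      # blank, comment or malformed line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = value.lower() != "all"
        elif not in_match:
            effective.setdefault(key, value)  # sshd keeps the first value it sees
    return effective

def audit_tunneling(text):
    """Sorted (directive, effective value) pairs that still permit tunneling."""
    cfg = parse_sshd_config(text)
    return sorted((k, cfg.get(k, d).lower()) for k, d in DEFAULTS.items()
                  if cfg.get(k, d).lower() != "no")

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """# leaves the forwarding defaults alone, so ssh -L/-R still works
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
PermitTunnel yes
"""
HARDENED_CONFIG = """Port 22
Subsystem sftp internal-sftp
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
Match User backup
    AllowTcpForwarding yes
"""
```

Running `audit_tunneling(WEAK_CONFIG)` flags TCP and socket forwarding (never set, so the "yes" defaults apply) and PermitTunnel; the hardened config produces no findings because the forwarding re-enabled under `Match User backup` is conditional and not global.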

