RE: Help - SFTP port 22

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Oct 2005 09:32:18 -0500

Hi Andre,

Agreed. Allowing outbound VPN connections of any kind from *my* network from 
untrusted or low trust hosts is not allowed. It's a BIG security hole and 
"rights to privacy" be d*mned.

SSH is like a weak form of RDP :-)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> Sent: Thursday, October 06, 2005 9:19 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
> 
> http://www.ISAserver.org
> 
> Well, basically, as I have stated, SCP and SFTP just execute commands on
> the remote side and pipe you the output through the established tunnel.
> (And SCP is a bit of an ugly hack, at base.)
> 
> If you see an SSH tunnel as a horrible security issue from a firewall
> admin's point of view, well then you might as well see IPsec, PPTP and
> VPNs in general as a security issue as well.
> 
> SSH is not Telnet on steroids, it's much more powerful, just keep that
> in mind. I do use it to "bypass" the firewall here to connect to my mail
> server at home by binding port 25 to my local machine here, then
> connecting to that.
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: 6 October 2005 09:43
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
> 
> http://www.ISAserver.org
> 
> Hi Alexandre,
> 
> If everything is sent and received over an encrypted tunnel (a horrible
> security issue from a firewall admin's point of view) over a single
> session, then there are no secondary protocols and it should just work
> allowing a primary connection outbound on TCP port 22.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> > -----Original Message-----
> > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> > Sent: Thursday, October 06, 2005 8:34 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> > 
> > http://www.ISAserver.org
> > 
> > *shy cough from the Unix guy in background*
> > 
> > Uhm, I do not mean to intrude but they basically are the same, they
> > go through an SSH tunnel.
> > 
> > SFTP is not more secure than SCP or vice versa, they are only as
> > secure as SSH itself. (Which means, it's fine. Basically.)
> > 
> > They just use different interfaces, but they "work" the same, which
> > is inside an SSH tunnel. SFTP is just designed to "look and taste"
> > like an FTP server to the end user, but it is not dual port or
> > anything either, it is just a matter of what application you call on
> > the other end of the SSH connection. ISA would see both protocols as
> > the same, from its point of view.
> > 
> > And in any case... WinSCP 3 uses SFTP by default with fallback to SCP
> > if that craps out. It's made like this because sometimes
> > administrators will disable one or the other in /etc/ssh/sshd_config
> > for various reasons.
> > 
> > Basically all you need to do is allow SSH (which means outgoing
> > connection to port 22 on destination machine(s) (or the internet)) and
> > you are set. That's what I did here, and it works wonderfully, I can
> > toss and fetch files from my Linux box at home in a really really
> > strange fashion involving tunneling SSH inside SSH to reach a machine
> > behind my NAT ;)
> > 
> > Greg, I think you are confusing SFTP with FTPS, perhaps...
> > 
> > SSH is such a great protocol, it is a shame the OpenSSH implementation
> > doesn't work fully on Windows Server 2003 yet. (At least last time I
> > checked.) With the advent of MSH, it will be even more useful...
> > 
> > (And don't you love tunneling clear-text protocols through SSH? You
> > can use it as a "poor man's VPN" also.)
> > 
> > OH and FYI, ISA *does* support some amount of FTPS, it depends on
> > whether it is implicit or explicit, I believe... (i.e. SSL on port 21
> > instead of on a dedicated port).
> > 
> > Now of course if you're talking about the FTP application filter...
> > Seeing how braindead the FTP client in Windows is, I don't doubt it
> > is not supported :)
> > 
> > -----Original Message-----
> > From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx] 
> > Sent: 6 October 2005 02:06
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> > 
> > http://www.ISAserver.org
> > 
> > Noel
> > 
> > What are you trying to achieve? My guess is you are trying to dump
> > files to a Linux box or a Windows box running an SSH server, behind
> > the ISA firewall. Instead of using SFTP, try using SCP. It's a more
> > secure protocol. See if that works the same.
> > 
> > Greg
> > 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, 6 October 2005 3:05 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> > 
> > http://www.ISAserver.org
> > 
> > SFTP uses TCP:989 & TCP:990; SSH uses TCP:22.
> > Which is it that you think you're using?
> > 
> > No; ISA does not support FTPS.
> > 
> > -----Original Message-----
> > From: Noel [mailto:noel.callander@xxxxxxx]
> > Sent: Wednesday, October 05, 2005 5:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Help - SFTP port 22
> > 
> > http://www.ISAserver.org
> > 
> > Question: is SFTP supported by ISA 2000 EE? I can't seem to get it to
> > work. I have opened port 22 on the ISA server but it still fails. Is
> > there anything else that needs to be configured? I am using the
> > WinSCP 3.7.5 GUI on the XP workstation.
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 

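Gauthier's point that SFTP and SCP are just commands run inside one SSH session, and Tom's objection that the same session can carry arbitrary port forwarding, both come down to how the SSH server is configured. The sshd_config fragment below is an added illustration, not taken from any message in this thread, of how an OpenSSH server can still offer file transfer while refusing the tunnelling the thread worries about; the group name `sftponly` and the chroot path `/srv/sftp` are assumed names.

```text
# Serve SFTP with the in-process server, so no external sftp-server
# binary has to exist inside a chroot.
Subsystem sftp internal-sftp

# Defaults for every user: no tunnelling of any kind through this host.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no

# Users who only need file transfer (group "sftponly" is an assumed name).
# ChrootDirectory must be owned by root and writable by nobody else; give
# each user a writable subdirectory inside it for their files.
# ForceCommand discards whatever command the client asked for, so neither
# a shell nor the scp helper is reachable, only the SFTP subsystem.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before restarting sshd. With these settings, a firewall rule that permits outbound TCP 22 to this host really does admit only file transfer: a forwarding request from the client is answered with "administratively prohibited", and a shell request is replaced by the SFTP subsystem.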