
| Subject: | Re: SFTP |
|---|---|
| Date: | Wed, 02 Nov 2005 04:10:28 -0500 |
Thanks guys - got the picture now. Will IDP/IDS drop that traffic if it's under port 21? If my assumptions are correct... IDS will flag it, IDP will drop it and see it as an anomaly if it isn't profiled.

-Dave

On 01/Nov/2005 13:59:13, Robert Hajime Lanning wrote:
You can move your SSH service to port 21, but this means that all clients will need to specify to connect to port 21. Port 21 is allocated for FTP, not SSH. Clients would have to "sftp -p 21 ...", instead of just "sftp ...".

- Does SFTP encrypt payload?
Yes

- Does it use UDP/TCP?
TCP only

- Can you fully utilize a given bandwidth (i.e. 512kbit circuit) with one session?
Yes, with the constraint that the endpoints need enough power to handle the encryption overhead. There are scaling issues for very high bandwidth (upwards of DS3). This deals with blocking issues within the SSH tunnel and TCP window issues.

SFTP is not FTP. It is a File Transfer Protocol, not THE File Transfer Protocol. It works by connecting to the SSH server. Then once connected and authenticated, it requests a new channel with the SFTP service. Everything is tunneled across a single SSH connection. (A single TCP connection.) So, SFTP runs on top of SSH. The SFTP client mimics the look and feel of the standard FTP client for ease of use.

Do not get it mixed up with FTPS. FTPS is the legacy FTP with TLS (Transport Layer Security) thrown in. FTPS uses two TCP connections. (Command and data) FTPS cannot go through a state based firewall. State based firewalls look into the command connection to find the negotiation for the data connection. When it sees this, it can precreate a state for the data connection to pass. But, with FTPS this negotiation is encrypted, so the firewall fails to allow the data connection.

--
And, did Guloka think the Ulus were too ugly to save? -Centauri
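The stateful-firewall point Robert makes above, shown as an added example that is not part of the thread: a minimal FTP helper that reads the control channel for the RFC 959 passive-mode reply ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)") to learn which data connection to pre-create state for. The sample control-channel bytes, host names and addresses are constructed; against the FTPS sample, where the same reply travels inside TLS records, the helper sees nothing and the data connection is not allowed.

```python
import re

# RFC 959 reply 227: the server announces the host and port of the data
# connection as six decimal numbers; port = p1 * 256 + p2.
PASV_REPLY = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def expected_data_connection(control_bytes: bytes):
    """Return (host, port) of the data connection announced on the control
    channel, or None when no passive-mode reply is visible to the firewall."""
    m = PASV_REPLY.search(control_bytes)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def firewall_decision(control_bytes: bytes, data_dst) -> bool:
    """A stateful firewall allows the data connection only if the control
    channel it inspected announced exactly that (host, port)."""
    return expected_data_connection(control_bytes) == data_dst


# Constructed sample: plaintext FTP control channel as the firewall sees it.
PLAIN_FTP = (
    b"220 ftp.example.test ready\r\n"
    b"USER anonymous\r\n331 Password required\r\nPASS x@y\r\n230 Logged in\r\n"
    b"PASV\r\n227 Entering Passive Mode (192,0,2,5,195,80)\r\n"
)

# Constructed sample: the same session over explicit FTPS. After AUTH TLS the
# firewall sees only TLS records (handshake 0x16, application data 0x17), so
# the PASV exchange carrying the data-channel endpoint is opaque to it.
FTPS = (
    b"220 ftp.example.test ready\r\nAUTH TLS\r\n234 Proceed with negotiation\r\n"
    b"\x16\x03\x01\x00\x2a" + bytes(42)   # TLS handshake record (payload elided)
    + b"\x17\x03\x01\x00\x40" + bytes(64)  # TLS application-data record
)

if __name__ == "__main__":
    target = ("192.0.2.5", 50000)
    print("plain FTP data connection allowed:", firewall_decision(PLAIN_FTP, target))
    print("FTPS data connection allowed:     ", firewall_decision(FTPS, target))
```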