[136602] in North American Network Operators' Group
Re: quietly....
daemon@ATHENA.MIT.EDU (Randy Carpenter)
Thu Feb 3 16:31:53 2011
X-RC-FROM: <rcarpen@network1.net>
Date: Thu, 3 Feb 2011 16:31:43 -0500 (EST)
From: Randy Carpenter <rcarpen@network1.net>
To: Matthew Huff <mhuff@ox.com>
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9011F76964E9C@PUR-EXCH07.ox.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> Well, since ssh is a straight up tcp socket protocol on a well known
> port with no gimmicks needed like FTP, yeah, I would say it isn't a
> hack. FTP over TLS/SSL is much worse. In some implementations you can
> do a non-encrypted control channel and an encrypted data channel, so
> that a SPI firewall can "hack" it through, but unfortunately a lot of
> servers and/or clients won't negotiate that correctly and only allow
> both types of channels to be encrypted, which is not possible to pass
> through a SPI firewall.
>
> There are two other sorta widely implemented secure file transfer
> protocols, SCP and WebDav over TLS/SSL. Either works fine through a
> SPI firewall, but the consensus for file transfer (at least over the
> pub net) within the financial services community appears to be
> converging to FTP over ssh.
Do you mean sftp, or ftp over an ssh tunnel?
-Randy
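Added example, not part of either poster's message: the "gimmick" Matthew refers to is that FTP announces its data connection inside the control channel, so a stateful-inspection firewall needs an FTP helper that reads PASV/EPSV replies and PORT commands off port 21 and opens a pinhole for the second connection. The toy helper below does exactly that on plaintext control-channel lines (constructed samples, not a real capture). Once the control channel is wrapped in TLS (FTPS without a clear command channel) these lines are ciphertext and no helper can do this; SSH/SFTP never needs it because the whole session rides on one TCP connection. The bounce check (announced address must be the control connection's peer) is the usual helper sanity check, added here as an assumption about what a sensible helper does, not something the thread states.

```python
"""Toy FTP helper of the kind a stateful-inspection firewall runs on port 21.

Reads plaintext control-channel lines, extracts the data-connection endpoint from
PASV/EPSV replies and PORT commands, and returns the pinhole the firewall must open.
All sample lines below are constructed for the example.
"""
import re
from typing import Optional, Tuple

Endpoint = Tuple[str, int]

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227 .*?\(" + _HOSTPORT + r"\)")          # 227 ... (h1,h2,h3,h4,p1,p2)
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT, re.IGNORECASE)      # PORT h1,h2,h3,h4,p1,p2
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")             # 229 ... (|||port|)


def _hostport(octets) -> Optional[Endpoint]:
    """Turn the six comma-separated numbers into (ip, port); reject junk values."""
    nums = [int(x) for x in octets]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def parse_passive(reply: str, server_ip: str) -> Optional[Endpoint]:
    """Server reply to PASV/EPSV: where the client will connect for data.
    EPSV carries only a port, so the address is the control connection's peer."""
    line = reply.strip()
    m = _PASV_RE.match(line)
    if m:
        return _hostport(m.groups())
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (server_ip, port) if 0 < port <= 65535 else None
    return None


def parse_active(command: str) -> Optional[Endpoint]:
    """Client PORT command: where the server will connect back (active mode)."""
    m = _PORT_RE.match(command.strip())
    return _hostport(m.groups()) if m else None


def pinhole(line: str, client_ip: str, server_ip: str) -> Optional[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) the firewall must permit for this line, or None.

    The announced address must be the peer that sent it; anything else is an
    FTP bounce attempt (or a NATed host lying about itself) and gets no pinhole.
    A TLS-protected control channel never reaches either parser: the bytes are
    ciphertext, so this function simply returns None."""
    ep = parse_passive(line, server_ip)
    if ep:
        return (client_ip, ep[0], ep[1]) if ep[0] == server_ip else None
    ep = parse_active(line)
    if ep:
        return (server_ip, ep[0], ep[1]) if ep[0] == client_ip else None
    return None


if __name__ == "__main__":
    # Constructed transcript: client 10.0.0.5 talking to server 192.168.1.10.
    transcript = [
        "USER alice",
        "230 Login successful.",
        "PASV",
        "227 Entering Passive Mode (192,168,1,10,195,80)",   # -> client may connect to :50000
        "PORT 10,0,0,5,4,1",                                  # -> server may connect to :1025
        "227 Entering Passive Mode (203,0,113,9,195,80)",    # bounce: address is not the server
        "\x17\x03\x03\x00\x2a\x9f\x11...",                    # what a TLS record looks like to the helper
    ]
    for line in transcript:
        print(repr(line[:48]), "->", pinhole(line, "10.0.0.5", "192.168.1.10"))
```

Run it as a script to walk the constructed transcript; only the two honest announcements produce a pinhole, the bounce line and the TLS bytes produce none.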