Does SFTP need additional VPN to be secure ?

Hi,
keeping in mind that the goal is to create a highly secure connection from multiple locations to an internal server and that the purpose is ONLY to transfer files, is an SFTP (SSH File Transfer Protocol) server a sufficiently secure channel to transfer files, or is it better to tunnel SFTP traffic over a VPN?
SFTP is set up with user/password AND public key.

My guess is that tunneling already encrypted traffic is a waste of resources and unnecessary.

What do you think? Can you please help me to understand the real advantages and/or disadvantages?

Thank you.
 
The VPN could add an extra layer, but only if you are using an outdated version of SSH. If you set up the SSH server and force the version 2 protocol, you should be fine without the VPN overhead.
 
Hi,
this is my thought too, but some IT guys who should implement file transfer towards us told me the contrary.
I would like to bring them some evidence, and I found a few internet threads about that ... but I think it is not enough. Any help with convincing other people of that?
Thanks.
 
I would have them show you the purported deficiencies in the connection methods, and how using the combined method resolves those issues. I think using multiple layers of encryption is more a case of CYA and less a case of any technical reason (in this specific case).
I could tell you that IE 10 is horribly insecure, and how using IE 10 only in a virtualized environment, accessed via Chrome browser on a 256 bit SSL link is the only safe way to go. None of it changes the fact the whole argument is built on a fallacy.
 
There are many options out there when it comes to VPN and even under that umbrella term differences occur. My company has had really positive dealings with Vpnlux. https://www.vpnlux.com/vpn-prices/ outlines some of the prices and services. They are really brilliant at responding to questions with clear answers to ensure your need are satisfied. Hope that helps. Let me know what they say.
All the best.
 
I would have them show you the purported deficiencies in the connection methods, and how using the combined method resolves those issues. I think using multiple layers of encryption is more a case of CYA and less a case of any technical reason (in this specific case).
I could tell you that IE 10 is horribly insecure, and how using IE 10 only in a virtualized environment, accessed via Chrome browser on a 256 bit SSL link is the only safe way to go. None of it changes the fact the whole argument is built on a fallacy.

How is IE 10 insecure compared to a browser that mostly runs in the cloud? :rolleyes:

Every browser is insecure, and 256-bit encryption is not exactly foolproof against most applications that are in search of stealing data.

Just use a VPN to stay... Safer... Ideally you should put something in your ACLs that says it can only send and receive from point A to B and vice versa. Even then I would still probably just use a VPN. All FTP sends credentials in clear text; it makes no difference which method you use.

Also who wants to hack your data? Most people do not lose data because someone just felt like taking it, they lose it because someone really wanted to take the data. You cannot stop every attack ;)
 
All FTP sends credentials in clear text; it makes no difference which method you use.

He's talking about SFTP, not FTP. SFTP is based on SSH, which does not send credentials in the clear.
 
There are many options out there when it comes to VPN and even under that umbrella term differences occur. My company has had really positive dealings with Vpnlux. https://www.vpnlux.com/vpn-prices/ outlines some of the prices and services. They are really brilliant at responding to questions with clear answers to ensure your need are satisfied. Hope that helps. Let me know what they say.
All the best.

When did "VPN" automatically become "VPN provider"? Your post is completely off-topic.
 
He's talking about SFTP, not FTP. SFTP is based on SSH, which does not send credentials in the clear.

Man-in-the-middle with an ARP request. You could inject data into the packet header when a connection is trying to be established. Granted, you would probably need the public key. This all still goes back to the fact that whatever is hosting the connection may be vulnerable to something else that allows the public key to be exploitable.

So.... Yeah. You are right, SSH is secure, just not the things hosting it, in most cases.
 
Man-in-the-middle with an ARP request. You could inject data into the packet header when a connection is trying to be established. Granted, you would probably need the public key. This all still goes back to the fact that whatever is hosting the connection may be vulnerable to something else that allows the public key to be exploitable.

So.... Yeah. You are right, SSH is secure, just not the things hosting it, in most cases.

Please, if you have any evidence that this actually works, post a proof-of-concept. I doubt it. SSH treats the transport as completely hostile, AFAIK.
 
When did "VPN" automatically become "VPN provider"? Your post is completely off-topic.
Hi there. I was just trying to be helpful, as I wasn't aware that this was something you could set up yourself. If you could give me some ideas as to how to do that, I would appreciate it.
Thanks,
 
Man-in-the-middle with an ARP request. You could inject data into the packet header when a connection is trying to be established. Granted, you would probably need the public key. This all still goes back to the fact that whatever is hosting the connection may be vulnerable to something else that allows the public key to be exploitable.

So.... Yeah. You are right, SSH is secure, just not the things hosting it, in most cases.

SSH uses key continuity to combat MITM; this would only theoretically work if the client had never connected to the server before and you had the client's public key, assuming the attack could be pulled off in the first place. It wouldn't work at all if the server's host key was validated out-of-band before the first connection.

I agree with the other poster.

Please, if you have any evidence that this actually works, post a proof-of-concept. I doubt it. SSH treats the transport as completely hostile, AFAIK.
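To make the key-continuity argument above concrete, here is an added example (not code from the thread or from OpenSSH) that reproduces the client-side decision OpenSSH makes against a known_hosts file: a host seen before with the same key is accepted, a known host presenting a different key is refused, and a first contact is flagged so the SHA256 fingerprint can be confirmed out-of-band. Host names, keys and the known_hosts content are constructed for the demonstration; the hashed-entry format (HMAC-SHA1 over the host name with a 20-byte salt) follows OpenSSH's documented layout.

```python
import base64
import hashlib
import hmac

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint of a base64 key blob: SHA256:<base64 digest, no '=' padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host: str, salt: bytes) -> str:
    """Hashed known_hosts name field: |1|<salt b64>|<HMAC-SHA1(salt, host) b64>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def name_matches(field: str, host: str) -> bool:
    """True if a plain, comma-separated, or hashed known_hosts name field covers host."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, blob_b64: str) -> str:
    """Key-continuity verdict for the key a server presents:
    'match'    same key as before, proceed; 'mismatch' different key for a known
    host, refuse (possible MITM or unannounced rotation); 'unknown' first contact,
    confirm the fingerprint with the server admin before trusting it."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if not name_matches(parts[0], host) or parts[1] != keytype:
            continue
        return "match" if hmac.compare_digest(parts[2], blob_b64) else "mismatch"
    return "unknown"

# Constructed sample data: structurally valid ssh-ed25519 blobs, not real server keys.
_HDR = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
SERVER_KEY = base64.b64encode(_HDR + bytes(range(32))).decode()
ROGUE_KEY = base64.b64encode(_HDR + bytes(range(32, 64))).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: one plain entry and one hashed entry",
    "sftp.example.test,203.0.113.10 ssh-ed25519 " + SERVER_KEY,
    hash_host("backup.example.test", b"0123456789abcdefghij") + " ssh-ed25519 " + SERVER_KEY,
])

if __name__ == "__main__":
    for host, key in [("new.example.test", SERVER_KEY), ("sftp.example.test", SERVER_KEY),
                      ("backup.example.test", SERVER_KEY), ("sftp.example.test", ROGUE_KEY)]:
        print(f"{host:20} {check_host_key(KNOWN_HOSTS, host, 'ssh-ed25519', key):9} {fingerprint(key)}")
```

On a first contact the printed fingerprint is what the administrator should read back over an independent channel before the entry is recorded; once recorded, a later "mismatch" is the signal that key continuity has been broken.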
 
SSH uses key continuity to combat MITM; this would only theoretically work if the client had never connected to the server before and you had the client's public key, assuming the attack could be pulled off in the first place. It wouldn't work at all if the server's host key was validated out-of-band before the first connection.

I agree with the other poster.

Let's just simplify this :D

The devices hosting the connection could still be vulnerable.

I am not going to hijack this thread lol, so if anyone wants to converse with me about it, private message me!

I'd still use a VPN; it is just one more thing you can say you did to protect the data, if anything at all were ever to happen.
 
Theoretically SFTP is "secure enough", but would I advise anyone to put all their company data on an SFTP server just sitting out there? No way in hell.

Anything with a single layer of security is open to the potential of a single vulnerability opening up or bringing down the whole system. This is an acceptable risk to allow usability on systems like e-mail, HTTPS, etc., but it definitely isn't the best possible security. And most of those systems that are actually important (should) have additional lines of security that aren't visible to a legitimate user.

If it's a HUGE deal to not have to connect via VPN before establishing the SFTP session (say, you have 30 clients that need to connect 4 times an hour for 10 seconds or something), then maybe the VPN makes it less usable and should be scrapped.

But it's a tiny "waste of resources" as I'm assuming the VPN concentrator is already established, and the overhead is pretty negligible unless you're running over dial-up.
 
How is IE 10 insecure compared to a browser that mostly runs in the cloud? :rolleyes:

Every browser is insecure, and 256-bit encryption is not exactly foolproof against most applications that are in search of stealing data.

Reading comprehension failure: it was an example of a fallacious argument. "None of it changes the fact the whole argument is built on a fallacy."
Personally I thought the example was patently ridiculous, which is why I used it.
 
Anything with a single layer of security is open to the potential of a single vulnerability opening up or bringing down the whole system. This is an acceptable risk to allow usability on systems like e-mail, HTTPS, etc., but it definitely isn't the best possible security. And most of those systems that are actually important (should) have additional lines of security that aren't visible to a legitimate user.

I agree with Innoncence, and I would add that an efficient security policy isn't just about monitoring or configuring one service. You have to consider everything in and out to make an efficient security policy.
 
So is a VPN a physical something you can set up yourself, or is it some type of software to install?
 
A VPN is software. You can, however, buy appliances that manage VPNs, similar to firewall and router appliances.
 