Oh, don't get me started on the confusion between FTP over SSH versus FTP over TLS/SSL let alone ftp over ssh versus sftp. So many vendors and users use ftps or sftp indiscriminately to describe both and neither. By sftp, I mean ftp over ssh (not tunnelled) as an alternate to scp. I would personally prefer scp to sftp, but that isn't what is being deployed by our peers.
-----Original Message----- From: Randy Carpenter [mailto:rcarpen@network1.net] Sent: Thursday, February 03, 2011 4:32 PM To: Matthew Huff Cc: nanog@nanog.org; Valdis Kletnieks Subject: Re: quietly....
----- Original Message -----
Well, since ssh is a straight up tcp socket protocol on a well know port with no gimmicks needed like FTP, yeah, I would say it isn't a hack. FTP over TLS/SSL is much worse. In some implementations you can do an non-encrypted control channel and an encrypted data channel, so that a SPI firewall can "hack" it through, but unfortunately a lot of servers and/or clients won't negotiate that correctly and only allow both type of channels to be encrypted which is not possible to pass through a SPI firewall.
There are two other sorta widely implemented secure file transfer protocols, SCP and WebDav over TLS/SSL. Either works fine through a SPI firewall, but the consensus for file transfer (at least over the pub net) within the financial services community appears to be converging to FTP over ssh.
Do you mean sftp, or ftp over an ssh tunnel?
-Randy