01-20-2011 02:42 PM - edited 03-04-2019 11:09 AM
We have had trouble in the past with users launching SCP and taking up the queues designated for SSH flows. I understand that NBAR has some capabilities higher up the protocol stack to classify traffic. Can NBAR classify TCP 22 SSH and SCP differently so that SCP flows don't squash the interactive application queue?
01-22-2011 05:29 AM
To my knowledge there is no way to differentiate SCP from SSH in NBAR. The reason I believe this to be true is that both SSH and SCP utilize the same layer 4 connection, scp is just invoking a sub-process of ssh. Because the traffic is encrypted, I cannot think of a way NBAR or any sort of deep packet inspection could identify scp.
The only thing I can think of would be to utilize an ACL as part of your class-map matching statements to further classify based on important source or destination hosts/networks.
Hope this helps, and I am interested to see how others approach this.
Regards,
Matt
01-22-2011 12:58 PM
It depends. Some SSH servers (i.e. OpenSSH) already mark the TOS bit on platforms that support it. I believe that they mark interactive (i.e. SSH) and bulk (i.e. SCP) with different TOS bits. If you trust the client, you could mark based on this. Other than that, the only option that I can see would be to use a product that can decrypt and inspect the traffic.
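An added example (not posted in this thread) that combines the ToS-based idea above with Matt's suggestion of an ACL inside the class-map, as a Cisco IOS MQC fragment. It assumes OpenSSH on both ends, which marks interactive sessions IPTOS_LOWDELAY (0x10, i.e. DSCP 4 on older releases; AF21 by default since OpenSSH 7.8) and bulk scp/sftp transfers IPTOS_THROUGHPUT (0x08, i.e. DSCP 2; CS1 since 7.8); the interface name, bandwidth and policer figures are placeholders.

```cisco
! Interactive SSH: TCP 22 in either direction carrying the "low delay"
! mark. DSCP 4 is the legacy IPTOS_LOWDELAY value, AF21 the OpenSSH 7.8+ default.
ip access-list extended SSH-INTERACTIVE-ACL
 permit tcp any any eq 22 dscp 4
 permit tcp any eq 22 any dscp 4
 permit tcp any any eq 22 dscp af21
 permit tcp any eq 22 any dscp af21
!
! Bulk scp/sftp: same port, but carrying the "throughput" mark
! (legacy IPTOS_THROUGHPUT = DSCP 2, CS1 on OpenSSH 7.8+).
ip access-list extended SSH-BULK-ACL
 permit tcp any any eq 22 dscp 2
 permit tcp any eq 22 any dscp 2
 permit tcp any any eq 22 dscp cs1
 permit tcp any eq 22 any dscp cs1
!
class-map match-all SSH-INTERACTIVE
 match access-group name SSH-INTERACTIVE-ACL
class-map match-all SSH-BULK
 match access-group name SSH-BULK-ACL
!
! The mark is set by the end host, so it is only a hint: the interactive
! class gets a guaranteed share, while the bulk class is policed so that a
! transfer (mislabelled or not) cannot starve the interactive queue.
policy-map WAN-OUT
 class SSH-INTERACTIVE
  bandwidth 256
 class SSH-BULK
  police 512000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-OUT
```

SSH traffic carrying neither mark (non-OpenSSH clients, or hosts that clear the field) falls into class-default, so check `show policy-map interface` to confirm both classes actually see matches before relying on the split.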
01-22-2011 01:21 PM
Well, you can also rate-limit ssh and scp on input; there really is not much need for more than several kbps.
01-24-2011 08:21 AM
Thanks for the suggestions all. I did some digging and found that one way around this is to assign a high port number to SSH. Then add this port into a protected class. Then publish this port to your user community to be used only by interactive SSH. Of course, if somebody wanted to be the bad guy they could use this port for SCP as well... But this is a manual way to differentiate the traffic.