How can you classify differently between SSH and SCP?

bcturner
Level 1

We have had trouble in the past with users launching SCP and taking up the queues designated for SSH flows.  I understand the NBAR has some capabilities higher up the protocol stack to classify traffic.  Can NBAR classify TCP 22 SSH and SCP differently so that SCP flows don't squash the interactive application queue?

4 Replies

mgalazka
Level 1

To my knowledge there is no way to differentiate SCP from SSH in NBAR.  The reason I believe this to be true is that both SSH and SCP utilize the same layer 4 connection, scp is just invoking a sub-process of ssh.  Because the traffic is encrypted, I cannot think of a way NBAR or any sort of deep packet inspection could identify scp.

The only thing I can think of would be to utilize an ACL as part of your class-map matching statements to further classify based on important source or destination hosts/networks. 

Hope this helps, and I am interested to see how others approach this.

Regards,

Matt

mmacdonald70
Level 1

It depends.  Some SSH servers (i.e. OpenSSH) already mark the TOS bits on platforms that support it.  I believe that they mark interactive (i.e. SSH) and bulk (i.e. SCP) with different TOS bits.  If you trust the client, you could mark based on this.  Other than that, the only option that I can see would be to use a product that can decrypt and inspect the traffic.
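An added example (not from the thread) of the MQC configuration the answer above implies, matching on the DSCP values OpenSSH sets itself: since OpenSSH 7.8 the default is `IPQoS af21 cs1` (AF21 for interactive sessions, CS1 for bulk transfers such as scp), and older releases used the legacy `lowdelay throughput` TOS bits, which show up as DSCP 4 and DSCP 2. The interface name, class names and bandwidth figures are assumed; because the marks are set by the client, restrict the classes with an ACL to the managed hosts you trust to mark honestly.

```text
! Assumed example, not taken from the thread. Classifies SSH sessions
! by the DSCP that OpenSSH's IPQoS option writes into each packet.
!
! Only trust marks from hosts you manage (the client sets the value).
ip access-list extended SSH-TRUSTED
 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 permit tcp any eq 22 10.1.0.0 0.0.255.255
!
! Interactive: AF21 (OpenSSH >= 7.8) or DSCP 4 (legacy "lowdelay").
class-map match-any SSH-INTERACTIVE-MARKS
 match dscp af21
 match dscp 4
!
! Bulk (scp/sftp): CS1 (OpenSSH >= 7.8) or DSCP 2 (legacy "throughput").
class-map match-any SSH-BULK-MARKS
 match dscp cs1
 match dscp 2
!
class-map match-all SSH-INTERACTIVE
 match class-map SSH-INTERACTIVE-MARKS
 match access-group name SSH-TRUSTED
!
class-map match-all SSH-BULK
 match class-map SSH-BULK-MARKS
 match access-group name SSH-TRUSTED
!
policy-map WAN-OUT
 class SSH-INTERACTIVE
  bandwidth percent 10
 class SSH-BULK
  ! Bulk transfers get their own queue so they cannot starve
  ! the interactive class; cap them if the link is small.
  bandwidth percent 5
  police 512000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
interface GigabitEthernet0/1
 service-policy output WAN-OUT
```

Unmarked SSH traffic (port 22 without one of these DSCP values) falls into class-default, so a host that strips or forges the marks gains no access to the interactive queue.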

Filip Talpa
Level 1

Well, you can also rate-limit ssh and scp on input; there really is not much need for more than several kbps.

bcturner
Level 1

Thanks for the suggestions all.  I did some digging and found that one way around this is to assign a high port number to SSH.  Then add this port into a protected class.  Then publish this port to your user community to be used only by interactive SSH.  Of course, if somebody wanted to be the bad guy they could use this port for SCP as well...  But this is a manual way to differentiate the traffic.
