03-12-2013 03:31 AM
Hi,
Keeping in mind that the goal is to create a highly secure connection from multiple locations to an internal server, and that the purpose is ONLY to transfer files, is an SFTP (SSH File Transfer Protocol) server a sufficiently secure transfer channel, or is it better to tunnel the SFTP traffic over a VPN?
SFTP is set up with user/password AND public key.
My guess is that tunneling already encrypted traffic is a waste of resources and unnecessary, even if we could set it up using our ASA firewall.
What do you think? Can you please help me understand the real advantages and/or disadvantages?
Thank you.
03-12-2013 04:04 AM
sFTP is good for encrypting communication over the Internet, so it is also good for the "intranet" as well. The problem with sFTP over the intranet is that most IDS/IPS or DLP devices cannot decrypt sFTP unless they have your keys, which most security folks do not like because they cannot see what you're doing.
Now, if you really want to secure the communication, you can do this to triple your security posture:
1- encrypt your file with PGP,
2- Use sFTP to transfer the files,
3- run this over VPN,
Even if someone can steal this data, it will take them several billion years to decrypt it.
03-12-2013 04:43 AM
Hi David, and thanks for the reply.
I see the triple security posture and it rocks. However, our goal is to keep it simple. And secure, of course.
Do you agree with me that tunneling SFTP traffic through a VPN is not required when looking for a secure file transfer?
Can you please suggest some papers and/or evidence to prove that? I have to convince a few people that setting up a VPN in this scenario is something we can avoid.
Thanks !!
03-12-2013 09:48 AM
I would say:
Protocol-wise, SFTP uses the SSH framework.
To avoid password brute-force attacks, do not use passwords; use DSA or ECDSA keys instead.
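The advice in this thread to disable password logins only works if the sshd_config actually takes effect: OpenSSH uses the first value it reads for a keyword (outside Match blocks), so a hardening line appended below a leftover `PasswordAuthentication yes` does nothing. The following audit script is an added example, not part of the original thread or any Cisco/OpenSSH code. The two embedded configs are constructed samples; the defaults table reflects stock OpenSSH defaults for the four keywords it checks.

```python
"""Audit an OpenSSH sshd_config for the key-only settings recommended above.

Added example (constructed configs, not from a real server). Mirrors sshd's
precedence rule: for each keyword the FIRST value seen outside a Match block
wins, so a later 'PasswordAuthentication no' is silently ignored.
"""
import re

# Constructed sample: the hardened, key-only SFTP server discussed in the thread.
HARDENED_CONFIG = """\
# Key-only, SFTP-only server
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# Constructed sample: someone appended the hardening line below the default.
WEAK_CONFIG = """\
Port 22
# left over from the package default
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
# never takes effect: sshd keeps the first value it saw
PasswordAuthentication no
"""

# Stock OpenSSH defaults for the keywords we audit (used when a keyword is absent).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# What a key-only SFTP server should end up with.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}


def effective_settings(text):
    """Return {keyword: value} for global directives, first occurrence winning.

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    Parsing stops at the first Match block: values inside it are conditional
    and do not change the global default.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd treats whole-line '#' as comment
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)        # first value wins, as in sshd
    return settings


def audit(text):
    """Return a sorted list of (keyword, effective, required) for every mismatch."""
    eff = effective_settings(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = eff.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            findings.append((key, actual, wanted))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        problems = audit(cfg)
        print(f"{name}: {'OK' if not problems else problems}")
```

On a live host, `sshd -T` prints the effective values after sshd's own parsing, which is the authoritative check; this script is for reviewing a config file before it is deployed.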
03-12-2013 10:05 AM
Hi Jok,
I have been checking for any known vulnerabilities, and this protocol seems to be clear.
On the other hand, it is always recommended to protect your data as much as possible. If this traffic is critical for your organization, I wouldn't hesitate to send it over a second VPN connection, so you make sure it will not get compromised.
A LAN-to-LAN tunnel is a simple tunnel, not a big deal. SSH is a powerful protocol, but with a second VPN tunnel, people on the Internet will not even know that it is SSH.
Personally, I would not use this protocol for banking data or high-level military without a second security / encryption layer.
HTH.
Portu.
03-13-2013 04:09 AM
Javier Portuguez wrote:
Personally, I would not use this protocol for banking data or high-level military without a second security / encryption layer.
Then how do you explain that people do their banking online every day using HTTPS (aka SSL)? Are they at risk as well?
SSH is just as secure as, if not more secure than, SSL. One thing I would avoid is using passwords. Instead you can use a public/private key along with a pass-phrase. That is similar to two-factor authentication. Something you have: the private key; something you know: the pass-phrase.
Financial services use sFTP to transfer BULK highly sensitive information over the Internet every day. One thing to keep in mind: with sFTP you have end-point to end-point encryption, but with a regular site-to-site VPN you do NOT have end-point to end-point encryption, only between the VPN endpoints.
03-13-2013 10:30 AM
David,
I agree on what you said.
I just shared my personal opinion. I am kinda paranoid in terms of security, that's all.
03-13-2013 11:01 AM
Javier Portuguez wrote:
I am kinda paranoid in terms of security, that's all.
Yes, being paranoid in terms of security is a very good thing. I wish more people had a mentality like yours.
03-13-2013 11:04 AM
We are on the same page.
11-09-2020 01:19 PM
I apologize for reviving an old thread, but it was a top result when searching for "VPN + SFTP". The purpose of transferring files via SFTP through a VPN tunnel is to protect the server by enhancing the security of the connection, not the transfer. Without a VPN, the SFTP port on the firewall would have to be open to the world or open to a set of IP addresses. When dealing with users whose IP addresses may change, maintaining this whitelist becomes unfeasible. With a VPN connection, the SFTP port on the firewall can remain closed.