cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1115
Views
6
Helpful
24
Replies

What is SFTP used for?

tabrownz
Level 1
Level 1

What is SFTP used for in Cisco, and in general networking? How often, what for? thanks

1 Accepted Solution

Accepted Solutions

Hi Leo, SFTP, as I have found, is used for various applications or use cases such as Public facing SFTP gateways like AWS S3, Azure blob, Google cloud storage, and GoAnywhere MFT, and educational portals like CQU HPC and Harvard FASRC.

What is your use case. Why are you transferring files?

View solution in original post

24 Replies 24

Joseph W. Doherty
Hall of Fame
Hall of Fame

SFTP as in Secure File Transfer Protocol?

SFTP, or Secure File Transfer Protocol, is a secure file transfer protocol that uses secure shell (SSH) encryption to provide a high level of security for sending and receiving file transfers. It combines the secure authentication and encryption features of SSH with file transfer functionality, allowing users to securely upload, download, and manage files on remote servers using an encrypted connection.

Basically, if you have need to transfer files, between hosts, encrypted.

How often it's used, would be very dependent on your perceived security needs.

Thanks. I’d like to know how much its used and what it is used for. For example, FTP used to be used for transfer files with Cisco devices, and for upload files to a website. Is it still the same nowadays but with SFTP, or ….?

The answer I need is a difficult one I think as to get to the bottom of it I would need to survey a representative sample of small, medium and large businesses, enterprises, private and government, to best determine it. But if an individual worked in the area and had been at various organisations over a number of years, they may know the answer. 

Well, I've had worked decades in IT, across multiple organizations, and in my experience i don't recall anyone normally tracking usage of particular specific data transfer protocols.  Those dealing with maintaining customized QoS of firewalls might have some information, but especially for a protocol like SFTP, there may not be much detail usage information.  Anyone that has such information about detailed usage of SFTP I would suspect would be rare and unlikely to be representative of the industry as a whole.

A possible issue for even obtaining usage data on SFTP might be, can it even be distinguished from SSH console traffic or SCP?

"Difficult" might be an understatement.

Thanks. Not looking for tracking. More like, "oh yeah we use or used SFTP for ....", Or "we used FTP for .... and even though SFTP was available, there were more suitable means via HTTPS, cloud based services, and VPN". So, we don't use it anymore. 

From what I am hearing through my enquiries today, it seems to have niche type uses, not mainstream. Good where automation via scripting is needed, or very large file transfers outside of an organisations wider network. So, I'm thinking in comparison to say HTTPS, VPN, and cloud-based services that provide file transfer, SFTP use would be significantly less. What do you think?


I would suspect, but don't actually know that something like SFTP would be, as you say, niche usage.

Even going external, bulk data transfers, are possibly already encrypted by some feature of the application that uses the data or via an encrypted tunnel.

Automation of some kind, I agree would be a possible best usage case but as you also noted there are other options.  Plus inertia retards upgrades for existing working solutions.  For example, network device access via SSH vs. telnet, in my experience, was a slow adoption.  The reasoning for the last was it was believed being able to somehow log on to the device was more of a concern than transit traffic being viewed by a man in the middle.  (Oh, for those wondering wouldn't telnet expose logon credentials, it does, but passwords were keyed to hardware key each user had and were changed every few seconds.)

@tabrownz hi, SFTP is secured file transfer protocol. i assume you have idea about FTP which is famous for file transferring. SFTP is kind of same with encryption on top. so when you move files through the network you can avoid information leak for MITM attacks. this is recommended to use in all possible file transferring requirements due to security improvements. you can use any time with supported systems.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

thanks. I know what SFTP does. What I don't know is how many of the millions of organisations in the world are using it, and what they are using if for, specifically. 

Most organizations today use SFTP as standard file transfer protocol, FTP is considered highly insecure as you can see information over FTP with a simple packet capture.

-hope this helps-

Doesn't help much, though thanks. I know what SFTP is. But where, when, how, is it being used specifically. What are the use cases. file transfer from cisco devices for example. Who or what has the need to have the control that SFTP provides for file transfer?

Network operators with a CSO/CISO will most likely have a policy requiring login creds to be sent as cyphertext. That policy would rule out using FTP (cleartext creds) or TFTP (no creds) to pull new NOS images into routers/switches. These operators would use scp/sftp instead when they want to upgrade the NOS.

Disclaimer: I am long in CSCO

Well lets say you don't use SFTP you want to use HTTPS, HTTPS is built for web based file sharing like transfer information between web servers and clients (usually web browsers).  File-sharing services (e.g., Dropbox, Google Drive) use HTTPS to ensure files are securely uploaded/downloaded between users and the web server. Also since this is over web a public CA trust is mandatory to maintain. 

Coming back to SFTP,  also most likely SFTP server is owned so Public CA trust is not needed, you can use internal PKI or just username/password for trust, you may also need to have permission to Supports file operations like reading, writing, and modifying files on the remote system, which may be well suited for things like backup, over riding backup, changing backup access permissions etc, which may not be available over other protocols.

Although this is a moving target, as a lot of vendor (specially cloud managed network providers) have started allowing web based upgrades, backups etc over HTTPS and modification over simple API calls, its more convenient. It may be well received by lot of customers, may not be by  Federal customers.

-hope this helps-


@tabrownz wrote:
 and what they are using if for, specifically.

In a nutshell:  Transfer files, from Points A to Points B (or vice versa), securely.

Each day or one week, the network engineer need to keep backup of network device config, these Config include sensitive info. Like password public IP, if engineers use tftp/ftp for these backup then man in middle can capture the data and know these sensitive info. This why engineers use scp or sftp to send backup data to server.

MHM

I'm about to mount my soapbox and touch upon the "need" for something like SFTP for network device backups, targeting a couple of points made by @MHM Cisco World , but I'm not targeting MHM.

"Each day or one week, the network engineer need to keep backup of network device config . . "

Yup, not bad practice, although I like systems that pick up device config changes shortly after they've been made.

". . . these Config include sensitive info."

True, but just how sensitive?

"Like password public IP . . ."

Hopefully config passwords are not in clear text or an easily breakable encryption format.

How secret is a "public" IP?

Regarding man-in-the-middle, if we're discussing internal networks, are your employees vetted?  Is access to network infrastructure devices behind locked doors/cabinets (i.e. can someone easily get in the middle of the network device and the config backup host)?

Again, how sensitive is the config?  Huge difference, I believe, in seeing a device config and being able to access the device.

Don't misunderstand, I'm not against security, just in my experience, many security folk focus on security to protect against all possible threats regardless of cost to do so.  For example, from a security standpoint, leaving under a dollar's worth of change in my unlocked desk drawer allows it to be easily stolen.  That's true.  But, conversely we probably don't need a ten ton safe, with time locks, and multiple person keys, to protect under a dollar of loose change.

In my experience, often is seems it's one extreme or the other, i.e. no one considers security threats at all or we need Fort Knox level of security for everything.

In the case MHM mentions, if I'm an attacker, and I really want to see multiple device configs, do I work at multiple man-in-the-middle attacks or do I work on breaching the security of the host containing all the backup config copies?

Again, I'm not arguing there's anything wrong in using SFTP for device config backups, and all else being equal, it's probably good to use host-to-host encryption, but it really needs to analyzed in the larger picture.

One issue that can be overlooked when using encryption, if data volume is a concern, generally it cannot be well compressed, unless compression is done before encryption (of course, a device config doesn't usually have the "volume" this would be an issue), but if a company is using SFTP willy-nilly, host to host, because it's more secure than FTP (true), it can preclude a network edge device doing both effective compression (e.g. WAFS, WAAS) with optional encryption.

Jim ( @Ramblin Tech ) mentions "Network operators with a CSO/CISO will most likely have a policy requiring login creds to be sent as cyphertext.", which is probably true in the larger network operators.  Possibly not as true in smaller network operators.

Anyway, my soapbox point is, consider the big picture, benefits vs. costs, operational impacts, security failure impact.

Also realize, perfection is often a worthwhile goal, but often not obtainable, at least at an acceptable cost, so some risk is often acceptable.

Review Cisco Networking for a $25 gift card