Archive for the ‘Activity monitoring’ Category
SFTP proxy
I installed Google Analytics on this blog, and it seems a number of people come here looking for “SFTP proxy”, because of an old article I posted last July. Those interested primarily in my syslog-ng related articles may skip this post, as it contains completely unrelated information; others, please read on.
For those who don’t know: SFTP is a remote file access protocol that runs as a subsystem over SSH. It is not yet an IETF standard; nevertheless more and more enterprises replace the aging FTP protocol with SFTP. The reasons are numerous:
- FTP sends passwords in plain text,
- FTP uses a separate TCP connection for each data transfer, which is awkward for firewalls and NAT,
- FTP has inherent protocol problems, like the FTP bounce attack,
- FTP does not encrypt traffic,
- FTP exposes filesystem metadata (last modification time, etc.) only via extensions,
- and others.
All in all, SFTP is newer, shinier and better designed. There is one problem though: SFTP runs over SSH, and SSH is encrypted. But wait, I just listed the lack of encryption as a drawback of FTP. Right: encryption is good and bad at the same time. Good, because it prevents eavesdropping; bad, because security devices at the network perimeter cannot see or control what passes through it.
Sometimes it is quite useful to see what is going on in traffic crossing the network border: you can restrict SFTP to a set of trusted clients rather than allowing it for everyone, and even those clients can be held accountable by keeping a full transaction log.
If your enterprise allows FTP traffic, there are tools to log FTP transfers, and in extreme cases to log the actual data. For SFTP this is not so simple: once you permit outgoing TCP port 22 (used for SSH), complete file system sharing can cross your firewall without you noticing. Scary, eh?
There are currently two solutions for this problem:
- Disable SSH and use FTP instead. This has the drawback that passwords travel unencrypted, and the traffic itself can easily be sniffed.
- Use something like our Shell Control Box product. It is based on Zorp and contains a complete SSH man-in-the-middle implementation: it controls the individual SSH channels, limits what can get through, can log transaction data, and, at the end of the day, the transmitted data is still encrypted on untrusted networks.
SCB does not use any OpenSSH code; it is a complete reimplementation of the SSH protocol stack, and thanks to Zorp all of it can run transparently (even in bridge mode), working in concert with your other firewalls and security devices. One caveat that applies to any SSH man-in-the-middle: the client ends up authenticating the proxy’s host key rather than the destination server’s, so the clients have to be set up to trust the proxy’s key, and the proxy has to verify the server’s key on their behalf for host-key checking to remain meaningful.
So if you need to install proper SFTP controls, be sure to check it out.
Reasons for my silence
Apart from the previous entry, I have not posted to this blog for two months. The reason is that I was heavily involved in the development of BalaBit Audit Player, a graphical application to replay RDP/SSH sessions recorded by our SCB product.
BAP became much larger than I originally expected (it is about 20k lines of code), and the end of the development was done in a rush to meet our deadline of 1 September 2007. We slipped a couple of days, but released BAP 2.0.0 on 7 September. Then I spent a week in Karlsruhe at the 5th Netfilter Developers’ Workshop.
I returned to Hungary on Friday; I’m spending the weekend with my parents, and hopefully I can be more active on other things, like the syslog-ng mailing list or this blog.
A release of syslog-ng GPL is long overdue; hopefully I can prepare it next week. I’ll also need to schedule some syslog-ng development time, as there are some open feature requests from customers.
SFTP proxy
I have spent the last couple of hours implementing a simple SFTP proxy, capable of logging file transfers, into our Shell Control Box product line. The core idea behind SCB is to perform RDP/SSH screening independently of the end systems. This SFTP functionality will be a small bonus: in addition to dumping the SSH traffic to an audit trail, we will be able to write log transactions to syslog, which is far easier to analyse if all you want to know is the list of files accessed via SFTP.
I originally thought that SFTP was as simple as FTP, with a transaction being a complete file transfer.
On the contrary, SFTP is much closer to NFS (and other network file system protocols) in spirit: in FTP you have a “RETR” command that fetches a complete file, whereas in SFTP you first open the file and receive a handle, then read it with a series of “READ” requests at explicit offsets, and finally close the handle. A proxy that wants to log “file X was downloaded” therefore has to correlate the open, the reads and the close, instead of logging a single command.
Now I understand how sshfs is possible. I thought I’d let you know.
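As an added example (my own illustration here, not BalaBit’s SCB code), the following Python decoder shows what that means in practice for a logging proxy of the kind described in both SFTP proxy posts on this page: it parses SFTP version 3 packets (the dialect OpenSSH speaks) from the two directions of the subsystem channel, correlates each server reply with its request id, and emits a syslog-style line per open and close with the bytes read and written. It assumes the SFTP bytes have already been extracted from the SSH channel, which is exactly what an SSH man-in-the-middle provides; the session at the bottom is constructed in-line, and its handle values, paths and data are made up.

```python
"""Decode an SFTP v3 request/response stream into file-level log lines.

Added example, not BalaBit/SCB code. It assumes the SFTP subsystem bytes have
already been pulled out of the SSH channel (what an SSH MITM proxy provides)
and that packets are fed in wire order together with their direction.
"""
import struct

# Packet types from draft-ietf-secsh-filexfer (version 3, as used by OpenSSH).
FXP_OPEN, FXP_CLOSE, FXP_READ, FXP_WRITE = 3, 4, 5, 6
FXP_STATUS, FXP_HANDLE, FXP_DATA = 101, 102, 103
FX_OK = 0                                   # SSH_FX_OK status code
FXF_NAMES = {1: "READ", 2: "WRITE", 4: "APPEND", 8: "CREAT", 16: "TRUNC", 32: "EXCL"}


class Reader:
    """Cursor over one packet body; all integers are big-endian as in SSH."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self):                       # SSH "string": uint32 length + bytes
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def split_packets(stream):
    """Yield (type, body) for each length-prefixed packet in a byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        (n,) = struct.unpack_from(">I", stream, pos)
        if n < 1 or pos + 4 + n > len(stream):
            raise ValueError("truncated or malformed SFTP packet")
        yield stream[pos + 4], stream[pos + 5:pos + 4 + n]
        pos += 4 + n


class TransactionLog:
    """Correlate OPEN/HANDLE, READ/DATA, WRITE/STATUS and CLOSE by request id."""
    def __init__(self):
        self.pending = {}   # request id -> tuple describing the outstanding request
        self.files = {}     # server handle -> {"path", "read", "written"}
        self.lines = []     # syslog-style records, one per open/close event

    def feed(self, direction, stream):       # direction: "c" client->server, "s" reverse
        for pkt_type, body in split_packets(stream):
            (self._client if direction == "c" else self._server)(pkt_type, body)

    def _client(self, pkt_type, body):
        r = Reader(body)
        rid = r.u32()
        if pkt_type == FXP_OPEN:
            path = r.string().decode("utf-8", "replace")
            self.pending[rid] = ("open", path, r.u32())            # pflags
        elif pkt_type == FXP_READ:
            self.pending[rid] = ("read", r.string())               # handle
        elif pkt_type == FXP_WRITE:
            handle = r.string()
            r.u64()                                                 # offset
            self.pending[rid] = ("write", handle, len(r.string()))
        elif pkt_type == FXP_CLOSE:
            self.pending[rid] = ("close", r.string())

    def _server(self, pkt_type, body):
        r = Reader(body)
        req = self.pending.pop(r.u32(), None)
        if req is None:                      # reply to a request type we ignore
            return
        kind = req[0]
        if kind == "open" and pkt_type == FXP_HANDLE:
            self.files[r.string()] = {"path": req[1], "read": 0, "written": 0}
            flags = "|".join(n for b, n in FXF_NAMES.items() if req[2] & b)
            self.lines.append(f"sftp open path={req[1]} flags={flags}")
        elif kind == "open" and pkt_type == FXP_STATUS:
            self.lines.append(f"sftp open path={req[1]} denied status={r.u32()}")
        elif kind == "read" and pkt_type == FXP_DATA:
            self.files[req[1]]["read"] += len(r.string())
        elif kind == "write" and pkt_type == FXP_STATUS and r.u32() == FX_OK:
            self.files[req[1]]["written"] += req[2]
        elif kind == "close":
            f = self.files.pop(req[1])
            self.lines.append("sftp close path=%s bytes_read=%d bytes_written=%d"
                              % (f["path"], f["read"], f["written"]))


# --- constructed sample session; the encoder helpers mirror the wire format ---
def u32(v): return struct.pack(">I", v)
def u64(v): return struct.pack(">Q", v)
def sstr(b): return u32(len(b)) + b
def packet(pkt_type, *fields):
    body = bytes([pkt_type]) + b"".join(fields)
    return u32(len(body)) + body


def demo_session():
    """Read /etc/passwd, create /tmp/exfil.bin, get refused on /etc/shadow."""
    h0, h1, noattrs = b"\x00", b"\x01", u32(0)           # made-up handles, empty ATTRS
    passwd = b"root:x:0:0:root:/root:/bin/sh\n" * 2      # 60 bytes of fake content
    wire = [
        ("c", packet(FXP_OPEN, u32(1), sstr(b"/etc/passwd"), u32(1), noattrs)),
        ("s", packet(FXP_HANDLE, u32(1), sstr(h0))),
        ("c", packet(FXP_READ, u32(2), sstr(h0), u64(0), u32(32768))),
        ("s", packet(FXP_DATA, u32(2), sstr(passwd))),
        ("c", packet(FXP_READ, u32(3), sstr(h0), u64(60), u32(32768))),
        ("s", packet(FXP_STATUS, u32(3), u32(1), sstr(b"End of file"), sstr(b""))),
        ("c", packet(FXP_CLOSE, u32(4), sstr(h0))),
        ("s", packet(FXP_STATUS, u32(4), u32(FX_OK), sstr(b""), sstr(b""))),
        ("c", packet(FXP_OPEN, u32(5), sstr(b"/tmp/exfil.bin"), u32(2 | 8 | 16), noattrs)),
        ("s", packet(FXP_HANDLE, u32(5), sstr(h1))),
        ("c", packet(FXP_WRITE, u32(6), sstr(h1), u64(0), sstr(b"A" * 100))),
        ("s", packet(FXP_STATUS, u32(6), u32(FX_OK), sstr(b""), sstr(b""))),
        ("c", packet(FXP_CLOSE, u32(7), sstr(h1))),
        ("s", packet(FXP_STATUS, u32(7), u32(FX_OK), sstr(b""), sstr(b""))),
        ("c", packet(FXP_OPEN, u32(8), sstr(b"/etc/shadow"), u32(1), noattrs)),
        ("s", packet(FXP_STATUS, u32(8), u32(3), sstr(b"Permission denied"), sstr(b""))),
    ]
    log = TransactionLog()
    for direction, raw in wire:
        log.feed(direction, raw)
    return log.lines


if __name__ == "__main__":
    print("\n".join(demo_session()))
```

Two design points worth noting. Byte counts are only credited when the server actually answers (DATA for a read, SSH_FX_OK for a write), so a denied or failed request does not inflate the log; and because SFTP identifies files by server-issued handles after the open, the path has to be remembered from the OPEN request, which is why a proxy must keep per-handle state rather than inspecting packets one at a time.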
By the way, syslog-ng 2.0.5 has been released recently. Hopefully this will stem the stream of “syslog-ng does not compile, please help” complaints, which was caused by my laziness in enabling spoof-source support unconditionally by default, without writing a proper configure.in test for whether libnet was present on the system.
