SFTP and Stateful Firewalls


So I have an internal server that will be automatically grabbing files from an external FTP server via SFTP.  It will be going through a stateful firewall.  I was able to configure it with the help of a coworker, but I am trying to get an understanding of how a stateful firewall can cause difficulties in an SFTP connection.  Is it dumb to say that SFTP = encrypted port 21 traffic ?  Any helpful explanation or URLs to resources would be appreciated.  Google was not being very helpful.


Actually, SFTP should be encrypted traffic on port 22, if not chosen differently.
Usually, SFTP uses SSH as an encrypted layer, which usually is on port 22.
Elemental12Author Commented:
I understood that part.  I just need some background about its interaction with a stateful firewall, and some of the possible issues that can occur.
For clarity:

1. SFTP - simple file sharing protocol
2. sFTP - Secure File transfer protocol (Uses SSH/SCP commands)
3. FTPs - File transfer protocol over SSL (Uses FTP commands NO SSH here)

Now take a look here:


This explains what the stateful firewall is and how it works. After taking the previously stated into consideration and the actual type of protocol you are using, you can see where some packets would be filtered out. BUT this should affect any kind of unsecured traffic.

Elemental12Author Commented:
Thank you for the article.  So my question then becomes if a user names an sFTP connection outbound through the firewall, stateful inspection running on the firewall would require that the return traffic be on the exact same port number?
"the firewall must accept incoming UDP packets. But the port number on the clients can be dynamically assigned
from anywhere between 1024 and 64K. Stateless firewall cannot accommodate this dynamic information. To enable
important UDP-based service, stateless firewall will allow UDP packets for all ports that are between 1024 and
64K. This opens security holes. For example, an attacker can set up a UDP daemon on a compromised host with a
port between 1024 and 64K, say 5000. The attacker will be able to connect to this host on port 5000 to remotely
control it even if there is a stateless firewall protecting this host.
For TCP connections, the port problem is a little bit better. TCP connections require SYN packet to set up
connections. So stateless firewall can just block any incoming TCP packets whose SYN flag is set in order to get
rid of the problem shown above for UDP. Unfortunately, sometimes we indeed need incoming TCP connections
and its port is dynamically negotiated. For example, when a client behind the firewall initiates an active FTP data
connection, it requires a TCP connections initiated from outside of the firewall to come in. But since the port on
the client is dynamically negotiated, the firewall cannot know it in advance. So either the application fails if firewall
blocks its connections or the firewall accepts all TCP connections initiated from outside to its internal hosts."

Read more here:

http://www.ecsl.cs.sunysb.edu/tr/packet_analysis_final.pdf -Page 2

This is also a great resource which should answer the many questions I'm sure you have:


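The quoted passage describes the difference in the abstract. The following toy connection-tracking model is an added example (not from the answerer, not from the cited paper) that makes the point concrete: an outbound SFTP session is a single TCP connection from the internal host to port 22, so every reply matches state the client's own SYN created, whereas an active-mode FTP data channel is a brand-new inbound connection from the server to a dynamically announced client port, which matches no state and is dropped. All addresses and ports are constructed for illustration.

```python
"""Toy model of stateful connection tracking (constructed for illustration).

A real firewall also tracks sequence numbers, timeouts and UDP pseudo-flows;
this model keeps only the part that matters for the question: which inbound
packets are answers to a connection the inside opened, and which are not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # set on the first packet of a TCP handshake
    ack: bool = False


class StatefulFirewall:
    """Remembers TCP flows initiated from the inside and admits only their replies."""

    def __init__(self, internal_prefix: str):
        self.internal_prefix = internal_prefix
        # 4-tuples (src_ip, src_port, dst_ip, dst_port) as seen on the outbound SYN.
        self.state = set()

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self._is_internal(pkt.src_ip):
            if pkt.syn and not pkt.ack:
                self.state.add(flow)            # new outbound connection: track it
                return "ALLOW (new state)"
            if flow in self.state:
                return "ALLOW (established)"
            return "DROP (no state)"
        # Inbound: only packets that answer a tracked outbound flow get through.
        if reverse in self.state:
            return "ALLOW (reply to tracked flow)"
        return "DROP (unsolicited inbound)"


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"   # constructed sample addresses


def sftp_session(fw: StatefulFirewall) -> list:
    """Client opens one TCP connection to port 22; everything rides on it."""
    return [
        fw.filter(Packet(CLIENT, 51000, SERVER, 22, syn=True)),            # SYN out
        fw.filter(Packet(SERVER, 22, CLIENT, 51000, syn=True, ack=True)),  # SYN/ACK back
        fw.filter(Packet(CLIENT, 51000, SERVER, 22, ack=True)),            # ACK out
        fw.filter(Packet(SERVER, 22, CLIENT, 51000, ack=True)),            # encrypted data back
    ]


def active_ftp_session(fw: StatefulFirewall) -> list:
    """Control channel to port 21 is fine; the server-initiated data channel is not."""
    return [
        fw.filter(Packet(CLIENT, 51001, SERVER, 21, syn=True)),
        fw.filter(Packet(SERVER, 21, CLIENT, 51001, syn=True, ack=True)),
        # Active mode: the server opens a NEW connection from port 20 to the port
        # the client announced in its PORT command (52000 here, constructed).
        fw.filter(Packet(SERVER, 20, CLIENT, 52000, syn=True)),
    ]


if __name__ == "__main__":
    print("SFTP:      ", sftp_session(StatefulFirewall("10.0.0.")))
    print("Active FTP:", active_ftp_session(StatefulFirewall("10.0.0.")))
```

The model answers the question asked above: the return traffic does not need to arrive on a fixed well-known port; it needs to match the reversed 4-tuple of a connection the inside already opened. SFTP satisfies that trivially because its single SSH connection carries the whole transfer. Active FTP fails because the data channel's inbound SYN matches nothing, which is why firewalls need an FTP-aware helper that reads the PORT command, or the client must use passive mode.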

Elemental12Author Commented:
Thank you very much, I appreciate the assistance.