While it might sound all very easy you need to remember that you need to do this with every packet in the data stream which is less easy to manage. You would need an SSH client that would ignore or replace the port 22 with port 21 and appropriately fragment each packet into it's three sections in order for this to work.

Doable? Yes. Trivial? Not really.

Additionally, as you rightly point out, it might make it past the firewall but Snort and almost any other NIDS should start alarm bells jangling in an admin's head when it shows the offset framentation of packets.

If I were presenting this I wouldn't try to demo it because of the complexity of trying it. Murphy's Law clearly states that it will work flawlessly until you are in the middle of the presentation to the board and then..... I would prefer to give a laymans explanation of the issue, why the firewall may fail to detect it and what the host will do with the remaining packets.

A nice little mitigating factor might be used on servers that are publicly available. Employ IPSec to "Require Security" on all ports that are not publicly available but that provide service locally, (within the DMZ). That way anything that "finds it's way" past firewall rules still has the issue of negotiating IPSec via a Pre-Shared Key.... The result... No communication. Should work.... Need to test it in the morning.... Dunno why I never thought of it.... layers, layers, layers......