
Re: [hobbit] Feature request: SSL/TLS client/server negotiation



1. SSL or no SSL, a hole needs to be punched if you have a deny-by-default
packet-filter firewall. Conceivably, you could use SSL to authenticate the
client using a client certificate in lieu of a packet-filter firewall.
However, both have their own merits and may serve your needs best if you use
both.
2. If you have a server (Hobbit's typical client) compromised, you have a
serious problem. DoS to the Hobbit server is much less of a concern, since
it can be done as long as the target has a public service (or is reachable
over the net). Potential compromise of the Hobbit server by a rogue client
is more of an issue here.
So, a question to Henrik: how well does the Hobbit server protect itself from a
misbehaving client (bad code, or malicious), with the bbd listening to
client traffic via TCP/1984 and parsing (potentially malformed/malicious)
data from the client? Has any security audit been done?
3. This can be done pretty easily with PGP or GPG. The client has the server's
public key and encrypts the report data with it. The server (or a new server
extension) decrypts the data, then processes it as usual.

On 10/12/06, Schwimmer, Eric E *HS <EES2Y (at) hscmail.mcc.virginia.edu> wrote:


The subject pretty much says it all :)  The top item on my hobbit wish
list is to see some sort of client/server authentication & encryption.
This will take care of three of my largest hobbit worries/problems:

1.  Having to poke a hole in my hobbit server's firewall every time I
add a new hobbit client.

2.  The possibility that someone might compromise one machine running a
hobbit client and use that machine to send false reports or DoS the
hobbit server.

3.  Protecting tender bits of info (such as my log files) that would
otherwise traverse the network unencrypted.

Of course, this would break a lot of existing scripts (devmon, bb-xsnmp,
etc); perhaps it would be possible to have the secure server listen on a
different port?

I know I could do all of this with stunnel, but that's one more thing
I'd have to install and setup (and one more thing that could break) on
all of my hobbit clients. Plus, there's always the laziness factor :)

Food for thought.

-Eric

To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe (at) hswn.dk
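The reply's point 1 (a client certificate doing the job of the per-client firewall hole) and point 2 (the server must still treat whatever an authenticated client sends as untrusted input), together with Eric's suggestion of a separate port for the secure listener, as an added worked example. This is not code from the thread or from Hobbit itself; Hobbit is written in C, but the example is in Go because its standard library carries TLS and X.509 without extra dependencies. Everything named in it is an assumption made for the demo: the throwaway CA and certificate names, port 0 (the kernel picks a free port) standing in for a fixed second port beside TCP/1984, the one-word "ok"/"reject" replies, the 4 KiB line limit, and the simplified "status host.test color text" line with commas in place of a FQDN's dots.

```go
package main

// Added example, not Hobbit/Xymon code: the CA, certificate names, port, reply
// words and the simplified status-line format are assumptions made for this demo.

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a P-256 certificate: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent that is valid for server and client auth.
func newCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // clients dial the server by loopback IP
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Assumed, simplified form of Hobbit's "status <host>.<test> <color> <text>"
// line, with commas standing in for the dots of a FQDN in the host part.
var hostRe = regexp.MustCompile(`^[a-z0-9][a-z0-9,-]{0,62}\.[a-z0-9]{1,32}$`)
var colors = map[string]bool{"green": true, "yellow": true, "red": true, "clear": true, "purple": true, "blue": true}

// parseReport validates one status line before the server acts on it: an
// authenticated client is still untrusted input.
func parseReport(line string) (host, color string, err error) {
	f := strings.Fields(line)
	if len(f) < 3 || f[0] != "status" || !hostRe.MatchString(f[1]) || !colors[f[2]] {
		return "", "", fmt.Errorf("malformed status line: %q", strings.TrimSpace(line))
	}
	return f[1], f[2], nil
}

// serve answers "ok" or "reject" on each connection. A client without a
// CA-signed certificate never gets that far: its handshake fails inside the read.
func serve(ln net.Listener) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		c.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled client cannot hold us forever
		// ReadSlice on a fixed 4 KiB buffer: a peer that never sends a newline
		// gets ErrBufferFull instead of growing our memory without bound.
		line, rerr := bufio.NewReaderSize(c, 4096).ReadSlice('\n')
		switch _, _, perr := parseReport(string(line)); {
		case rerr != nil: // failed handshake (no trusted client cert) or bad read: say nothing
		case perr != nil:
			fmt.Fprint(c, "reject\n")
		default:
			fmt.Fprint(c, "ok\n")
		}
		c.Close()
	}
}

// send delivers one report as a client would; certs == nil means no client certificate.
func send(addr string, roots *x509.CertPool, certs []tls.Certificate, report string) (string, error) {
	c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, Certificates: certs, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err = fmt.Fprintf(c, "%s\n", report); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(c).ReadString('\n')
	return strings.TrimSpace(reply), err
}

// Demo runs the exchange on loopback: a certificate-holding client sends a valid
// and then a malformed report, and a client with no certificate is turned away.
func Demo() (okReply, badReply string, anonErr error) {
	ca, caKey := newCert("hobbit-demo-ca", nil, nil)
	srv, srvKey := newCert("hobbit-server", ca, caKey)
	cli, cliKey := newCert("web1", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ // port 0: the kernel picks a free one
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the certificate, not a firewall rule, is the "hole"
		ClientCAs:    pool, MinVersion: tls.VersionTLS12,
	})
	must(err)
	defer ln.Close()
	go serve(ln)
	addr := ln.Addr().String()
	cc := []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	okReply, err = send(addr, pool, cc, "status web1.http green up")
	must(err)
	badReply, err = send(addr, pool, cc, "status ../../etc/passwd pink")
	must(err)
	_, anonErr = send(addr, pool, nil, "status web1.http green spoofed")
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it and the three results print: the certificate-holding client gets "ok" for a well-formed report and "reject" for a malformed one, and the client with no certificate never gets a reply, because the server's handshake fails before it reads a byte. Two caveats a deployment has to face: every client now needs a CA-signed certificate issued, distributed and rotated, which is the operational cost the packet-filter hole did not carry; and the PGP route in point 3, encrypting to the server's public key, protects the report from eavesdropping but does not authenticate the sender, since anyone holding the public key can encrypt, so a rogue client can still send false reports unless it also signs them.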