Re: [hobbit] Alternate to msgcache/hobbitfetch?
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] Alternate to msgcache/hobbitfetch?
- From: Charles Jones <jonescr (at) cisco.com>
- Date: Tue, 05 Jun 2007 12:24:09 -0700
- Organization: Cisco Systems
- References: <20070605031815.348399EE2B (at) ws6-2.us4.outblaze.com>
- User-agent: Thunderbird 2.0.0.0 (X11/20070419)
Random thoughts on msgcache and alternatives:

1. SSH tunnels are nice, as they encrypt the data transfers.*

2. SSH tunnels are a pain in some ways; imagine managing 1000+ tunnels. Even if you have autossh to help keep them up, it's fairly resource-intensive to have thousands of ssh tunnels constantly established from your server to remote hosts.

3. I would imagine it's not a simple thing to modify Hobbit to do everything over an "on-demand" ssh tunnel, because Hobbit does more than just ssh to a host, run the client script, and parse the output. There is also all the other Hobbit protocol stuff like pushing out new clients, logfile monitoring, etc.

4. If Hobbit could do things via ssh, it would be much easier to deal with firewalls, as there are usually already rules in place for ssh, and if not, it usually doesn't raise any serious flags with infosec if you request ssh access.

*5. Regardless, I would like to see some sort of encryption of the Hobbit protocol. Nothing extreme, just not plaintext. Even a simple XOR of the data, or, even better, the server and clients could have a hobbit-security.conf where a key was defined, and all data would be XOR'd with this key. XORing data is easy to do in C and not resource intensive. This should satisfy the folks who worry about sending the contents of their logfiles and other sensitive information over the network.

Those are my ramblings for the day :)

-Charles
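Added example, not code from the post or from Hobbit: the repeating-key XOR scheme sketched in point 5, in C, with the key assumed to be read from a hypothetical hobbit-security.conf. It also shows the property a practitioner would check before relying on it: for two messages sent under the same key the key cancels out on the wire, which is why this is obfuscation rather than encryption.

```c
#include <stddef.h>
#include <string.h>

/* Repeating-key XOR as described in point 5. XOR is its own inverse,
 * so the same routine both "encrypts" and "decrypts" a buffer. */
static void xor_with_key(unsigned char *buf, size_t len,
                         const unsigned char *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* The check a defender wants: with a fixed shared key, c1 ^ c2 equals
 * p1 ^ p2 byte for byte, i.e. the key drops out and the relationship
 * between the two plaintexts is visible to anyone capturing traffic.
 * Returns 1 if the key cancels, 0 if not, -1 if the input is too long. */
static int key_cancels(const unsigned char *p1, const unsigned char *p2,
                       size_t len, const unsigned char *key, size_t keylen)
{
    unsigned char c1[64], c2[64];
    if (len > sizeof c1) return -1;
    memcpy(c1, p1, len);
    memcpy(c2, p2, len);
    xor_with_key(c1, len, key, keylen);
    xor_with_key(c2, len, key, keylen);
    for (size_t i = 0; i < len; i++)
        if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i])) return 0;
    return 1;
}

/* Round trip on a constructed client-report line with a constructed key.
 * Returns 1 when the data changed on the wire and decoded back intact. */
int roundtrip_demo(void)
{
    const unsigned char key[] = "example-key";              /* constructed */
    unsigned char msg[] = "status host.example,cpu green";  /* constructed */
    unsigned char orig[sizeof msg];
    memcpy(orig, msg, sizeof msg);
    xor_with_key(msg, sizeof msg - 1, key, sizeof key - 1);
    if (memcmp(msg, orig, sizeof msg - 1) == 0) return 0;  /* nothing hidden */
    xor_with_key(msg, sizeof msg - 1, key, sizeof key - 1);
    return memcmp(msg, orig, sizeof msg) == 0;
}
```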