1. ssl or no ssl, a hole needs to punched if you have deny-by-default packet-filter firewall. Conceivably, you could use SSL to authenticate client using client certificate in lieu of a packet-filter firewall. However, Both have their own merits and may serve your need best if you use both.
<br>2. If you have a server (Hobbit's typical client) compromised, you have serious problem. DoS to the Hobbit server is much lesser a concern, since it can be done as long as the target has public service (or is reachable over the net). Potential compromise of the Hobbit server by a rogue client is more of an issue here.
<br>So, question to Henrik, how well Hobbit server protects itself from a misbehaving client ( bad-code, or malicious) with the bbd listening to client traffic via TCP/1984 and parsing (potentially malformed/malicious) data from the client. Any security audit has been done?
<br>3. This can be done pretty easily by PGP or GPG. The client has server's public key and encrypt report data with it. Server (or a new server extension) decrypts the data then process it as usual.<br><br><div><span class="gmail_quote">
On 10/12/06, <b class="gmail_sendername">Schwimmer, Eric E *HS</b> <<a href="mailto:EES2Y@hscmail.mcc.virginia.edu" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">EES2Y@hscmail.mcc.virginia.edu
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>The subject pretty much says it all :) The top item on my hobbit wish<br>list is to see some sort of client/server authentication & encryption.<br>This will take care of three of my largest hobbit worries/problems:
<br><br>1. Having to poke a hole in my hobbit server's firewall every time I<br>add a new hobbit client.<br><br>2. The possibility that someone might compromise one machine running a<br>hobbit client and use that machine to send false reports or DOS the
<br>hobbit server.<br><br>3. Prevent tender bits of info (such as my log files) that would<br>otherwise traverse the network unencrypted.<br><br>Of course, this would break a lot of existing scripts (devmon, bb-xsnmp,<br>
etc); perhaps it would be possible to have the secure server listen on a<br>different port?<br><br>I know I could do all of this with stunnel, but that's one more thing<br>I'd have to install and setup (and one more thing that could break) on
<br>all of my hobbit clients. Plus, there's always the laziness factor :)<br><br>Food for thought.<br><br>-Eric<br><br>To unsubscribe from the hobbit list, send an e-mail to<br><a href="mailto:hobbit-unsubscribe@hswn.dk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
hobbit-unsubscribe@hswn.dk</a><br><br><br></blockquote></div><br>