[hobbit] Feature request: SSL/TLS client/server negotiation

Jerry Yu jjj863 at gmail.com
Fri Oct 13 16:40:42 CEST 2006


1. SSL or no SSL, a hole needs to be punched if you have a deny-by-default
packet-filter firewall. Conceivably, you could use SSL to authenticate the
client using a client certificate in lieu of a packet-filter firewall.
However, both have their own merits and may serve your need best if you use
both.
2. If you have a server (Hobbit's typical client) compromised, you have a
serious problem. DoS to the Hobbit server is a much lesser concern, since
it can be done as long as the target has a public service (or is reachable
over the net). Potential compromise of the Hobbit server by a rogue client
is more of an issue here.
So, a question to Henrik: how well does the Hobbit server protect itself from a
misbehaving client (bad code, or malicious), with the bbd listening to
client traffic via TCP/1984 and parsing (potentially malformed/malicious)
data from the client? Has any security audit been done?
3. This can be done pretty easily by PGP or GPG. The client has the server's
public key and encrypts report data with it. The server (or a new server
extension) decrypts the data, then processes it as usual.

On 10/12/06, Schwimmer, Eric E *HS <EES2Y at hscmail.mcc.virginia.edu> wrote:
>
>
> The subject pretty much says it all :)  The top item on my hobbit wish
> list is to see some sort of client/server authentication & encryption.
> This will take care of three of my largest hobbit worries/problems:
>
> 1.  Having to poke a hole in my hobbit server's firewall every time I
> add a new hobbit client.
>
> 2.  The possibility that someone might compromise one machine running a
> hobbit client and use that machine to send false reports or DOS the
> hobbit server.
>
> 3.  Prevent tender bits of info (such as my log files) that would
> otherwise traverse the network unencrypted.
>
> Of course, this would break a lot of existing scripts (devmon, bb-xsnmp,
> etc); perhaps it would be possible to have the secure server listen on a
> different port?
>
> I know I could do all of this with stunnel, but that's one more thing
> I'd have to install and setup (and one more thing that could break) on
> all of my hobbit clients. Plus, there's always the laziness factor :)
>
> Food for thought.
>
> -Eric
>
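The scheme in point 3 above (client encrypts the report with the server's public key, server decrypts and processes as usual), written out as an added example in Go. This is constructed illustration, not Hobbit/Xymon code and not GPG: it uses the same hybrid pattern GPG does (a fresh symmetric key per message, wrapped with the recipient's RSA public key) so the whole thing runs offline with only the Go standard library. The envelope wire format, the `hobbit-report-v1` label, and the sample status line are all assumptions made for the example; the server's key pair is assumed to have been distributed to clients out of band. The server side checks every field length before use, which is the concern raised in point 2 about parsing malformed client data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose; both sides must agree (constructed constant).
var oaepLabel = []byte("hobbit-report-v1")

// Envelope is the hypothetical wire format: the per-report AES key wrapped with
// the server's RSA public key, the GCM nonce, and the GCM ciphertext (tag included).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptReport runs on the client and needs only the server's public key:
// a fresh AES-256 key encrypts the report body, RSA-OAEP wraps that key.
func EncryptReport(serverPub *rsa.PublicKey, report []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, report, nil)}, nil
}

// DecryptReport runs on the server. Field lengths are validated before use,
// because the input comes from a client that may be buggy or hostile.
func DecryptReport(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("content key does not unwrap with this server key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope: bad nonce length") // gcm.Open would panic on this
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("report rejected: authentication tag mismatch")
	}
	return plain, nil
}

// Marshal serialises the envelope as three length-prefixed (uint32, big-endian) fields.
func (e *Envelope) Marshal() []byte {
	var buf bytes.Buffer
	var n [4]byte
	for _, f := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

// UnmarshalEnvelope parses the wire form, rejecting truncated or oversized fields
// instead of indexing past the buffer.
func UnmarshalEnvelope(wire []byte) (*Envelope, error) {
	var fields [3][]byte
	for i := range fields {
		if len(wire) < 4 {
			return nil, errors.New("truncated envelope: missing length")
		}
		n := binary.BigEndian.Uint32(wire[:4])
		wire = wire[4:]
		if uint64(n) > uint64(len(wire)) {
			return nil, errors.New("truncated envelope: field longer than remaining data")
		}
		fields[i] = wire[:n]
		wire = wire[n:]
	}
	if len(wire) != 0 {
		return nil, errors.New("malformed envelope: trailing bytes")
	}
	return &Envelope{WrappedKey: fields[0], Nonce: fields[1], Ciphertext: fields[2]}, nil
}

func main() {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // server key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	report := []byte("status www.example.com.http green Fri Oct 13 16:40:42 2006 HTTP OK") // constructed sample
	env, err := EncryptReport(&serverKey.PublicKey, report)
	if err != nil {
		panic(err)
	}
	wire := env.Marshal()
	parsed, err := UnmarshalEnvelope(wire)
	if err != nil {
		panic(err)
	}
	got, err := DecryptReport(serverKey, parsed)
	fmt.Printf("%d bytes on the wire; server recovered %q (err=%v)\n", len(wire), got, err)
}
```

Note what this does and does not give you: it covers point 3 (confidentiality of the report in transit) and the GCM tag lets the server reject any envelope altered on the way. It does not authenticate the client, so a compromised machine holding the server's public key can still submit encrypted false reports; client authentication needs a client-side signature or a per-client key, which is the separate problem points 1 and 2 are about.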