Re: cfengine, firewall and security

help-cfengine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfengine, firewall and security

From:	Elmar Kurgpold
Subject:	Re: cfengine, firewall and security
Date:	Fri, 10 Nov 2000 16:43:17 -0800 (PST)

For me, it's not the RSA encryption of the file transfer that is
appealing, it is the public key/private key handshake.  Although in my
environment the encryption is also nice. :-)

        ++Elmar

On Fri, 10 Nov 2000 Mark.Burgess@iu.hio.no wrote:

> I sometimes despair over the popular belief that RSA encryption equals
> security. While I agree that RSA is useful and that rsync is efficient,
> I am not convinced that there is a general understanding of why. As long
> as all source files are coming from a single common, trusted
> host, RSA doesn't provide anything that symmetric encryption does not
> in this case. That is the main reason why this simpler solution was
> used in cfengine. However, in more complex configurations, RSA allows
> multiple distinctions to be made between different trusted hosts.
> 
> I take issue with the idea that the only machine you need to worry about
> is the source machine behind the firewall. Once someone is in control
> of any one of your machines, they can do whatever they please. The
> worst (for them) they could do with cfengine would be to actually
> download the "safe" versions of data through the firewall, and confgure
> the machine correctly. The best they could do would be to switch off
> cfengine. 
> 
> In neither case does cfengine offer a route "through" the firewall.
> One could also question the use of encryption for copying public data
> (binaries etc). This is just burning unnecessary CPU cycles.  
> 
> There are always arguments for using encryption, but my belief is that
> they are usually dominated by encryption-fever and that, if folks
> spent as much time understanding the trust relationships in their
> networks, as they did burning CPU on encryption, their networks
> would be more secure. Encryption protects from so few attacks,
> on the scale of it all, that its mere mention  makes me groan these
> days.
> 
> It is not my intention to set of a major debate on the use of
> encryption. I just want to point out that this common blind
> trust in RSA is often misguided. It is not the panacea of security.
> 
> Mark's cynical spiel....;)
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine
> 

|  Elmar Kurgpold
|  Email: elmarkurgpold@yahoo.com

[Prev in Thread]

Current Thread

[Next in Thread]

cfengine, firewall and security, Patrice GUERLAIS, 2000/11/09
- Re: cfengine, firewall and security, Christopher Browne, 2000/11/09
- Re: cfengine, firewall and security, Mark R. Lindsey, 2000/11/09
  - RE: cfengine, firewall and security, Patrice GUERLAIS, 2000/11/09
    - RE: cfengine, firewall and security, Elmar Kurgpold, 2000/11/09
- RE: cfengine, firewall and security, Dan Bethe, 2000/11/09
- Re: cfengine, firewall and security, Dan Bethe, 2000/11/10
  - Re: cfengine, firewall and security, Mark . Burgess, 2000/11/10
    - RE: cfengine, firewall and security, Patrice GUERLAIS, 2000/11/10
    - Re: cfengine, firewall and security, Elmar Kurgpold <=
    - Re: cfengine, firewall and security, Sharif Nassar, 2000/11/10
- Re: cfengine, firewall and security, Dan Bethe, 2000/11/10

Prev by Date: Re: cfengine, firewall and security
Next by Date: Re: cfengine, firewall and security
Previous by thread: RE: cfengine, firewall and security
Next by thread: Re: cfengine, firewall and security
Index(es):
- Date
- Thread