help-cfengine

Re: cfengine, firewall and security


From: Elmar Kurgpold
Subject: Re: cfengine, firewall and security
Date: Fri, 10 Nov 2000 16:43:17 -0800 (PST)

For me, it's not the RSA encryption of the file transfer that is
appealing, it is the public key/private key handshake.  Although in my
environment the encryption is also nice. :-)

        ++Elmar

On Fri, 10 Nov 2000 address@hidden wrote:

> I sometimes despair over the popular belief that RSA encryption equals
> security. While I agree that RSA is useful and that rsync is efficient,
> I am not convinced that there is a general understanding of why. As long
> as all source files are coming from a single common, trusted
> host, RSA doesn't provide anything that symmetric encryption does not
> in this case. That is the main reason why this simpler solution was
> used in cfengine. However, in more complex configurations, RSA allows
> multiple distinctions to be made between different trusted hosts.
> 
> I take issue with the idea that the only machine you need to worry about
> is the source machine behind the firewall. Once someone is in control
> of any one of your machines, they can do whatever they please. The
> worst (for them) they could do with cfengine would be to actually
> download the "safe" versions of data through the firewall, and configure
> the machine correctly. The best they could do would be to switch off
> cfengine. 
> 
> In neither case does cfengine offer a route "through" the firewall.
> One could also question the use of encryption for copying public data
> (binaries etc). This is just burning unnecessary CPU cycles.  
> 
> There are always arguments for using encryption, but my belief is that
> they are usually dominated by encryption-fever and that, if folks
> spent as much time understanding the trust relationships in their
> networks, as they did burning CPU on encryption, their networks
> would be more secure. Encryption protects from so few attacks,
> on the scale of it all, that its mere mention makes me groan these
> days.
> 
> It is not my intention to set off a major debate on the use of
> encryption. I just want to point out that this common blind
> trust in RSA is often misguided. It is not the panacea of security.
> 
> Mark's cynical spiel....;)
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  address@hidden
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/help-cfengine
> 

|  Elmar Kurgpold
|  Email: address@hidden
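The trust point argued in the quoted message (one shared secret is as good as RSA when there is a single trusted source, but only per-host key pairs let a verifier tell trusted hosts apart) can be shown in a few lines. The following is an added example written for this archive page; it is not cfengine code and does not reflect how cfengine implements either scheme. The shared-secret side uses HMAC-SHA256. The public-key side is textbook RSA with small Mersenne primes and no padding, which is deliberately insecure and only there to make the trust property visible. The host names, the `PAYLOAD` file content and the `*_scenario` helpers are constructed for the illustration.

```python
"""Shared secret vs per-host public keys: who can a verifier distinguish?

Added example, not cfengine's code. The RSA below is a textbook toy
(tiny primes, no padding, hash reduced mod n); never reuse it as-is.
"""
import hashlib
import hmac
import secrets

# Constructed sample file content that a "master" host would distribute.
PAYLOAD = b"root:x:0:0:root:/root:/bin/sh\n"


# ---- Symmetric: one site-wide key that every host holds a copy of ----
def mac_sign(key: bytes, data: bytes) -> bytes:
    """Authenticate data with a shared secret (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_sign(key, data), tag)


# ---- Asymmetric: toy RSA, one key pair per host ----
def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for primes p, q. Toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_mod_n(data: bytes, n: int) -> int:
    # Unpadded hash reduced mod n: fine for showing key separation,
    # not an acceptable signature scheme.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


def symmetric_scenario() -> dict:
    """Single shared key: a compromised client can mint the same tag as the
    master, so a verifier cannot say which host produced the file."""
    site_key = secrets.token_bytes(32)  # the one key every host holds
    tag_from_master = mac_sign(site_key, PAYLOAD)
    tag_from_compromised_client = mac_sign(site_key, PAYLOAD)
    return {
        "master_accepted": mac_verify(site_key, PAYLOAD, tag_from_master),
        "client_accepted": mac_verify(site_key, PAYLOAD, tag_from_compromised_client),
        # Same key, same data: the two tags are byte-identical.
        "distinguishable": tag_from_master != tag_from_compromised_client,
    }


def asymmetric_scenario() -> dict:
    """Per-host key pairs: a client's signature fails under the master's
    public key, so the verifier can tell the two trusted hosts apart."""
    # Mersenne primes 2^17-1, 2^19-1, 2^13-1, 2^31-1 (toy sizes).
    master_pub, master_priv = rsa_keygen(131071, 524287)
    client_pub, client_priv = rsa_keygen(8191, 2147483647)
    sig_master = rsa_sign(master_priv, PAYLOAD)
    sig_client = rsa_sign(client_priv, PAYLOAD)
    return {
        "master_accepted": rsa_verify(master_pub, PAYLOAD, sig_master),
        "client_rejected_as_master": not rsa_verify(master_pub, PAYLOAD, sig_client),
        "client_accepted_as_client": rsa_verify(client_pub, PAYLOAD, sig_client),
    }


if __name__ == "__main__":
    print("shared secret :", symmetric_scenario())
    print("per-host keys :", asymmetric_scenario())
```

With one source host, both scenarios reduce to "was this produced by someone holding the trusted key", which is the message's point that RSA adds nothing over a shared secret there. The difference only appears once more than one host is trusted: in the symmetric case every copy of the site key is equally authoritative, so losing any client means losing source authentication for the whole site, whereas with per-host keys a verifier can decide which hosts it accepts files from and a compromised client cannot speak as the master.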
