On 31/10/2012 17:12, Benjamin Huntsman wrote:
I fail to see any security advantage in OCS. Especially after reading their
source code.
So you're arguing that it'd be more secure to have the entire GLPI web
application in a DMZ, than to have an OCS Communication Server in the DMZ that
only accepts Agent inventories, and keeping all the OCS and GLPI DBs (and
application front-ends) on the internal network?
It's a bit difficult to measure security objectively. Especially without
any kind of security threat model: what are you trying to protect,
against what?
You can consider the following setup:
1) "all my DMZ servers can initiate HTTPS connections to my GLPI server"
2) "my DMZ GLPI relay server can initiate MySQL connections to my GLPI
server"
3) "my DMZ OCS relay server can accept incoming MySQL connections from
my GLPI server"
I can't consider that any of those scenarios is directly more or less
secure than others, but 1) is obviously way simpler than 2) and 3), and
2) is also simpler than 3), because you have one less codebase to
manage. And if you consider that simplicity also helps auditing and
monitoring, then 1) is also more robust.
Even with SSL certificates in use?
SSL just protects you against man-in-the-middle attacks and sniffing,
not against software development issues, such as SQL injections or
buffer overflows. Unless you consider your server inventories as
confidential, you won't gain much using secure connections.
--
BOFH excuse #303:
fractal radiation jamming the backbone