On Wed, 11 Oct 2000, Karl J. Runge wrote:
> I was hoping you guys would elaborate a bit on the distinction in benefits
> between:
> 
>       1) using ssh across the internet
>       2) using ssh inside a firewalled work or home LAN

  There are a number of advantages.

  Defense in depth is one.  This is the security principle that says you
shouldn't rely on a single feature for protection; rather, you should layer
multiple defenses so that if the first layer fails, you are still protected.
What happens if your firewall is misconfigured or compromised?

  Internal security is another.  Many companies believe that most or all
threats will come from outside.  This simply isn't true.  Statistically
speaking, most serious attacks (not the script-kiddie/vandalism kind, but
directed attacks against your operation) come from inside the operation.
Systems are also generally much more vulnerable to local attacks, where you
can do things like attach a network sniffer to the physical media.

  For the truly paranoid, there is EMSEC (Emissions Security, sometimes called
TEMPEST from the old US DoD code-name for the project).  Any wire carrying an
electrical signal is also an antenna.  If you're running cleartext network
backups, you're also broadcasting your disk contents to the local area.  With
the right equipment, an attacker can monitor your network from outside your
physical facility.

> I'd also be interested in your suggestions/experiences for ssh activity
> automation i.e. via cron *w/o* passphrase.

  The passphrase protects your private/secret key against compromise if it is
stolen.  In the case of remote root access, you're really authenticating a
host-to-host connection.  In that case, it makes sense to use a private key
without a passphrase.  It is certainly better than plain old blind host trust
relationships.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
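One way to keep an eye on the passphrase-less host-to-host keys discussed above, as an added example that is not from the original thread: a small Python check that reads an OpenSSH authorized_keys file and flags entries a stolen automation key could use without a `from=` source restriction or a `command=` forced command (the option names are OpenSSH's own; the key material, hosts and file contents are constructed).

```python
# Added example (not from the original mail); sample data is constructed.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")
REQUIRED = ("from", "command")  # what a passphrase-less automation key should carry

def split_options_field(line):
    """Split off the options field (ends at first unquoted whitespace; '' if none)."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""

def option_names(options):
    """Lower-cased option names; commas inside quotes (from="a,b") don't split."""
    names, cur, in_quote = [], "", False
    for ch in options + ",":
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            if cur:
                names.append(cur.split("=", 1)[0].strip().lower())
            cur = ""
        else:
            cur += ch
    return names

def audit_authorized_keys(text):
    """Return [(line_no, comment, missing_options)] for under-restricted keys."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        options, rest = split_options_field(line)
        fields = rest.split(None, 2)  # key type, base64 key, optional comment
        comment = fields[2] if len(fields) > 2 else ""
        missing = [r for r in REQUIRED if r not in option_names(options)]
        if missing:
            findings.append((no, comment, missing))
    return findings

# Constructed sample: entry 1 unrestricted, 2 locked down, 3 source-pinned only.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 backup@nas
from="192.0.2.10",command="/usr/local/bin/backup-receive",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 backup@srv1
from="192.0.2.11" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY3 cron@srv2
"""
```

Running `audit_authorized_keys(SAMPLE)` reports entries 1 and 3; entry 2 passes because it names both the source host and the only command the key may run.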