On 6/22/15 5:06 PM, Black, David wrote:
> Hi Randy,

<snip>

> The secdir reviewer's original comment was:
>
>> I would also mention the specific problem of software running in a virtual
>> machine and accessing the hypervisor's variables. This is an attack vector
>> that is somewhat specific to this MIB. It cannot be mitigated by network
>> firewalls.
>
> That would be a consideration if AgentX was running over some sort of
> hypervisor syscall interface that could not be interposed on by a firewall.
> In that scenario, some sort of access controls on that syscall interface
> would be a good idea.

That's consistent with the security considerations for agent-x.

> OTOH, if one forced the AgentX access into the hypervisor to be via network
> traffic, then a firewall (e.g., a software firewall on the same hypervisor),
> could provide some mitigation.

I don't recall there inherently being a reason why agents couldn't use
TLS, or some other socket transport like websockets; it's just a
tcp-stream wrapping agent-x pdus.

> Thanks,
> --David
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
