On Mon, Dec 20, 2010 at 1:54 PM, Jarred White <[email protected]> wrote:
> Hello. I’m trying to find a way to remotely deploy OSSEC to some of our
> remote sites and have it report back to us on server health/security. There
> is no direct connection to the remote network, so any reporting would need
> to happen over the Internet since VPN is out of the question.
>
> Naturally I’m not going to send ossec alerts unencrypted via the Internet.
> I’ve thought about writing some scripts that would keep an stunnel up and
> running in order to report back to us, but I’m wondering if there is a
> better way.
>
> I did see this on the list archives, dated 9/21/06:
>
> Ossec uses blowfish (192 bits) for the agent/server communication channel
> and md5+sha1 combined for the integrity verification.
>
> I reviewed a presentation put on by Daniel and while it mentions the use of
> pre-shared keys, I’m interested in understanding a little bit more about how
> the authentication/security mechanism works. My guess is that the UDP
> traffic could be sniffed, but I’m just not sure and with my limited
> understanding about how it works, am not anxious to send alerts via the
> Internet.
>
> Any thoughts?
>
> Thanks,
>
> Jarred

The traffic between agents and the manager is authenticated and encrypted. I don't have an understanding of the technologies used to do this though.
