On 12/21/2010 11:58 PM, loyd. darby wrote:
> If you got the impression I am knocking OSSEC, I am not. On a LAN or private network there is no point in looking at another product because it is free and it rocks. I believe when you cross hostile networks (the cloud) the rules change. A static PSK is no more secure than having a strong password that never gets changed.
I am all for knocking OSSEC as long as the conversation is civil, which it always is in this group. :) Having honest discussions about the strengths and weaknesses of the product serves all of us.
> There are other products that use three-party authenticated agents and encrypted traffic with all the trimmings, but if you need that, they will find you. The ones I know are ridiculously expensive, and I am not selling anything but the idea that open source is cool and developers who make it get hero status in my book.
I would be interested to know more about these. I guess I just haven't seen them. We should learn from those security models and see if it makes sense for OSSEC.
> FIPS is a pain and does not really improve the security of communications in transit; it is all about securing the endpoints and protecting the executing code and junk like that. I guess what caused my reservation is the fact that if a key compromise did happen, you could be spied on forever and you would not be able to detect it. An operational control of assigning new keys to the clients frequently would mitigate that.
I think that is a legitimate concern. For most companies, it is probably not a realistic concern because, let's face it, we still have to deal with syslog, and that is a lot worse. But that doesn't mean we shouldn't address the issue of non-expiring keys. Key rotation would be a good thing to have in OSSEC, along with automation of handling the keys in general.
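The operational control discussed above (re-keying agents on a schedule so a stolen static key stops working after a bounded window) can be scripted outside OSSEC today. The following is an added example, not OSSEC's own code and not anything the project ships. It assumes the server-side client.keys layout of one agent per line, "<id> <name> <ip> <key>", and keeps the key issue dates in a separate dict because client.keys itself records no date; the sample file contents, rotation log and dates are constructed for illustration. Pushing the new key to each agent (the manage_agents import step) is left out; the script only decides which agents are overdue and produces the replacement server-side entries. Note that rotation shortens the exposure window but, as the thread says, does not by itself detect a compromise.

```python
"""Key-age tracking and rotation for a static pre-shared-key agent model.

Added example, not OSSEC code. Assumes the client.keys line layout
"<id> <name> <ip> <key>" and a separate issue-date log (an assumption;
client.keys carries no timestamp).
"""
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample client.keys content (not from a real server).
SAMPLE_CLIENT_KEYS = """\
001 web01 10.0.0.11 b1d6d2e6a5d5e4a2c3f1e0d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9
002 db01 10.0.0.12 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
003 bastion any 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b
"""

# Constructed rotation log: agent id -> UTC time the current key was issued.
# Agent 003 has no record on purpose: an unknown issue date is treated as expired.
SAMPLE_ROTATION_LOG = {
    "001": datetime(2010, 6, 1, tzinfo=timezone.utc),
    "002": datetime(2010, 12, 1, tzinfo=timezone.utc),
}
SAMPLE_NOW = datetime(2010, 12, 22, tzinfo=timezone.utc)  # constructed "today"
MAX_KEY_AGE = timedelta(days=90)                          # policy: re-key quarterly


def parse_client_keys(text):
    """Parse client.keys lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError("malformed client.keys line: %r" % line)
        agent_id, name, ip, key = parts
        entries.append({"id": agent_id, "name": name, "ip": ip, "key": key})
    return entries


def render_client_keys(entries):
    """Serialize entries back into client.keys line format."""
    return "".join("%s %s %s %s\n" % (e["id"], e["name"], e["ip"], e["key"])
                   for e in entries)


def generate_key(rng=secrets.token_hex):
    """Return a 64-hex-char key (256 bits from the OS CSPRNG by default).

    rng(nbytes) -> hex string; injectable so tests can be deterministic.
    """
    return rng(32)


def stale_agents(entries, rotation_log, now, max_age):
    """IDs whose key is older than max_age, or whose issue date is unknown."""
    stale = []
    for e in entries:
        issued = rotation_log.get(e["id"])
        if issued is None or now - issued > max_age:
            stale.append(e["id"])
    return stale


def rotate_stale_keys(entries, rotation_log, now, max_age, rng=secrets.token_hex):
    """Return (new_entries, new_log, rotated_ids) without mutating the inputs.

    Only overdue agents get a fresh key; everything else is copied through.
    """
    stale = set(stale_agents(entries, rotation_log, now, max_age))
    new_entries, new_log = [], dict(rotation_log)
    for e in entries:
        e2 = dict(e)
        if e["id"] in stale:
            e2["key"] = generate_key(rng)
            new_log[e["id"]] = now
        new_entries.append(e2)
    return new_entries, new_log, sorted(stale)


def rotate_demo(rng=secrets.token_hex):
    """Run the rotation over the constructed sample data."""
    entries = parse_client_keys(SAMPLE_CLIENT_KEYS)
    return rotate_stale_keys(entries, SAMPLE_ROTATION_LOG, SAMPLE_NOW, MAX_KEY_AGE, rng)


if __name__ == "__main__":
    new_entries, new_log, rotated = rotate_demo()
    print("rotated agents:", rotated)
    print(render_client_keys(new_entries), end="")
```

With the constructed data, agents 001 (key older than 90 days) and 003 (no issue date on record) are re-keyed and 002 is left alone; the rendered output is a drop-in replacement for the server-side file, and the updated log is what the next scheduled run reads. Treating a missing issue date as expired is deliberate: a key of unknown age is exactly the "forever" case the thread worries about.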
