Re: Securing communications with OpenBSD
On Thu, 9 Oct 2014 08:15:22 + "C. L. Martinez" wrote: > On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell > wrote: > > On Tue, 7 Oct 2014 07:08:54 + > > "C. L. Martinez" wrote: > > > >> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell > >> wrote: > >> > The most basic consideration in computer security has nothing to > >> > do with technology and computers. Do the people you need to keep > >> > out of the know need to know enough to come and break legs? > >> > > >> > If so, don't bother encrypting. They may not just break legs. > >> > > >> > Dhu > >> > > >> > On Mon, 06 Oct 2014 13:48:33 -0600 > >> > chester.t.fi...@hushmail.com wrote: > >> > > >> >> Very true, filling your subterranean data server with angry hornets > >> >> certainly seems like a good idea but it's really not, most AC > >> >> maintenance contractors will charge you extra (usually per sting!). > >> >> > >> >> Chester T. Field > >> >> > >> >> And remember when I left all the meat out because I saw Mr. David Lynch > >> >> “I’m on TV” do it, > >> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from > >> >> doin’ it? - Gandhi > >> >> > >> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: > >> >> > > >> >> >>Yes, my goal is to secure the > >> >> >>infrastructure as much as possible. > >> >> > > >> >> >I don't know details but it sounds overly complex. And complexity > >> >> >may cause other issues, without any benefit for security. > >> >> > > >> >> >Example, you don't have to encrypt your whole hard disk if the hard > >> >> >disk is located in guarded bunker. But if you do that, it will > >> >> >increase > >> >> >security in theory but that may cause service outtage if you have > >> >> >to > >> >> >always locally type your crypt password if machine crashes. > >> >> > > >> >> >I would put this effort to ease maintainability, ease monitoring, > >> >> >use stateful firewall, deploy honeypot etc. and avoid complexity. > >> >> > >> > >> Thanks guys for your answers. I know it: our it sec. dept. adds a > >> complexity to our infrastructure, but they are determined to do so. > >> > >> Searching via google I found this: > >> > >> http://www.safenet-inc.com/data-encryption/ > >> > >> HSM: hardware security modules ... But exists another problem. If I > >> would like to use some SSL/TLS or IPSec based solution, how can I > >> authenticate these servers between them without compromise host > >> security?? > >> > >> Any ideas?? > >> > >> > > > > Is "man 8 iked" what you are looking for? > > > > Dhu > > Uhmm . .. I don't understand your question Duncan... To use IPsec is a > possibility. > > Possibly 'cause I don't understand yours. You want to authenticate servers "without compromise host security" which to me implies the use of something like iked, the Internet Key Exchange (IKEv2) daemon, "which performs mutual authentication and which establishes and maintains IPsec flows and security associations (SAs) between the two peers." You don't need iked to run something like ipsec. You can exhange the keys some different way like, say multiple redundant one time pads and courriers (for the truly 'noidal). Dhu -- Ne obliviscaris, vix ea nostra voco.
Re: Securing communications with OpenBSD
On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell wrote: > On Tue, 7 Oct 2014 07:08:54 + > "C. L. Martinez" wrote: > >> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell >> wrote: >> > The most basic consideration in computer security has nothing to >> > do with technology and computers. Do the people you need to keep >> > out of the know need to know enough to come and break legs? >> > >> > If so, don't bother encrypting. They may not just break legs. >> > >> > Dhu >> > >> > On Mon, 06 Oct 2014 13:48:33 -0600 >> > chester.t.fi...@hushmail.com wrote: >> > >> >> Very true, filling your subterranean data server with angry hornets >> >> certainly seems like a good idea but it's really not, most AC >> >> maintenance contractors will charge you extra (usually per sting!). >> >> >> >> Chester T. Field >> >> >> >> And remember when I left all the meat out because I saw Mr. David Lynch >> >> “I’m on TV” do it, >> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from >> >> doin’ it? - Gandhi >> >> >> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: >> >> > >> >> >>Yes, my goal is to secure the >> >> >>infrastructure as much as possible. >> >> > >> >> >I don't know details but it sounds overly complex. And complexity >> >> >may cause other issues, without any benefit for security. >> >> > >> >> >Example, you don't have to encrypt your whole hard disk if the hard >> >> >disk is located in guarded bunker. But if you do that, it will >> >> >increase >> >> >security in theory but that may cause service outtage if you have >> >> >to >> >> >always locally type your crypt password if machine crashes. >> >> > >> >> >I would put this effort to ease maintainability, ease monitoring, >> >> >use stateful firewall, deploy honeypot etc. and avoid complexity. >> >> >> >> Thanks guys for your answers. I know it: our it sec. dept. adds a >> complexity to our infrastructure, but they are determined to do so. >> >> Searching via google I found this: >> >> http://www.safenet-inc.com/data-encryption/ >> >> HSM: hardware security modules ... But exists another problem. If I >> would like to use some SSL/TLS or IPSec based solution, how can I >> authenticate these servers between them without compromise host >> security?? >> >> Any ideas?? >> >> > > Is "man 8 iked" what you are looking for? > > Dhu Uhmm . .. I don't understand your question Duncan... To use IPsec is a possibility.
Re: Securing communications with OpenBSD
On Tue, 7 Oct 2014 07:08:54 + "C. L. Martinez" wrote: > On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell > wrote: > > The most basic consideration in computer security has nothing to > > do with technology and computers. Do the people you need to keep > > out of the know need to know enough to come and break legs? > > > > If so, don't bother encrypting. They may not just break legs. > > > > Dhu > > > > On Mon, 06 Oct 2014 13:48:33 -0600 > > chester.t.fi...@hushmail.com wrote: > > > >> Very true, filling your subterranean data server with angry hornets > >> certainly seems like a good idea but it's really not, most AC > >> maintenance contractors will charge you extra (usually per sting!). > >> > >> Chester T. Field > >> > >> And remember when I left all the meat out because I saw Mr. David Lynch > >> “I’m on TV” do it, > >> and he got on TV from doin’ it, and I did it and didn’t get on TV from > >> doin’ it? - Gandhi > >> > >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: > >> > > >> >>Yes, my goal is to secure the > >> >>infrastructure as much as possible. > >> > > >> >I don't know details but it sounds overly complex. And complexity > >> >may cause other issues, without any benefit for security. > >> > > >> >Example, you don't have to encrypt your whole hard disk if the hard > >> >disk is located in guarded bunker. But if you do that, it will > >> >increase > >> >security in theory but that may cause service outtage if you have > >> >to > >> >always locally type your crypt password if machine crashes. > >> > > >> >I would put this effort to ease maintainability, ease monitoring, > >> >use stateful firewall, deploy honeypot etc. and avoid complexity. > >> > > Thanks guys for your answers. I know it: our it sec. dept. adds a > complexity to our infrastructure, but they are determined to do so. > > Searching via google I found this: > > http://www.safenet-inc.com/data-encryption/ > > HSM: hardware security modules ... But exists another problem. If I > would like to use some SSL/TLS or IPSec based solution, how can I > authenticate these servers between them without compromise host > security?? > > Any ideas?? > > Is "man 8 iked" what you are looking for? Dhu -- Ne obliviscaris, vix ea nostra voco.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell wrote: > The most basic consideration in computer security has nothing to > do with technology and computers. Do the people you need to keep > out of the know need to know enough to come and break legs? > > If so, don't bother encrypting. They may not just break legs. > > Dhu > > On Mon, 06 Oct 2014 13:48:33 -0600 > chester.t.fi...@hushmail.com wrote: > >> Very true, filling your subterranean data server with angry hornets >> certainly seems like a good idea but it's really not, most AC >> maintenance contractors will charge you extra (usually per sting!). >> >> Chester T. Field >> >> And remember when I left all the meat out because I saw Mr. David Lynch “I’m >> on TV” do it, >> and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ >> it? - Gandhi >> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: >> > >> >>Yes, my goal is to secure the >> >>infrastructure as much as possible. >> > >> >I don't know details but it sounds overly complex. And complexity >> >may cause other issues, without any benefit for security. >> > >> >Example, you don't have to encrypt your whole hard disk if the hard >> >disk is located in guarded bunker. But if you do that, it will >> >increase >> >security in theory but that may cause service outtage if you have >> >to >> >always locally type your crypt password if machine crashes. >> > >> >I would put this effort to ease maintainability, ease monitoring, >> >use stateful firewall, deploy honeypot etc. and avoid complexity. >> Thanks guys for your answers. I know it: our it sec. dept. adds a complexity to our infrastructure, but they are determined to do so. Searching via google I found this: http://www.safenet-inc.com/data-encryption/ HSM: hardware security modules ... But exists another problem. If I would like to use some SSL/TLS or IPSec based solution, how can I authenticate these servers between them without compromise host security?? Any ideas??
Re: Securing communications with OpenBSD
The most basic consideration in computer security has nothing to do with technology and computers. Do the people you need to keep out of the know need to know enough to come and break legs? If so, don't bother encrypting. They may not just break legs. Dhu On Mon, 06 Oct 2014 13:48:33 -0600 chester.t.fi...@hushmail.com wrote: > Very true, filling your subterranean data server with angry hornets > certainly seems like a good idea but it's really not, most AC > maintenance contractors will charge you extra (usually per sting!). > > Chester T. Field > > And remember when I left all the meat out because I saw Mr. David Lynch “I’m > on TV” do it, > and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ > it? - Gandhi > > On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: > > > >>Yes, my goal is to secure the > >>infrastructure as much as possible. > > > >I don't know details but it sounds overly complex. And complexity > >may cause other issues, without any benefit for security. > > > >Example, you don't have to encrypt your whole hard disk if the hard > >disk is located in guarded bunker. But if you do that, it will > >increase > >security in theory but that may cause service outtage if you have > >to > >always locally type your crypt password if machine crashes. > > > >I would put this effort to ease maintainability, ease monitoring, > >use stateful firewall, deploy honeypot etc. and avoid complexity. > > -- Ne obliviscaris, vix ea nostra voco.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 4:17 PM, Giancarlo Razzolini wrote: > Traffic in the clear, even on a switch controlled by you, doesn't mean > that anyone with physical access couldn't tap into your switch and see > the traffic. Which is why you need to lock down the switch as well. Password protected. Disable all unused ports. Have some kind of MAC detection to detect and alert unknown MACs (e.g. infoblox or something home rolled - not that difficult) Good security is also a matter of the policies and procedures you have in place. Who has root access? How do they access root? (sudo is best - and log it all). Is there a change management policy and procedure? -- "Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of "In Defense of Food"
Re: Securing communications with OpenBSD
On 06-10-2014 16:36, Matti Karnaattu wrote: > I don't know details but it sounds overly complex. And complexity > may cause other issues, without any benefit for security. > > Example, you don't have to encrypt your whole hard disk if the hard > disk is located in guarded bunker. But if you do that, it will increase > security in theory but that may cause service outtage if you have to > always locally type your crypt password if machine crashes. You pretty much always want to encrypt you drive these days. > > I would put this effort to ease maintainability, ease monitoring, > use stateful firewall, deploy honeypot etc. and avoid complexity. > Traffic in the clear, even on a switch controlled by you, doesn't mean that anyone with physical access couldn't tap into your switch and see the traffic. There are simple vpn solutions. OP, take a look at iked and OpenVPN. I believe that these two are the most indicated for your case. Cheers, [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: Securing communications with OpenBSD
Very true, filling your subterranean data server with angry hornets certainly seems like a good idea but it's really not, most AC maintenance contractors will charge you extra (usually per sting!). Chester T. Field And remember when I left all the meat out because I saw Mr. David Lynch “I’m on TV” do it, and he got on TV from doin’ it, and I did it and didn’t get on TV from doin’ it? - Gandhi On 10/6/2014 at 1:37 PM, "Matti Karnaattu" wrote: > >>Yes, my goal is to secure the >>infrastructure as much as possible. > >I don't know details but it sounds overly complex. And complexity >may cause other issues, without any benefit for security. > >Example, you don't have to encrypt your whole hard disk if the hard >disk is located in guarded bunker. But if you do that, it will >increase >security in theory but that may cause service outtage if you have >to >always locally type your crypt password if machine crashes. > >I would put this effort to ease maintainability, ease monitoring, >use stateful firewall, deploy honeypot etc. and avoid complexity.
Re: Securing communications with OpenBSD
>Yes, my goal is to secure the >infrastructure as much as possible. I don't know details but it sounds overly complex. And complexity may cause other issues, without any benefit for security. Example, you don't have to encrypt your whole hard disk if the hard disk is located in guarded bunker. But if you do that, it will increase security in theory but that may cause service outtage if you have to always locally type your crypt password if machine crashes. I would put this effort to ease maintainability, ease monitoring, use stateful firewall, deploy honeypot etc. and avoid complexity.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 2:27 PM, Alan McKay wrote: > On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez wrote: >> Is my approach correct? Any other better solution? Is it stupid this >> approach? > > You did not really state what your goal was. Or what the problem is. > > "Securing communications between front and back end via SSH/SSL" is > not a goal or problem. It is a solution to a problem. > > To me it seems a bit strange that you'd want to do this if they are all in the > same rack, for example, connected to switches that you control. > > Is the goal just to make your infrastructure as secure as possible? Thanks Alan for your answer. Yes, my goal is to secure the infrastructure as much as possible. Our IT Security Dept. has made a request in that direction.
Re: Securing communications with OpenBSD
On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez wrote: > Is my approach correct? Any other better solution? Is it stupid this > approach? You did not really state what your goal was. Or what the problem is. "Securing communications between front and back end via SSH/SSL" is not a goal or problem. It is a solution to a problem. To me it seems a bit strange that you'd want to do this if they are all in the same rack, for example, connected to switches that you control. Is the goal just to make your infrastructure as secure as possible? -- "Don't eat anything you've ever seen advertised on TV" - Michael Pollan, author of "In Defense of Food"
Securing communications with OpenBSD
Hi all, I appeal to you to see if you can give me some advice. I need to secure communications between my front-end and back-end servers. First, my infrastructure: Internet ---> Public OpenBSD Carp'ed fws ---> FreeBSD front-end web servers (https) ---> Internal OpenBSD Carp'ed fws ---> CentOS back-end servers (http, tomcat and Oracle BBDD 11g). Between these back-end and front-end servers, packet average is 1000 pkt/sec. And as you can imagine, traffic between these back-end and front-end servers goes in clear. I'm planning to deploy OpenBSD based servers between these back/front end servers using these technologies, both or only one. a) Establishing SSL tunnels. b) Establishing IPSec tunnels host to host. It could establish tunnels using these servers directly, but I prefer to avoid the impact of processing and/or performance that would occur. And another thing: I need to secure comms between backend servers also. Oracle BBDD hosts are installed in different hosts than tomcat application servers, for example. Is my approach correct? Any other better solution? Is it stupid this approach? Thanks. P.D: I can use cryptographic cards, if I need it.
