> Maybe I was not completely clear. I think we should go the TLS route and
> let the operator decide whether he wants authenticated or
> unauthenticated TLS (or asymmetric authentication, e.g. the server is
> authenticated but the client is not just like in HTTPS) So I fully agree
> with Rainer on this one.
>
> --
> Bazsi

This is a way to go, but it is important to note that the absence of client-side certificates (authentication) potentially exposes you to hostile clients attempting to masquerade as a legitimate client. It also makes it more difficult to guard against man-in-the-middle attacks.

I like the idea of using TLS because it is much lighter weight than IPsec and it is better understood by a broader group of IT professionals.

In a scenario where all the clients and servers are using certificates from the same issuing CA, one could also make the argument that this is the basis of trust, starting at the device, flowing through relays, and arriving at collectors.

-Eric

Eric A. Hibbard, CISSP, ISSAP, ISSMP, ISSEP
Senior Director, Data Networking Technology
Chair, SNIA Security Technical Work Group
Office of the CTO
HITACHI DATA SYSTEMS
750 Central Expressway, MS 3407
Santa Clara, CA 95050-2627
P 408.970.7979/ F 408.562.5477
[EMAIL PROTECTED]

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
