[lug] security question

Bear Giles bgiles at coyotesong.com
Wed Jun 2 12:23:30 MDT 2010


Don't forget about openvpn.  I don't know how well openvpn and openssh play
together - iirc if you have two ssl layers you can occasionally hit weird
bottlenecks where the performance goes through the floor.  I don't recall if
that's easily handled by somebody who knows how to use SSL networking (vs.
regular sockets) or if it's intrinsic.


On Wed, Jun 2, 2010 at 12:06 PM, John Hernandez <jph at jph.net> wrote:

> On the server side of the file transfer, I'd suggest having a look at
> the scponly package.
>
> http://sublimation.org/scponly/wiki/index.php/Main_Page
>
> It should be available as a Debian/Ubuntu package, not sure about RH.
>
> On Wed, Jun 2, 2010 at 11:59 AM, Kevin Kempter
> <kevin at kevinkempterllc.com> wrote:
> > Hi all;
> >
> > we're moving on a service where we'll need to have a component within our
> > clients' networks that will deliver data back to us for analysis/processing.
> > Security is a big concern.  We're thinking of something like this:
> >
> > 1) setup ssh keys onto a cloud server (or a dmz box) for each client
> >
> > 2) have each client's local processing ssh the data file (zipped and
> > encrypted) to the cloud server where the umask for the connecting user will
> > be 0477 thus they cannot do anything, and we'll have a process that gets
> > called that accepts data from stdin and writes to a file
> >
> > We'd like to deploy reasonably sufficient security while at the same time keep
> > it as simple as possible. We're open to the delivery server being either a
> > dmz box within our network or a cloud server for security
> >
> >
> > Here's my questions:
> >
> > 1) thoughts on the above approach?
> >
> > 2) thoughts on alternate approaches?
> >
> > Thanks in advance...
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> >
>
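
Added example, not part of the thread: one way to build the "process that accepts data from stdin and writes to a file" from the original question, run as an sshd forced command so the client key cannot start anything else. The script name, paths, size cap and the authorized_keys line are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command receiver: reads one upload from stdin and stores it.
# Hypothetical wiring in ~/.ssh/authorized_keys, one line per client key
# (restrict needs OpenSSH 7.2+; script path and key are placeholders):
#   restrict,command="/usr/local/bin/receive-upload acme" ssh-ed25519 <client-public-key>
# The client-supplied command (SSH_ORIGINAL_COMMAND) is never evaluated.

receive_upload() (
    client=$1 dest=$2 max_bytes=$3

    # The client id comes from authorized_keys, not from the client, but
    # validate it anyway because it becomes part of a file name.
    case $client in
        ''|*[!A-Za-z0-9_-]*) echo "bad client id" >&2; exit 2 ;;
    esac

    umask 077    # nothing created here is group or world accessible
    tmp=$(mktemp "$dest/.incoming.XXXXXX") || exit 1

    # Read at most max_bytes+1 so an oversized stream is detected without
    # filling the disk.
    head -c "$((max_bytes + 1))" > "$tmp"
    size=$(wc -c < "$tmp")
    if [ "$((size))" -gt "$max_bytes" ] || [ "$((size))" -eq 0 ]; then
        rm -f "$tmp"
        echo "rejected: empty or over $max_bytes bytes" >&2
        exit 3
    fi

    # Server-chosen name; rename is atomic within one filesystem, so the
    # downstream job never sees a partial file.
    final="$dest/$client-$(date -u +%Y%m%dT%H%M%SZ)-${tmp##*.}.upload"
    mv "$tmp" "$final" && printf '%s\n' "$final"
)

# Run as the forced command: receive-upload <client-id> [dest] [max-bytes]
if [ "$#" -ge 1 ]; then
    receive_upload "$1" "${2:-/srv/incoming}" "${3:-104857600}"
fi
```

On the client side the upload is then a plain `ssh user@host < datafile`; whatever command the client appends is ignored by the receiver.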