[lug] security question

George Sexton georges at mhsoftware.com
Thu Jun 3 09:47:50 MDT 2010


You have to weigh whether the additional security of using SSH to move
already encrypted data is superior to using a simpler protocol.

For example, if the data is strongly encrypted you could just use a simple
web server to host the data. It cuts out the SSH side and a lot of
complexity. The argument against that is that "anyone" could download the
encrypted data. What would they then do with it? 

To rephrase it, is the "superior security" of ssh worth the risk of a larger
attack surface?

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com


> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us] On Behalf Of Kevin Kempter
> Sent: Wednesday, June 02, 2010 12:00 PM
> To: Boulder (Colorado) Linux Users Group -- General Mailing List
> Subject: [lug] security question
> 
> Hi all;
> 
> We're moving on a service where we'll need to have a component within our clients' networks that will deliver data back to us for analysis/processing. Security is a big concern. We're thinking of something like this:
> 
> 1) set up ssh keys onto a cloud server (or a dmz box) for each client
> 
> 2) have each client's local processing ssh the data file (zipped and encrypted) to the cloud server where the umask for the connecting user will be 0477, thus they cannot do anything, and we'll have a process that gets called that accepts data from stdin and writes to a file
> 
> We'd like to deploy reasonably sufficient security while at the same time keep it as simple as possible. We're open to the delivery server being either a dmz box within our network or a cloud server for security
> 
> 
> Here are my questions:
> 
> 1) thoughts on the above approach?
> 
> 2) thoughts on alternate approaches?
> 
> Thanks in advance...
> 
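The receiver from step 2 of the quoted message, as an added example that is not from either poster: a POSIX sh forced command, pinned to each client's key in the drop account's authorized_keys, that accepts the upload on stdin and writes it to a per-client spool and nothing else. The drop account, spool path, client label, "upload" request string and size cap are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Pin this script to each client's key in
# ~/.ssh/authorized_keys of an unprivileged drop account, e.g.
#   restrict,command="/usr/local/bin/lug-receive.sh client01" ssh-ed25519 AAAA... client01
# "restrict" (OpenSSH 7.2+) turns off forwarding, PTY and X11 for that key, and
# sshd runs this script no matter what the client asked to execute; the
# client's actual request is exposed in SSH_ORIGINAL_COMMAND.

SPOOL_ROOT="${SPOOL_ROOT:-/var/spool/lug-drop}"   # assumed spool location
MAX_BYTES="${MAX_BYTES:-104857600}"                # assumed 100 MiB cap

lug_receive() {
    client="$1"
    # The label becomes a directory name: allow only [A-Za-z0-9_-], so no "../".
    case "$client" in
        ''|*[!A-Za-z0-9_-]*) echo "bad client label" >&2; return 2 ;;
    esac
    umask 077                                      # owner-only for everything below
    dir="$SPOOL_ROOT/$client"
    mkdir -p "$dir" || return 4
    # Anything other than a plain upload request means the key is being used for
    # something it was never meant for: refuse it and leave a (sanitised) log line.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ "$SSH_ORIGINAL_COMMAND" != "upload" ]; then
        req=$(printf '%s' "$SSH_ORIGINAL_COMMAND" | tr -cd '[:print:]')
        echo "$client rejected request: $req" >> "$SPOOL_ROOT/receive.log"
        return 3
    fi
    # mktemp creates the file atomically (mode 0600, unique name), so one upload
    # can never overwrite another, even from the same client in the same second.
    out=$(mktemp "$dir/$(date -u +%Y%m%dT%H%M%SZ).XXXXXX") || return 5
    # Read at most cap+1 bytes from stdin; the extra byte detects oversize input.
    head -c "$((MAX_BYTES + 1))" > "$out" || { rm -f "$out"; return 6; }
    size=$(wc -c < "$out" | tr -d ' ')
    if [ "$size" -eq 0 ] || [ "$size" -gt "$MAX_BYTES" ]; then
        rm -f "$out"
        echo "$client rejected: $size bytes (cap $MAX_BYTES)" >> "$SPOOL_ROOT/receive.log"
        return 7
    fi
    # Record what arrived (never the content) so the processing side can reconcile.
    echo "$client $out $size" >> "$SPOOL_ROOT/receive.log"
    printf '%s\n' "$out"
}

# When sshd runs this as the forced command, the client label is the only argument.
if [ $# -gt 0 ]; then
    lug_receive "$1"
fi
```

The client side then needs nothing more than `ssh drop@server upload < data.enc`; the server never reads a filename from the client, so it cannot be steered outside its own spool directory.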