[Orca-users] Re: Anyone using Orca with rsync?
Sean O'Neill
sean at seanoneill.info
Sat Nov 22 20:18:29 PST 2003
Ade Rixon wrote:
>Also, Sean O'Neill followed up with:
>
>>If you have an ORCA server that SSH's into the remote systems and rsyncs
>>down the data (e.g. PULL), this one machine would have SSH access to
>>LOTS of other systems and would probably make any security group very
>>nervous about that machine.
>>
>>If you have the remote systems rsync their data to the ORCA server (e.g.
>>PUSH), then you have lots of other machines with SSH access to ONE
>>system. This generally makes security a /little/ less nervous.
>
>It's true that one of the principles of security is not to put all your
>eggs into one basket. However, the corollary of this is that sometimes
>it's more secure to keep your eggs in one basket *if the basket is
>well-guarded*.
>
>Consider a 2 tier network with a demilitarised (Internet-facing) zone and
>a secure internal zone, separated by a firewall. You don't want to allow
>the hosts on the external zone to have transparent SSH access to an
>internal host (particularly one that contains something as important as
>your performance data). The SSH private key (the important part of the
>pair) would be installed on a host that could be compromised. You could
>use the SSH authorized_keys file to restrict command execution, but your
>firewall would have to allow *all* SSH traffic between those hosts,
>including non-Orca-related connections. And SSH itself has suffered the
>odd vulnerability.
>
>Instead, the internal host must initiate connections to the external ones
>and pull the data down. The point of initiation and the private key are on
>a secure network and, assuming it really is secure, are unlikely to be
>compromised. It's easier to lock down one machine than many.
>
In a DMZ type situation as you have described, I would take your advice
as it is obviously the right thing to do. But many environments I've
worked in, unfortunately, don't always follow this topology. Those
nasty beasts called the "management network" or even "backup network"
always seem to crop up. Two hosters I've done consulting work for
have these two networks in their topology for practically all machines
unless directly specified by the customer to not have them. With this
in mind, I would not put all my eggs in one basket without CAREFUL
consideration - one bad "egg" is all it takes. But I'm splitting hairs ...
In the end what you've highlighted is there are pros and cons for every
network design. The ramifications for every change, VLAN, "allow in" or
"allow out" must be looked at carefully and considered against the
entire security profile of an environment.
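Ade's point above about using authorized_keys to restrict what a pushing host's key may execute is worth seeing concretely. The following is an added example written for this thread, not code from Orca or from either poster. It assumes a wrapper installed at /usr/local/bin/orca-rsync-only on the receiving host, an "orca" account whose authorized_keys references it, and a data directory of /var/orca/data (all hypothetical names). With a forced command, sshd ignores whatever the client asked to run and executes the wrapper instead, passing the original request only in $SSH_ORIGINAL_COMMAND, so the key becomes useless for an interactive shell even if the DMZ host holding it is compromised.

```shell
#!/bin/sh
# orca-rsync-only: forced-command wrapper for an rsync-only SSH key.
# Added example for the thread; hypothetical paths and account names.
#
# Reference it from ~orca/.ssh/authorized_keys on the receiving (Orca) host:
#   command="/usr/local/bin/orca-rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... orca-push@dmzhost
#
# Directory the pushing hosts are confined to (assumed layout).
ALLOWED_PREFIX="${ORCA_DATA_DIR:-/var/orca/data}"

# allow_orca_rsync CMD
# Returns 0 if CMD is the server side of an rsync transfer whose local path
# stays under ALLOWED_PREFIX, 1 otherwise.
allow_orca_rsync() {
    cmd=$1

    # Whitelist the characters rsync's server invocation actually needs.
    # Anything else (; & | $ ( ) < > backquote, quotes, =) is rejected, which
    # also makes the later word-splitting exec safe.
    case "$cmd" in
        *[!A-Za-z0-9_./' '-]*) return 1 ;;
    esac

    # Only rsync in server mode; no scp, no bash -i, no anything else.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Never let rsync spawn a transport or a different rsync binary.
    case "$cmd" in
        *" -e "*|*" --rsh"*|*"--rsync-path"*) return 1 ;;
    esac

    # The last argument is the path on this host; confine it to the prefix
    # and refuse any ".." component that could walk back out of it.
    path=${cmd##* }
    case "$path" in
        "$ALLOWED_PREFIX"/*) ;;
        *) return 1 ;;
    esac
    case "/$path/" in
        */../*) return 1 ;;
    esac
    return 0
}

# When run by sshd as a forced command, enforce the policy, then run the
# original request (safe to word-split: metacharacters were rejected above).
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_orca_rsync "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t orca-rsync-only "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "orca-rsync-only: command rejected" >&2
    exit 1
fi
```

Note that this addresses only the command the key can run; as Ade says, the firewall still has to pass SSH from the DMZ hosts to the internal one, and a flaw in sshd itself is not mitigated by anything in authorized_keys. Keep the no-pty and no-*-forwarding options on the key line, since a forced command alone does not disable port or agent forwarding.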