From: Krzysztof Zaraska
Date: Tue, 2 Oct 2001 23:03:23 +0200 (CEST)
To: Alexey Koptsevich
Cc: security@FreeBSD.ORG
Subject: Re: access from monitoring host

On Tue, 2 Oct 2001, Alexey Koptsevich wrote:

> Hello,
>
> There is a discussion about ways of access from a centralized monitoring
> host at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html
>
> Except for its network traffic, NFS is the least visible method - allowing
> you to monitor the filesystems on each client box virtually undetected. If
> your limited-access server is connected to the client boxes through a
> switch, the NFS method is often the better choice. If your limited-access
> server is connected to the client boxes through a hub, or through several
> layers of routing, the NFS method may be too insecure (network-wise) and
> using ssh may be the better choice even with the audit-trail tracks that
> ssh lays.
>
> I do not understand why the access method should be different in cases
> when the monitoring host is behind a switch or connected through a hub?
If your network is connected with a switch, then traffic between hosts A and B
is not visible to any other host; otherwise, all other hosts on this Ethernet
segment can see this traffic. So, if someone on this segment has bad will,
s/he can watch your NFS transfers or even insert data into your session. The
same applies if both hosts are on distant networks and the traffic goes
through multiple untrusted networks. Generally, use of unencrypted connections
over an untrusted environment for administrative work and authorization is
not acceptable.

Krzysztof

> Thanks,
> Alex
>
> PS Please cc: me your reply.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message