Date:      Tue, 2 Oct 2001 23:03:23 +0200 (CEST)
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        Alexey Koptsevich <alex@astro.su.se>
Cc:        security@FreeBSD.ORG
Subject:   Re: access from monitoring host
Message-ID:  <Pine.BSF.4.21.0110022254010.428-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <Pine.GSO.4.10.10110021523540.18156-100000@dioscuri.astro.su.se>

On Tue, 2 Oct 2001, Alexey Koptsevich wrote:

> 
> Hello,
> 
> There is a discussion about ways of access from centralized monitoring
> host at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html
> 
>  Except for its network traffic, NFS is the least visible method - allowing
>  you to monitor the filesystems on each client box virtually undetected. If
>  your limited-access server is connected to the client boxes through a
>  switch, the NFS method is often the better choice. If your limited-access
>  server is connected to the client boxes through a hub, or through several
>  layers of routing, the NFS method may be too insecure (network-wise) and
>  using ssh may be the better choice even with the audit-trail tracks that
>  ssh lays.
> 
> I do not understand why the access method should be different in cases when
> the monitoring host is behind the switch or connected through the hub?

If your network is connected with a switch then all traffic between hosts
A and B is not visible to any other host; if it is otherwise, all other
hosts on this Ethernet segment can see this traffic. So, if someone on
this segment has bad will, s/he can watch your NFS transfers or even insert
data in your session. The same applies if both hosts are on distant
networks and the traffic goes through multiple untrusted networks.

Generally, the use of unencrypted connections over an untrusted environment
for administrative work and authorization is not acceptable.

Krzysztof

> 
> Thanks,
> Alex
> 
> PS Please cc: me your reply.
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
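
As an added illustration of the hub-versus-switch point in the reply above (not part of the original messages), this Python model shows which frames of a monitor/client exchange reach a third host on the same segment. The host names, port numbers and frame sequence are constructed assumptions, and the model goes slightly beyond the text by including the case where a switch has not yet learned a destination and floods the frame.

```python
# Added example: frame delivery on a hub versus a learning switch.
# Hosts, ports and frames below are constructed for illustration.

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def deliver(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Learns source addresses; floods only when the destination is unknown."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                      # address -> port it was seen on

    def deliver(self, in_port, src, dst):
        self.table[src] = in_port            # learn where the sender lives
        out = self.table.get(dst)
        if out is None:                      # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def frames_seen_by(device, ports, frames, observer):
    """Return the (src, dst) frames that are delivered to observer's port."""
    seen = []
    for src, dst in frames:
        if ports[observer] in device.deliver(ports[src], src, dst):
            seen.append((src, dst))
    return seen


# Constructed sample: two request/reply pairs between monitor and client,
# with "other" as an uninvolved host on the same segment.
PORTS = {"monitor": 1, "client": 2, "other": 3}
FRAMES = [("monitor", "client"), ("client", "monitor")] * 2

if __name__ == "__main__":
    for device in (Hub(PORTS.values()), Switch(PORTS.values())):
        seen = frames_seen_by(device, PORTS, FRAMES, "other")
        print(type(device).__name__, "-> 'other' receives", len(seen),
              "of", len(FRAMES), "frames")
```

In this model the uninvolved host receives every frame on the hub and only the first, flooded frame on the switch, so the payload still needs its own protection on either kind of segment.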





