[stunnel-users] EXTERNAL: Re: Certificates

Jochen Bern Jochen.Bern at LINworks.de
Sat Sep 17 18:21:39 CEST 2011

On 09/16/2011 04:46 PM, Bucci, David G wrote:
> J. Bern - just curious - is syslogging over stunnel less stable for
> some reason, or does it exacerbate the reliability problem mentioned
> in the manpage?  Iow, if you're satisfied with your syslog processing
> today, will layering in stunnel make anything worse?
> Neither RELP nor gssapi auth provide encryption for syslog traffic,
> iirc ... if you're truly worried about snooping on syslog traffic,
> not sure how they would help. Seems to me they're orthogonal issues. No?

Reliability, authentication, secrecy, nonrepudiation, etc. certainly are
"orthogonal" in that one doesn't replace the other. Nonetheless, they
all are part of IT security and whenever someone says the magic words
"we need to secure that", I fully expect *all* these parts to surface in
the ensuing project. :-}

Case in point: If your logging warrants encryption to prevent an
intruder from reading any messages flying by at random (as opposed to
just having a policy that says "all traffic, even if only internal,
needs to be encrypted"), it's very likely that the same intruder keeping
some of these messages from getting to you (attack on reliability) would
be just as bad.

Having said that: I've never run syslog over stunnel and don't know of
any issues in doing so beyond the obvious ones (increased connection
setup time, possibility of unnoticed cert expiry, etc.). I'm merely
following the principle that if you can get a subsystem with the desired
functionality already built in, it's likely to have fewer problems
(technical as well as design) than trying to cobble things together
yourself - and the arena of remote logging protocols has seen *a lot* of
evolution to take your pick from.

(That is, at least as far as multipurpose computers are concerned.
Office grade switches and routers *still* tend to max out at the stone
age UDP-based non-sequence-numbered syslog protocol, for crying out
loud. >:-C )
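The "unnoticed cert expiry" risk raised above is easy to turn into a routine check. The following is an added example, not code from the thread or from the stunnel project: a small POSIX sh script that uses only the openssl CLI to report whether a PEM certificate (for instance the file named by stunnel's `cert` option; the path `/etc/stunnel/stunnel.pem` in the usage line is just a placeholder) expires within a given number of days. It relies on `openssl x509 -checkend` rather than parsing dates with `date`, so it behaves the same on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PEM certificate,
# e.g. the one named by stunnel's "cert" option, expires within N days.
# Requires only the openssl command-line tool.

# cert_readable FILE -> exit 0 if openssl can parse FILE as an X.509 cert
cert_readable() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# cert_expires_within FILE DAYS
#   exit 0 if FILE expires within DAYS days (or has already expired),
#   exit 1 if it stays valid past that window,
#   exit 2 if FILE is not a parseable certificate.
cert_expires_within() {
    cert="$1"
    days="${2:-30}"
    cert_readable "$cert" || return 2
    secs=$((days * 86400))
    # "-checkend SECS" exits 0 when the cert is still valid SECS seconds
    # from now and non-zero when it will have expired by then.
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_expiry_report FILE DAYS -> one status line for a cron job or
# monitoring check; the exit status mirrors cert_expires_within.
cert_expiry_report() {
    cert_expires_within "$1" "${2:-30}"
    rc=$?
    case "$rc" in
        0) echo "WARNING: $1 expires within ${2:-30} days ($(openssl x509 -noout -enddate -in "$1"))" ;;
        1) echo "OK: $1 is valid beyond ${2:-30} days" ;;
        *) echo "ERROR: $1 is not a readable certificate" ;;
    esac
    return "$rc"
}

# Usage (placeholder path): cert_expiry_report /etc/stunnel/stunnel.pem 30
```

Run it from cron against every certificate stunnel loads on both ends of the tunnel and alert on a non-zero exit status; stunnel will refuse the handshake once a certificate has expired, so catching it a few weeks early is what keeps the syslog stream from silently stopping.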

