[Gllug] DMZ to inside copy

Doug Winter doug at pigeonhold.com
Fri Jan 16 10:26:19 UTC 2004


On Thu 15 Jan Richard Jones wrote:
> scp and the trust relationship is one solution that others have
> already outlined.  However, I have problems creating extra login
> accounts on sensitive machines, and I think you should avoid this if
> at all possible.

I disagree - using accounts to separate responsibilities makes you more
rather than less secure.  You would prefer everyone to log in as root?

Obviously providing a security dependency from one system to another
does cause problems.  It is unfortunate for most of us that we manage
highly secure remote installations from internal office networks
infested with Windows machines that render most of our security suspect.

However, the dependency is a real one - if someone has breached your
internal network, then they can always install keyboard sniffers on your
machine if they want - ultimately the security of our remote systems
really is dependent on the security of our office networks, whether we
like it or not.

> So a question: are the logs themselves very sensitive?  Probably not
> particularly sensitive I would think.  In which case, why not publish
> the logs over HTTP from the DMZ machine using an obscure URL, eg:

Logs are often extremely sensitive because they reveal things you would
rather leave unknown (IP addresses, account names and so forth).

Obscure URLs have a habit of being indexed by Google.

doug.

-- 
6973E2CF print 2C95 66AD 1596 37D2 41FC  609F 76C0 A4EC 6973 E2CF
"The purpose of all war is robbery."
    -- Voltaire
