Secure network

Jason Martin jhmartin at toger.us
Thu Feb 12 00:11:08 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The fact that the cert was signed by a trusted party doesn't mean that the 
private key hasn't been stolen, just that the key is 'officially' signed by 
someone else. 

For the security portion of it; what you really have to be aware of is the 
security of NRPE. You could put Nagios in a DMZ and have it be only 
allowed to talk to ping / nrpe on the remote hosts. Enable ssl / tcp 
wrappers on the remote hosts and the only thing nagios can do to them is 
what NRPE allows it to do (subject to NRPE exploits of course).  In that 
case you only have to worry about the security of NRPE and the plugins 
that it executes.  It is much simpler to analyze the security of NRPE vs 
Nagios in its entirety.

The other option is to go passive-only and have the secure hosts upload 
their results via nsca, in which case there is no secure-side interaction 
to worry about except for send_nsca, which is even smaller than NRPE. It 
complicates the Nagios config and makes you dependent on secure-side cron 
for plugin execution, but you don't have to trust Nagios not to screw 
things up.

If you are worried about people looking at Nagios and discovering what 
hosts / services are running where, then you just have to secure the 
Nagios box from external attacks as well as the website. No magic there. 
You can use the standard Unix tools for that.

- -Jason Martin



On Wed, 11 Feb 2004, Michael Gale wrote:

> 
> Sorry ... I should have said that our nagios machine is available only on the
> internal network.
> 
> I totally agree with Jeff ... if you have paying customers you should have a
> cert signed by a public trusted CA.
> 
> Michael
> 
> On Wed, 11 Feb 2004 14:20:34 -0600
> jeff vier <jeff.vier at tradingtechnologies.com> wrote:
> 
> > On Wed, 2004-02-11 at 14:02, Michael Gale wrote:
> > > What ? so I have an internal CA ... the web server only trusts this CA. All
> > > clients which require access have to have a cert signed by the CA.
> > > Now you are saying that if someone steals the private key they can sign
> > > certs. If someone has this type of access .. I think that having my stolen
> > > private key would not be the only problem ?
> > 
> > Well, yes.  But you would be surprised at how much is 're-used' after
> > rebuilding a cracked system.
> > 
> > > So how is this different than using a trusted CA ? I am not self signing my
> > > certs. I have a CA set up inside and the web server cert is signed by that
> > > CA.
> > 
> > Because, if I'm a paying client, for instance, and you're housing
> > sensitive information about me and my systems, *I* don't know that your
> > CA cert is 'good'.
> > 
> > > Sure the internal clients have to import a cert signed by it and import the
> > > CA into their browsers.
> > > But once that CA is imported how is it less secure than a Verisign-signed cert ?
> > 
> > If it's purely internal, I don't think it matters as much.  But you
> > didn't say that before :) (and the grandparent post wasn't specific,
> > either - just 'how secure is Nagios?')
> > 
> > > If a web server is only being accessed by a few company employees to view
> > > system status and monitoring. Paying for a cert signed by a "trusted CA" is
> > > not worth it.
> > 
> > Agreed. (if a VPN connection is not an option and the person *has* to
> > see the GUI)
> > 
> > > Why don't we just suggest that nagios only be viewable over a VPN connection
> > > ?
> > 
> > That's what I would recommend, yes.
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFAKra1l2ODWuqVSBMRAqx7AKCXIqBsiLOH+yMJnT1cfH3TqyBIDACcDOB1
xduMsN86D0CYovPzJfyW5a8=
=HL7q
-----END PGP SIGNATURE-----
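The two options Jason describes above (lock NRPE down with allowed_hosts, dont_blame_nrpe and tcp wrappers, or go passive-only with send_nsca from cron) as an added, runnable example. This is not code from the thread or from the Nagios project; it writes the config fragments into a scratch directory you pass in (not /etc), and the poller address 10.0.0.5, the plugin paths and the thresholds are assumptions. The config keys (allowed_hosts, dont_blame_nrpe, command[...]), the tcp wrappers daemon name "nrpe" and the tab-separated send_nsca input format are the real ones.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Scratch directory and Nagios address come from the caller; nothing here
# touches /etc or runs a daemon.

# Write nrpe.cfg, hosts.allow and hosts.deny into directory $1 so that only
# the Nagios poller $2 may connect and only the commands listed here can run.
write_hardened_nrpe_cfg() {
    dir=$1; nagios=$2
    cat > "$dir/nrpe.cfg" <<EOF
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
# only the Nagios poller (and localhost for testing) may connect
allowed_hosts=127.0.0.1,$nagios
# never let the poller supply plugin arguments (no \$ARGn\$ substitution)
dont_blame_nrpe=0
command_timeout=60
# every command line is fixed here; nothing comes from the client
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
EOF
    # tcp wrappers: deny the nrpe daemon to everyone, then allow the poller
    printf 'nrpe: ALL\n' > "$dir/hosts.deny"
    printf 'nrpe: %s\n' "$nagios" > "$dir/hosts.allow"
}

# Audit an existing nrpe.cfg for the settings that widen what the poller can
# do. Prints one FINDING line per problem; returns 0 only when there are none.
audit_nrpe_cfg() {
    cfg=$1; findings=0
    if grep -Eq '^dont_blame_nrpe[[:space:]]*=[[:space:]]*1' "$cfg"; then
        echo "FINDING: dont_blame_nrpe=1 lets the poller choose plugin arguments"
        findings=$((findings + 1))
    fi
    if grep -Eq '^command\[[^]]+\]=.*\$ARG[0-9]+\$' "$cfg"; then
        echo "FINDING: a command takes \$ARGn\$ from the client"
        findings=$((findings + 1))
    fi
    if ! grep -Eq '^allowed_hosts[[:space:]]*=' "$cfg"; then
        echo "FINDING: allowed_hosts is unset; any client may connect"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Passive-only option: build one send_nsca input line for a plugin result.
# Format is host<TAB>service<TAB>return-code<TAB>plugin output, one per line.
# Typical secure-side cron entry (assumed paths):
#   */5 * * * * out=$(/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20); \
#       passive_line web1 Load $? "$out" | /usr/sbin/send_nsca -H 10.0.0.5 -c /etc/send_nsca.cfg
passive_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4"
}
```

To use it interactively: `d=$(mktemp -d); write_hardened_nrpe_cfg "$d" 10.0.0.5; audit_nrpe_cfg "$d/nrpe.cfg"`, then compare the generated files with what you ship to the monitored hosts. The audit is deliberately narrow: it only flags the three settings that turn NRPE from "run this fixed list of plugins" into "run whatever the poller asks", which is exactly the trust boundary the post is about.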


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null