NRPE vs. check_by_ssh

[Cian Brennan]

On Wed, Mar 25, 2009 at 06:44:00PM +0000, Christopher McAtackney wrote:
> 2009/3/25 Kevin Keane <subscription at kkeane.com>:
> > I think you are comparing apples and oranges here, because in most
> > situations that I can think of, the decision is dictated by the network
> > topology. If you are exclusively on a trusted private network,
> > check_by_ssh really doesn't offer any benefits. Conversely, if your
> > topology involves the Internet or some other untrusted network (WiFi),
> > then you wouldn't want NRPE in the first place.
> >
> > The only exception to the above that I can think of is when it comes to
> > deciding between using check_by_ssh over an untrusted network, vs. NRPE
> > through some other kind of tunnel or VPN. But in that case, you'd incur
> > encryption overhead either way, and the comparison is very different
> > from the question you asked.
> >
> > All that said: I don't have any first-hand experience, but I suspect
> > that the impact of establishing 2200 ssh connections in a five-minute
> > span (assuming that you are using a five-minute check interval) is
> > pretty substantial. The main impact actually lies in establishing and
> > tearing down the connections, key negotiations etc.; the encryption
> > during the data phase probably has only limited impact because most
> > checks only transmit a few bytes back and forth.
> >
> > SSH does much better with longer-duration connections when the keys are
> > already exchanged. This is even more true if you have a router-based
> > VPN, because in that case the overhead is offloaded to a different machine.
> >
> > So if you have the option of sending the checks as NRPE through one or a
> > few long-term VPNs: you are probably going to be better off. Of course,
> > in the big picture, your mileage may vary.
> 
> Firstly, thanks for the detailed explanation of the issues involved in
> this choice Kevin, it's been very helpful.
> 
> I'm curious though, could you elaborate on why NRPE is unsuitable if
> communication with my remote hosts is going to go via the Internet? Is
> it not sufficient that NRPE uses SSL? This may be more of a network
> security question than a Nagios one, but I've no real experience in
> either area unfortunately, so I appreciate any info you can give here.
> 
> Cheers,
> Chris
> 
NRPE uses SSL, but it doesn't check certificates. As such, someone could spoof
your IP, and run code, and get the results through NRPE. SSH does check
certificates, and relies on a shared secret, making this impossible.

> ------------------------------------------------------------------------------
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null
> 

-- 

-- 

------------------------------------------------------------------------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null