In lists.firewalls you write:
>If anyone out here is using crypto in an automated system,
>I'd like to know how you're doing key management.
X.509 certs. I use SSL as the transport. I use SSLrcp, SSLrdist, etc.
See http://www.quick.com.au/ftp/pub/sjg/
In fact the next release of my user space NFS server also uses SSL for
transport and X.509 certs to authenticate mount requests - I've not
made this one publicly available yet though.
Note I've not (yet) updated SSLrshd etc. to support SSLeay-0.8 (only
released yesterday), which would allow you to compile without any RSA
patented algorithms - handy for U.S. folk :-)
>Anyone got a script like this, or similar distributed redundant
>security subsystems? They're cool.
No, I just snfs mount the filesystems of my bastions on another box
and run tripwire on them. This avoids the problems alluded to by mjr
I think, where tripwire can be fooled if the kernel or libc.so on the
box running tripwire have been tampered with.
--sjg
--
Simon J. Gerraty <sjg@quick.com.au>
#include <disclaimer> /* imagine something _very_ witty here */
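Added example, not code from the original post: a minimal tripwire-style baseline-and-compare in Python, run on the trusted checking box against the directory where the bastion's filesystem is mounted (the mount path, the baseline file location and the sample files are assumptions). Because the hashing runs on the checking box, a tampered kernel or libc on the bastion cannot hide changes from it, which is the point made above; the baseline itself must also live on the checking box, never on the bastion.

```python
"""Out-of-band integrity check: hash a bastion's filesystem that is
mounted (read-only) on a separate trusted box and diff it against a
stored baseline. Illustrative code, not the poster's tools or tripwire."""
import hashlib
import json
import os
import stat
from pathlib import Path


def file_record(path: Path) -> dict:
    """Mode, size and SHA-256 of one file; symlinks record their target.
    lstat() is used so the link itself, not what it points at, is checked."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root: Path) -> dict:
    """Walk the mounted tree (not following symlinked dirs); keys are
    paths relative to the mount point so the baseline is mount-agnostic."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            snap[str(p.relative_to(root))] = file_record(p)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken.
    A same-size trojaned binary still shows up via its hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current)
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(snap: dict, dest: Path) -> None:
    """Store the baseline on the trusted box (assumed path), never on the bastion."""
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())
```

Typical use is `save_baseline(snapshot(Path("/mnt/bastion")), Path("/var/lib/integrity/bastion.json"))` once after a clean install, then `compare(load_baseline(...), snapshot(...))` from cron on the checking box.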