On Thu, 9 Oct 2014 08:15:22 +0000
"C. L. Martinez" <carlopm...@gmail.com> wrote:

> On Thu, Oct 9, 2014 at 7:21 AM, Duncan Patton a Campbell
> <campb...@neotext.ca> wrote:
> > On Tue, 7 Oct 2014 07:08:54 +0000
> > "C. L. Martinez" <carlopm...@gmail.com> wrote:
> >
> >> On Mon, Oct 6, 2014 at 11:52 PM, Duncan Patton a Campbell
> >> <campb...@neotext.ca> wrote:
> >> > The most basic consideration in computer security has nothing to
> >> > do with technology and computers.  Do the people you need to keep
> >> > out of the know need to know enough to come and break legs?
> >> >
> >> > If so, don't bother encrypting.  They may not just break legs.
> >> >
> >> > Dhu
> >> >
> >> > On Mon, 06 Oct 2014 13:48:33 -0600
> >> > chester.t.fi...@hushmail.com wrote:
> >> >
> >> >> Very true, filling your subterranean data server with angry hornets
> >> >> certainly seems like a good idea but it's really not, most AC
> >> >> maintenance contractors will charge you extra (usually per sting!).
> >> >>
> >> >> Chester T. Field
> >> >>
> >> >> And remember when I left all the meat out because I saw Mr. David Lynch 
> >> >> “I’m on TV” do it,
> >> >> and he got on TV from doin’ it, and I did it and didn’t get on TV from 
> >> >> doin’ it?  - Gandhi
> >> >>
> >> >> On 10/6/2014 at 1:37 PM, "Matti Karnaattu" <mkarnaa...@gmail.com> wrote:
> >> >> >
> >> >> >>Yes, my goal is to secure the
> >> >> >>infrastructure as much as possible.
> >> >> >
> >> >> >I don't know details but it sounds overly complex. And complexity
> >> >> >may cause other issues, without any benefit for security.
> >> >> >
> >> >> >Example: you don't have to encrypt your whole hard disk if the hard
> >> >> >disk is located in a guarded bunker. If you do it anyway, it will
> >> >> >increase security in theory, but it may cause a service outage if you
> >> >> >always have to type your crypt password locally when the machine crashes.
> >> >> >
> >> >> >I would put this effort to ease maintainability, ease monitoring,
> >> >> >use stateful firewall, deploy honeypot etc. and avoid complexity.
> >> >>
> >>
> >> Thanks guys for your answers. I know: our IT sec. dept. adds
> >> complexity to our infrastructure, but they are determined to do so.
> >>
> >> Searching via google I found this:
> >>
> >> http://www.safenet-inc.com/data-encryption/
> >>
> >> HSM: hardware security modules ... But there is another problem. If I
> >> would like to use some SSL/TLS or IPSec based solution, how can I
> >> authenticate these servers between them without compromise host
> >> security??
> >>
> >> Any ideas??
> >>
> >>
> >
> > Is "man 8 iked" what you are looking for?
> >
> > Dhu
> 
> Uhmm . .. I don't understand your question Duncan... To use IPsec is a
> possibility.
> 
> 
Possibly 'cause I don't understand yours.  You want to authenticate servers
"without compromise host security" which to me implies the use of something 
like iked, the Internet Key Exchange (IKEv2) daemon,

"which performs mutual authentication and which establishes and maintains 
IPsec flows and security associations (SAs) between the two peers."

You don't need iked to run something like ipsec.  You can exchange the keys 
some different way, like, say, multiple redundant one-time pads and couriers 
(for the truly 'noidal).

Dhu


-- 
Ne obliviscaris, vix ea nostra voco.
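The mutual authentication iked performs, shown as an added example that is not part of the thread above and not taken from the OpenBSD iked(8) or iked.conf(5) pages: an iked.conf for one of two servers that authenticate each other with their own public keys rather than a shared secret, so nothing in the file is a credential that the other host could replay. The host names server-a.example.com and server-b.example.com, the addresses 192.0.2.1 and 192.0.2.2, and the prefixes 10.0.1.0/24 and 10.0.2.0/24 are placeholders.

```conf
# /etc/iked/iked.conf on server-a.example.com (placeholder names/addresses).
#
# Authentication is by raw RSA public key ("rsa", the default):
#   - this host's private key lives in /etc/iked/private/local.key (mode 0600)
#     and its public half in /etc/iked/local.pub;
#   - the peer's public key is installed, out of band, as
#     /etc/iked/pubkeys/fqdn/server-b.example.com, because the peer
#     identifies itself (dstid) with an FQDN.
# No pre-shared secret appears anywhere in this file.
#
# server-b mirrors this policy with local/peer, from/to and srcid/dstid
# swapped, "passive" instead of "active", and
# /etc/iked/pubkeys/fqdn/server-a.example.com holding this host's public key.

ikev2 "to-server-b" active esp \
        from 10.0.1.0/24 to 10.0.2.0/24 \
        local 192.0.2.1 peer 192.0.2.2 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256-gcm \
        srcid server-a.example.com \
        dstid server-b.example.com \
        rsa
```

Because each side checks the other's IKE_AUTH signature against a public key it already holds on disk, an attacker who steals the configuration of one server learns nothing that lets it impersonate the other; the only secret on each host is its own private key, which never leaves that host.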
