[Fusioninventory-user] DMZ deployment options

Guillaume Rousse guillomovitch at gmail.com
Tue Nov 6 18:27:57 UTC 2012


On 31/10/2012 17:12, Benjamin Huntsman wrote:
>> I fail to see any security advantage in OCS. Especially after reading their source code.
>
> So you're arguing that it'd be more secure to have the entire GLPI web application in a DMZ, than to have an OCS Communication Server in the DMZ that only accepts Agent inventories, and keeping all the OCS and GLPI DB's (and application front-ends) on the internal network?
It's a bit difficult to measure security objectively. Especially without 
any kind of security threat model: what are you trying to protect, 
against what?

You can consider the following setup:
1) "all my DMZ servers can initiate HTTPS connections to my GLPI server"
2) "my DMZ GLPI relay server can initiate MySQL connections to my GLPI 
server"
3) "my DMZ OCS relay server can accept incoming MySQL connections from 
my GLPI server"

I can't consider that any of those scenarios is directly more or less 
secure than the others, but 1) is obviously way simpler than 2) and 3), and 
2) is also simpler than 3), because you have one less codebase to 
manage. And if you consider that simplicity also helps auditing and 
monitoring, then 1) is also more robust.

>  Even with SSL certificates in use?
SSL just protects you against man-in-the-middle attacks and sniffing, 
not against software development issues, such as SQL injections or 
buffer overflows. Unless you consider your server inventories as 
confidential, you won't gain much using secure connections.

-- 
BOFH excuse #303:

fractal radiation jamming the backbone