You are not logged in.

#1 2012-06-14 15:48:53

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,207
Website

network security: SSL / TLS connections or not?

Hi,

Our small office-network is administered by a (very good) self-employed debian dev, and in the last six years I have learned a great deal by reading through configfiles on our server. I have even setup my own (modest) homeserver and am very interested in everything about networking.

Earlier this year there were the SSL-vulnerabilities, so I glanced through our own setup and I think I have found a weakness that I'm not sure of if it is serious or not.

Internal authentication is handled with LDAP / Kerberos, so at this level I see no problems, but connections to f.e. our LDAP-server are not protected with SSL or TLS and thus my question: should this not be mandatory on an office network that (although protected by iptables) allows connections with the internet?

Our server handles next to LDAP / Kerberos also apache, postgresql, imap, smtp, calDAV, NFS, cups etc...

THX!

Offline

#2 2012-06-14 16:06:24

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: network security: SSL / TLS connections or not?

If I understand your explanation correctly, the LDAP server is only used for queries in your internal lan? If this traffic is only between hosts on a trusted segment, then one can potentially argue/understand the choice for plain old LDAP.

However, if you have the resources (knowledge, capability/compatiblity to deploy this correctly onto clients, hardware that can handle it etc etc), encrypted LDAP is always an extra security layer which is usefull to have.


Burninate!

Offline

#3 2012-06-15 07:13:46

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,207
Website

Re: network security: SSL / TLS connections or not?

Our LDAP-server is used to authenticate users (LAN only), but also as an addressbook (LAN only, although exposed through a local web app).

But other services are exposed to the internet: imap, smtp, http, etc. Whenever I need to add a new device (smartphone f.e.), I'm confronted with the setting 'encryption', which has to be left blank for our setup. That's why I have my doubts...

But you seem to find encryption something 'optional' if I understand you completely. So my doubts are probably not warranted. THX for your reply!

Offline

Board footer

Powered by FluxBB