Date:      Tue, 3 May 2011 10:12:48 -0700
From:      Bill Campbell <freebsd@celestial.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: OT: Security question (openssl vs openssh)
Message-ID:  <20110503171248.GB30552@ayn.mi.celestial.com>
In-Reply-To: <4DC00FB5.7080306@msen.com>
References:  <4DC00FB5.7080306@msen.com>

On Tue, May 03, 2011, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive  
> information.  I am trying to figure out which is more secure, forcing  
> any web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more  
> secure than another or if they are close to the same.  I would have  
> initially thought the ssh tunnel was more secure but knowing that ssl  
> can use AES-256, I am now wondering if that isn't adding a complexity  
> for little extra security.

Our solution for critical services like this is to run the
service only on a private LAN segment which is available from the
outside world only through an OpenVPN connection.  The OpenVPN
connection requires unique keys for each client which are easily
revoked if a laptop is lost or stolen or on employee termination.

It also isolates the web service from other external attacks via
insecure PHP scripts and such.

Bill
-- 
INTERNET:   bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

If the personal freedoms guaranteed by the Constitution inhibit the
government's ability to govern the people, we should look to limit those
guarantees.  -- President Bill Clinton, August 12, 1993
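The per-client keys with easy revocation that the reply above relies on are, in OpenVPN terms, per-client X.509 certificates issued by a private CA, with a certificate revocation list (CRL) that the server checks through its `crl-verify` directive. The following shell script is an added example, not code from the post or from the OpenVPN project: it builds a throwaway CA with the `openssl` command-line tool, issues one certificate per client, revokes one client, regenerates the CRL, and shows that verification against CA plus CRL now rejects that client while still accepting the others. The CA name, client names, file layout and configuration values are all constructed for the demo; the only assumption is that an `openssl` binary (1.1 or 3.x) is on the path.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA showing
# per-client certificates and CRL-based revocation, the mechanism behind
# OpenVPN's "crl-verify <crlfile>". Everything below is constructed for the demo.
set -e

# Create a fresh working directory with a CA, an empty database and an
# initial (empty) CRL, so that CRL checking works before any revocation.
setup_ca() {
    WORK="$(mktemp -d)"
    cd "$WORK"
    mkdir -p ca
    : > ca/index.txt          # openssl ca's certificate database
    echo 01 > ca/serial
    echo 01 > ca/crlnumber
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed CA certificate (demo name; no real organization)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config ca/openssl.cnf -subj "/CN=demo-vpn-ca" \
        -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
    openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/crl.pem >/dev/null 2>&1
}

# Issue a unique key pair and certificate for one client device.
issue_client() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -config ca/openssl.cnf \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
    openssl ca -batch -config ca/openssl.cnf -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
}

# Revoke one client's certificate (lost laptop, departed employee) and
# regenerate the CRL that the VPN server would load via crl-verify.
revoke_client() {
    openssl ca -batch -config ca/openssl.cnf -revoke "$1.crt" >/dev/null 2>&1
    openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/crl.pem >/dev/null 2>&1
}

# Returns 0 if the client certificate chains to the CA and is not on the
# CRL, non-zero otherwise; this is the check the server performs at connect.
check_client() {
    openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/crl.pem "$1.crt" >/dev/null 2>&1
}

# Stand-alone demo: two clients, one revoked, then re-check both.
setup_ca
issue_client laptop-alice
issue_client laptop-bob
revoke_client laptop-bob
for c in laptop-alice laptop-bob; do
    if check_client "$c"; then echo "$c: accepted"; else echo "$c: rejected (revoked)"; fi
done
```

On a real server the regenerated `ca/crl.pem` is what `crl-verify` points at, so a revoked laptop is refused at the TLS handshake without touching any other client's credentials; the CRL has an expiry (`default_crl_days` above), so it must be regenerated on a schedule even when nothing new is revoked.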