From: Bill Campbell <bill@celestial.com>
To: freebsd-questions@freebsd.org
Date: Tue, 3 May 2011 10:12:48 -0700
Subject: Re: OT: Security question (openssl vs openssh)
Message-ID: <20110503171248.GB30552@ayn.mi.celestial.com>
In-Reply-To: <4DC00FB5.7080306@msen.com>
References: <4DC00FB5.7080306@msen.com>
Reply-To: freebsd@celestial.com
List-Id: User questions (freebsd-questions@freebsd.org)

On Tue, May 03, 2011, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing
> any web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more
> secure than another or if they are close to the same. I would have
> initially thought the ssh tunnel was more secure but knowing that ssl
> can use AES-256, I am now wondering if that isn't adding a complexity
> for little extra security.

Our solution for critical services like this is to run the service only
on a private LAN segment which is available from the outside world only
through an OpenVPN connection. The OpenVPN connection requires unique
keys for each client which are easily revoked if a laptop is lost or
stolen or on employee termination. It also isolates the web service
from other external attacks via insecure PHP scripts and such.

Bill
--
INTERNET: bill@celestial.com    Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676           Mercer Island, WA 98040-0820
Fax: (206) 232-9186
Skype: jwccsllc (206) 855-5792

If the personal freedoms guaranteed by the Constitution inhibit the
government's ability to govern the people, we should look to limit those
guarantees. -- President Bill Clinton, August 12, 1993
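The per-client-key OpenVPN arrangement Bill describes, as an added example that is not from the original post or from Celestial Software: a server configuration that requires each client to present its own certificate and checks a CRL, so a lost laptop's key can be revoked without touching the others. The file paths, the 10.8.0.0/24 tunnel network and the pf rule in the note are assumptions.

```conf
# /usr/local/etc/openvpn/server.conf (assumed path; illustrative, not the poster's config)
port 1194
proto udp
dev tun

# Server identity, and the private CA that issued every client certificate.
ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key  /usr/local/etc/openvpn/keys/server.key
dh   /usr/local/etc/openvpn/keys/dh.pem

# Address pool handed to tunnel clients (assumed network).
server 10.8.0.0 255.255.255.0

# Each client authenticates with its own certificate; any certificate listed
# in the CRL is rejected. After revoking a client (lost laptop, departure),
# regenerate crl.pem; OpenVPN re-reads it when the next client connects,
# so no restart is needed.
crl-verify /usr/local/etc/openvpn/keys/crl.pem
remote-cert-tls client

# duplicate-cn is deliberately NOT set: one certificate per client means a
# second connection with a copied key displaces the first, which makes
# misuse visible in the log instead of silently sharing one identity.

# Extra HMAC on the TLS control channel; packets without it are dropped early.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
cipher AES-256-CBC

keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
```

To keep the web service reachable only over the tunnel, pair this with a firewall that accepts port 443 solely on the tunnel interface, e.g. a pf.conf line such as `pass in on tun0 proto tcp from 10.8.0.0/24 to port 443` alongside the default block on the public interface.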