TLS support for argus and argus-clients

Carter Bullard carter at qosient.com
Tue Feb 5 13:23:25 EST 2013


Gentle people,
There are a few requests to provide TLS authentication and confidentiality protection for
argus data on the wire, in addition to the SASL support we currently provide.

I'm looking into the effort now and would like to get your opinions on this feature.
Using your SSL certificates seems like a good thing, and getting around the complexities
of SASL account creation, mechanisms etc… sounds like a good thing, but the SASL
stuff does work, so, …. extend security capabilities,  not replace, seems like a good thing.

Currently, security protection for argus data in transit is provided by SASLv2.
You have to configure it at compile time for argus, the clients get it by default.

You configure the argus data source to set a protection policy, by setting the
various MIN_SSF and MAX_SSF values in the configuration file.  This applies to
argus and radium  These are pretty cryptic SASL configurations that set the minimum
and maximum level of protection.  We have command line support to specify
particular SASL mechanisms for the clients ( -M saslmech="mech" ).

If MIN_SSF is not zero, then argus / radium will tell attaching clients that a
security association must be created.  Clients can declare that they need security,
if their RA_MIN_SSF is non-zero.  The source and clients negotiate things, and
if they can create an association, then all is well.  SASL handles the establishment,
providing things like "Password: " prompts to get you through, if necessary.

To add TLS to this mix, we need to provide ./configure support to load TLS at
compile time, we'll need data sources and client configuration support to chose TLS,
SASL or none.  We need to add TLS as an option to the argus transport protocol, and
we'll need to provide some guidance on certificates, etc…..

Seems like a bit of work, but I can see a good reason to do it.
Are there opinions on this?  Anyone added this type of support to their applications?
Suggestions for configuration?  Do other packages provide this level of options?
Please send suggestions / opinions / ideas / flames / concerns to the list or to me.

Hope all is most excellent,

Carter 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130205/193fba04/attachment.bin>


More information about the argus mailing list