yet ANOTHER NSClient question

Carroll, Jim P [Contractor] jcarro10 at sprintspectrum.com
Tue Dec 17 00:27:52 CET 2002


We're finally getting around to checking out this option.

On closer inspection, it would seem that NSClient is still somewhat
'exposed'.  More specifically, there's no way to force NSClient to *only*
accept connections from 127.0.0.1.  If this restriction were possible, then
the local stunnel config would accept SSL connections on, say, port 1249,
and redirect to 127.0.0.1:1248, which of course NSClient would happily
accept.

Naturally, one would hope that there are packet filters in place to only
permit traffic on 1249, but we don't have the luxury of making that
assumption.  I'm also told that the built-in filtering software on Win2k
isn't as robust as one would hope.

IPsec isn't an option, because the application in question won't be using it
on the machines that the Win2k box will be communicating with.

So at this point I'm open to suggestion.  Thoughts?

jc

> -----Original Message-----
> From: Mike McClure [mailto:mmcclure at pneservices.com]
> Sent: Monday, November 25, 2002 4:57 PM
> To: Carroll, Jim P [Contractor]
> Cc: nagios
> Subject: Re: [Nagios-users] yet ANOTHER NSClient question
> 
> 
> Hi JC,
> 
> You can certainly lock it down by using stunnel and SSL client
> certificates. There's a Win32 stunnel binary available.  That would
> take care of encryption and authentication.
> 
> I wouldn't recommend using NSClient on an Internet-exposed Windows box
> without at least that protection.  The passwords are sent in cleartext.
> 
> - Mike
> 
> > How secure is NSClient?
> >
> > I was asked this question this morning by the resident NT guru,
> > since we're considering monitoring a few NT boxes which are already
> > 'exposed' to the Wild Wild Net.
> >
> > All I can see is that NSClient has password support, but that pretty
> > much any command (?) can be executed.
> >
> > Any suggestions on locking this down?  Or does this fall under the
> > "I wouldn't recommend it unless you're fond of rebuilding servers"
> > school of thought?
> >
> > jc
> >
> 
> 
> -- 
> Mike McClure, CCIE # 5125, CISSP # 30232
> PNE Services, Inc. -  http://www.pneservices.com
> mmcclure at pneservices.com
> mobile: 913-636-5590
> 
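
The exposure described in this message can be checked from the host's listener table. As an added example (not part of the original thread), the script below parses Windows `netstat -an` output and reports whether the cleartext NSClient port is bound to anything other than 127.0.0.1 and whether a TLS listener is present. The port numbers 1248 and 1249 come from the message; the function names and the sample output are constructed for illustration.

```python
import re

# Ports taken from the message: NSClient's cleartext listener and the
# stunnel TLS front end proposed for it.
NSCLIENT_PORT = 1248
STUNNEL_PORT = 1249
LOOPBACK = "127.0.0.1"

# Matches listening TCP sockets in Windows `netstat -an` output, e.g.
#   TCP    0.0.0.0:1248    0.0.0.0:0    LISTENING
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$")

def listeners(netstat_text):
    """Return {port: set of bind addresses} for every listening TCP socket."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.setdefault(int(m.group(2)), set()).add(m.group(1))
    return found

def audit(netstat_text):
    """Return a list of findings; an empty list means the layout is as intended."""
    ports = listeners(netstat_text)
    findings = []
    if NSCLIENT_PORT not in ports:
        findings.append("NSClient is not listening on %d" % NSCLIENT_PORT)
    # Any bind address other than loopback (0.0.0.0 means every interface)
    # leaves the cleartext protocol reachable without passing through stunnel.
    for addr in sorted(ports.get(NSCLIENT_PORT, ())):
        if addr != LOOPBACK:
            findings.append("cleartext port %d bound to %s" % (NSCLIENT_PORT, addr))
    if STUNNEL_PORT not in ports:
        findings.append("no TLS listener on %d" % STUNNEL_PORT)
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE_EXPOSED = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1248           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1249           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1249          10.0.0.9:40112         ESTABLISHED
"""
SAMPLE_LOOPBACK = SAMPLE_EXPOSED.replace("0.0.0.0:1248", "127.0.0.1:1248")

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("loopback", SAMPLE_LOOPBACK)):
        print(name, audit(text) or "OK")
```

A non-empty result for port 1248 means a packet filter is still the only thing keeping the cleartext listener off the network.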

