[EXTERNAL] Re: Flow collection and analysis

Eric Kuhnke eric.kuhnke at gmail.com
Fri Jan 28 02:26:24 UTC 2022


Not at all, what I'm recommending is that people who develop something that
is specialized (like netflow analysis software) don't need to expend the
person-hours and extensive development time to implement something that has
already been better implemented by people who are httpd specialists.

The amount of possible design complexities and security risks that go into
shipping a 'stable' version of apache2 or nginx are beyond the scope of any
small to medium sized non-httpd-related open source software project. Let
the apache2 or nginx developers handle that.

It's like saying that because a piece of software communicates with
something externally by SMTP, either inbound or outbound email or both,
some software developer should take the time to re-implement and write from
scratch their own SMTP, rather than relaying mail via a postfix daemon
running on the same server.

Or because you have a piece of software that queries something over SNMP,
don't use the perfectly good ISC SNMP packages that exist for centos or
debian to issue snmpgets, but write from scratch your own snmp poller.

On Wed, 26 Jan 2022 at 07:34, Mel Beckman <mel at beckman.org> wrote:

> People who advocate TLS lash-ups like nginx front ends remind me of Mr.
> Bean's DIY automobile security, which started with a screwed-on metal hasp
> and padlock, and then continued to a range of additional “layers”. Not
> “defense-in-depth”, merely unwarranted “complexity-in-depth”:
>
> https://youtu.be/CCl_KxGLgOA
>
> TLS is a standardized, fully open-source package that can be integrated
> into even tiny IoT devices (witness this $10 WiFi module
> https://www.adafruit.com/product/4201). The argument that people who
> want intrinsically secure products can just bolt on their own security
> misses the point entirely. Every web-enabled product should be required to
> implement TLS and then let customers decide when they want to enable it.
> Vendors who are so weak that they can’t should have their products go
> straight into /dev/null.
>
> -mel via cell
>
> On Jan 26, 2022, at 6:51 AM, heasley <heas at shrubbery.net> wrote:
>
> Wed, Jan 26, 2022 at 07:21:19AM -0600, Mike Hammett:
>
> Why is it [TLS] even necessary for such a function?
>
>
> confidentiality and integrity, even if you do not care about
> authentication.
> I am surprised that question is asked.
>
> The fewer things that are left unprotected, the better for everyone. Those
> with concern about erosion of their privacy and human rights benefit from
> everything being protected, everywhere for everyone.
>
>
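The arrangement Eric is arguing for, as an added example that is not part of the thread and is not taken from nginx, apache2 or any netflow project: an nginx server block that terminates TLS and hands plain HTTP to a specialised web UI listening only on loopback. The hostname flows.example.net, the backend port 8080 and the certificate paths under /etc/nginx/tls/ are placeholders chosen for the example.

```nginx
# Added example (not from the thread): nginx as the TLS front end for a
# specialised web UI. Assumptions: the backend listens only on
# 127.0.0.1:8080, the hostname is flows.example.net, and the certificate
# files under /etc/nginx/tls/ are placeholders.

# Plain HTTP exists only to redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name flows.example.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name flows.example.net;

    ssl_certificate     /etc/nginx/tls/flows.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/flows.example.net.key;

    # Only current protocol versions; for TLS 1.2 let the client choose
    # from the server's list (TLS 1.3 suites are fixed by the TLS library).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Resumption through a shared cache; tickets off so a long-lived
    # ticket key cannot undermine forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling spares clients a side request to the CA.
    ssl_stapling on;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Tell the backend who the real client is and that the
        # original request arrived over HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy only protects anything if the backend is genuinely unreachable except through it: bind the application to 127.0.0.1 (or firewall its port) and confirm with `ss -ltn` that nothing else listens on a routable address. `nginx -t` validates the configuration before reload, and `openssl s_client -connect flows.example.net:443 -tls1_1` should fail the handshake, confirming the protocol floor is in effect.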