Files included in Group Config Encrypted?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Files included in Group Config Encrypted?

K Post
Just noticed this:
Oct-20-16 20:52:17 Info: file c:/ASSP/IP-Lists/IPS-gmail.com.cfg is now
stored encrypted, because it is used in secured config Groups

We programatically generate several lists in IP-Lists that are used in
group definitions.  It looks like they become re-encrypted after updating,
so if we were going to use them elsewhere, we wouldn't be able to.  That's
okay, we can change the code that creates this lists.

I do have little questions though:

1) When did encryption of external configuration files become the norm?  I
hadn't noticed this before.

2) Is there a way to disable this option?

3) Curious, what's the point of encrypting these files?  if someone has
access to the ASSP machine or file structure, encryption of these files
won't do much of anything would it?  (change PW in ASSP.cfg and look at
admin UI to see what's in the group file).

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Reply | Threaded
Open this post in threaded view
|

Re: Files included in Group Config Encrypted?

Thomas Eckardt/eck
>so if we were going to use them elsewhere, we wouldn't be able to

No - even such a encrypted file is also used in an unsecured config
parameter, assp will know that and will decrypt the content.

>1) When did encryption of external configuration files become the norm? I
hadn't noticed this before.

What are 'external configuration files'?
There was never a V2 released without encrypted config parameters!

>2) Is there a way to disable this option?

No.
Why?

>3) Curious, what's the point of encrypting these files?  if someone has
access to the ASSP machine or file structure, encryption of these files
won't do much of anything would it?.

Encryped are all config parameters (and used files), if they may contain
passwords.
Encrypted config parameters are only visible to 'root' in the GUI

>(change PW in ASSP.cfg and look at
admin UI to see what's in the group file)

Changing 'webAdminPassword' outside the GUI or SNMP will destroy all
encrypted config parameters , hashes and database tables.


Thomas



Von:    K Post <[hidden email]>
An:     ASSP development mailing list <[hidden email]>
Datum:  21.10.2016 03:12
Betreff:        [Assp-test] Files included in Group Config Encrypted?



Just noticed this:
Oct-20-16 20:52:17 Info: file c:/ASSP/IP-Lists/IPS-gmail.com.cfg is now
stored encrypted, because it is used in secured config Groups

We programatically generate several lists in IP-Lists that are used in
group definitions.  It looks like they become re-encrypted after updating,
so if we were going to use them elsewhere, we wouldn't be able to.  That's
okay, we can change the code that creates this lists.

I do have little questions though:

1) When did encryption of external configuration files become the norm?  I
hadn't noticed this before.

2) Is there a way to disable this option?

3) Curious, what's the point of encrypting these files?  if someone has
access to the ASSP machine or file structure, encryption of these files
won't do much of anything would it?  (change PW in ASSP.cfg and look at
admin UI to see what's in the group file).
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Reply | Threaded
Open this post in threaded view
|

Re: Files included in Group Config Encrypted?

K Post
In reply to this post by K Post
Sorry for my delayed reply (managed only to see your reply on the Sourceforge archives since they don't do SRS and Gmail is now rejecting your messages sent through them).

I'm also sorry that I wasn't more clear in my request.  In my Groups definition, I include external files like this:

[GROUP-CONSTANTCONTACT-IPS]
# include IP-Lists/IPS-constantcontact.com.cfg

For this example, the file IPS-constantcontact.com.cfg gets updated by a little script that queries the IP's that constant contact uses, by doing a recursive search of this provider's SPF record.  It just puts the IP's in a text file, ASSP detects the change, and uses them. GREAT and works nicely for me.    Now I'm noticing though that ASSP is also encrypted by ASSP after loading them.   Maybe it's always done this, but I've never noticed this before the other day.

If this file were to be needed elsewhere, that would be a problem - of course we could have the program that generates the file generate two, one for assp that will be encrypted, the other for use by whatever other program needs it.

I'm asking more out of curiosity than practicality at this point, but I want to understand as much as possible.

I take security VERY seriously, but at the same time know that encrypted config files can cause problem if you've got a disaster recovery situation that you need to undertake.  I like the idea of encryption in concept, but if we're dealing with config files that are only accessible via a compromised machine, we'd have bigger problems if they became accessible...  No?


 
>so if we were going to use them elsewhere, we wouldn't be able to

No - even such a encrypted file is also used in an unsecured config 
parameter, assp will know that and will decrypt the content.

>1) When did encryption of external configuration files become the norm? I
hadn't noticed this before.

What are 'external configuration files'?
There was never a V2 released without encrypted config parameters!

>2) Is there a way to disable this option?

No.
Why?

>3) Curious, what's the point of encrypting these files?  if someone has
access to the ASSP machine or file structure, encryption of these files
won't do much of anything would it?.

Encryped are all config parameters (and used files), if they may contain 
passwords.
Encrypted config parameters are only visible to 'root' in the GUI

>(change PW in ASSP.cfg and look at
admin UI to see what's in the group file)

Changing 'webAdminPassword' outside the GUI or SNMP will destroy all 
encrypted config parameters , hashes and database tables.


Thomas

On Thu, Oct 20, 2016 at 9:11 PM, K Post <[hidden email]> wrote:
Just noticed this:
Oct-20-16 20:52:17 Info: file c:/ASSP/IP-Lists/IPS-gmail.com.cfg is now stored encrypted, because it is used in secured config Groups

We programatically generate several lists in IP-Lists that are used in group definitions.  It looks like they become re-encrypted after updating, so if we were going to use them elsewhere, we wouldn't be able to.  That's okay, we can change the code that creates this lists.

I do have little questions though:

1) When did encryption of external configuration files become the norm?  I hadn't noticed this before.

2) Is there a way to disable this option?

3) Curious, what's the point of encrypting these files?  if someone has access to the ASSP machine or file structure, encryption of these files won't do much of anything would it?  (change PW in ASSP.cfg and look at admin UI to see what's in the group file).


------------------------------------------------------------------------------
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test