On Tue, Jun 15, 2010 at 06:00, paddy joesoap <paddyjoesoap@xxxxxxxxx> wrote:
> In securing XMPP (Jabber, IM) servers, what role does an iptables
> firewall play in practice.

Not a big role in and of itself if by server you mean the process that
accepts connections from clients.

> The XMPP community tend to think of TLS communication channels only

That's an overstatement.

> I'd imagine that some enterprises want to inspect at the firewall (or
> ...
> with IM conversations is blocked. In such scenarios, is it best
> practice to remove the TLS option and thereby losing some proof of
> identity (certificates) in favour of deep packet inspection?

Another option is for that enterprise to maintain a malicious root
certificate internally with which to generate spoofed domain certs on
the fly. This has been done for https already in several products.
Whether this practice, or outright banning of encrypted outbound
connections, is 'best practice' is a matter of opinion. I would say no.

> Are there scenarios where an enterprise that is geographically spread
> who use VPN's such that they do not require TLS encryption on the XMPP

How large does an enterprise need to be before the risk of malicious
interception within its own network is as reasonable as on the public
internet? I don't take for granted that my physical LAN is inherently
secure. End to end encryption will only become more popular. I was
hoping for it to be managed by the kernels of the endpoints and happen
in the form of automatic IPsec, but running TLS in the client/server
software has proven more attractive to most people.

> While XMPP servers such as Openfire have TLS functionality end-to-end,
> are these used in practice by security administrators or is some of
> the communication desired in the clear for DPI.

My vote goes to end to end, untainted TLS. Run selinux/apparmor/grsec on
the server if you understand essential server daemons can have bugs.

> While I understand that layer 7 filtering should really be left to
> application specific filters, iptables has some functionality with its

I'd still leave the filtering to an IDS, and let the IDS add rules to
the firewall in real time.
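The closing suggestion, an IDS that pushes block rules into the firewall as alerts arrive, can be sketched as a small glue script. The following is an added example written for this page, not code from the list author or from any IDS project. It assumes a constructed Snort-style "fast alert" line format (the sample lines and signature ids 9000001/9000002 are made up for the example), that the XMPP server listens on TCP 5222 (client) and 5269 (server-to-server), and that `iptables` on the host is the firewall being managed. Only alerts at or above a chosen priority produce rules, each offending source is blocked once, and matching delete rules are generated so the block can be lifted later rather than accumulating forever.

```python
"""Turn IDS alerts into iptables DROP rules for an XMPP host (hypothetical example)."""
import re
import shlex
import subprocess
from collections import OrderedDict

# Constructed sample alerts, loosely modelled on a Snort fast-alert line.
# The sids, messages and addresses are invented for this example.
SAMPLE_ALERTS = [
    "06/15-06:00:01.000000 [**] [1:9000001:1] XMPP auth brute force [**] "
    "[Priority: 1] {TCP} 203.0.113.7:40112 -> 192.0.2.10:5222",
    "06/15-06:00:02.000000 [**] [1:9000001:1] XMPP auth brute force [**] "
    "[Priority: 1] {TCP} 203.0.113.7:40113 -> 192.0.2.10:5222",
    "06/15-06:00:03.000000 [**] [1:9000002:1] Info: s2s dialback seen [**] "
    "[Priority: 3] {TCP} 198.51.100.4:5269 -> 192.0.2.10:5269",
    "garbage line that does not parse",
]

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Refuse anything that is not a plain dotted quad; it goes into a shell
    # command later, so be strict about what is accepted.
    if not IPV4_RE.match(d["src"]):
        return None
    return {
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "prio": int(d["prio"]),
        "proto": d["proto"].lower(),
        "src": d["src"],
        "dport": int(d["dport"]),
    }


def block_rules(lines, max_priority=1):
    """Build one iptables argv per offending source for alerts at or above
    max_priority (Snort-style: 1 is the most severe). Duplicate sources are
    collapsed so a noisy attacker yields a single rule."""
    seen = OrderedDict()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority or a["src"] in seen:
            continue
        seen[a["src"]] = [
            "iptables", "-I", "INPUT",
            "-s", a["src"], "-p", a["proto"], "--dport", str(a["dport"]),
            "-m", "comment", "--comment", "ids sid %d" % a["sid"],
            "-j", "DROP",
        ]
    return list(seen.values())


def release_rules(rules):
    """The same rules with -I swapped for -D, for lifting the block later."""
    return [["iptables", "-D"] + r[3:] for r in rules]


def apply_rules(rules, dry_run=True):
    """Run the rules, or (dry run) return them as shell-quoted command lines."""
    rendered = [" ".join(shlex.quote(x) for x in argv) for argv in rules]
    if not dry_run:
        for argv in rules:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    rules = block_rules(SAMPLE_ALERTS)
    for cmd in apply_rules(rules):
        print(cmd)
    for cmd in apply_rules(release_rules(rules)):
        print(cmd)
```

Feeding `block_rules` from a file object on the live alert log (the equivalent of `tail -f`) instead of `SAMPLE_ALERTS` is what makes it "real time"; keeping the generated `-D` rules around, keyed by source, is what lets a cron job or timer expire the blocks so a spoofed or shared address is not locked out permanently.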