Author Topic: CS Proxy question  (Read 2772 times)

Offline Gremlin

  • Jr. Member
  • **
  • Posts: 55
  • Karma: 1
CS Proxy question
« on: September 24, 2010, 12:51:36 AM »
With a multisite design..  where we have CS Proxy at the remote site, I assume that all configuration details are kept in CS Proxy sever's cache / memory locally.

a) Does the memory / cache include sensitive data like agent login and password ? Any encryptionon the data kept in the cache / memory for added security ?

b)  Can we determine what data should be cached and what should continue to be pulled from the config database directly ?

Offline Steve

  • Sr. Member
  • ****
  • Posts: 298
  • Karma: 11
Re: CS Proxy question
« Reply #1 on: September 24, 2010, 02:14:25 AM »
Your CS Proxy holds the same data as your main config server. This included usernames and passwords (if you don't use a Radius/LDAP solution).

Data is not pulled from the database directly, except by Config Server and CS Proxy, all other apps get their config from these 2 applications.

Offline Gremlin

  • Jr. Member
  • **
  • Posts: 55
  • Karma: 1
Re: CS Proxy question
« Reply #2 on: September 24, 2010, 10:12:28 AM »
Due to security considerartions, are we able to config such that agentIDs and passwords are not sent to the CS proxy svrs ?

Thus, can agent logins always access the config db directly while cs proxy clients will get all other config details (non-sensitive info) from the cs proxy svrs?

Offline Steve

  • Sr. Member
  • ****
  • Posts: 298
  • Karma: 11
Re: CS Proxy question
« Reply #3 on: September 25, 2010, 12:54:28 AM »
I doubt it.

A CS proxy is a config server, and just like config server it loads everything from the DB when it starts.

Offline René

  • Administrator
  • Hero Member
  • *****
  • Posts: 1783
  • Karma: 57
Re: CS Proxy question
« Reply #4 on: September 26, 2010, 08:34:45 PM »
Hi Gremlin,

As Steve wrote CS Proxy is de facto Configuration Server running in read-only mode and using Configuration Server to retrieve configuration data instead of connection to database. In theory, it's possible to restrict CS Proxy from reading some data like agent's information but in that case agents must connect directly to Configuration Server as CS Proxy would return an error when trying to read non-existing - from Proxy perspective - object.

If you are concerned about security I think connection between CS and CS Proxy can be secured by using TLS.

R.

Offline bublepaw

  • Sr. Member
  • ****
  • Posts: 283
  • Karma: 10
Re: CS Proxy question
« Reply #5 on: September 30, 2010, 08:40:36 AM »
Hi Gremlin,

The whole idea behind CS Proxy is to allow system to function when there is no connection to config server - that is why it must keep copy of all data in it's memory. As Rene mentioned You can turn on TLS encryption to protect data which are sent during startup between CS Proxy and config server. Also You may consider using external authentication to keep passwords in system like active directory. With external authentication whenever user needs to authorize CS Proxy will send request through radius to external system so no password are stored in CS Proxy or config server or database.

Pawel

Offline Benjamin5kelvain

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
Re: CS Proxy question
« Reply #6 on: September 30, 2010, 03:09:12 PM »
since last four days i will use CS Proxy server. it could be not understand properly to me. please help me.
Online searching will definitely help you in choosing the best one for your Ready to assemble kitchen cabinets