Is not using encryption dangerous?
I've tried twice now to enable encrypted communications between dagent clients and the deployment server.
The first time occurred when I upgraded our ds9 server to ds9 sp1 and all the XP clients went to dagent. This ground the server to a halt, both cpus pegged at 100%. I had to downgrade to 6.9.
Now with our brand new 6.9 sp3 virtual server I've found myself in the same predicament. Everything is working great except for encryption. If I enable encrypted communications between dagent clients and the server, both cpus peg at 100%. Without encrypted communications everything is fine. I've never had this problem with Aclient.
I realize that with unencrypted communication remote control sessions and the contents of scripts and packages will be passed unencrypted across the network. I'm not as concerned about this as I am about jobs running as other users passing unencrypted credentials across the network. Most of my software deployment jobs run in a specific domain user context. When you create a job in Altiris, to run a job like this, you have to provide the username and password. Does this information get passed across the network in plain text?
Comments
wireshark
Hi,
You can use Wireshark to look at what data is sent across the network.
It's a free network protocol analyzer that can be found at www.wireshark.org
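A capture can also be checked mechanically for a known test credential. The following is an added example, not part of the original thread and not Altiris code: it assumes the capture was saved in classic pcap format (not pcapng), and the function names and sample payloads are constructed for illustration.

```python
import base64
import struct


def iter_frames(pcap):
    """Yield (index, frame bytes) from a classic libpcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    offset, index = 24, 0
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # capture was cut off mid-packet
        yield index, frame
        offset += 16 + incl_len
        index += 1


def find_secret(pcap, secret):
    """Return (frame index, encoding) for every readable occurrence."""
    raw = secret.encode("utf-8")
    needles = {
        "utf-8": raw,
        "utf-16-le": secret.encode("utf-16-le"),  # common in Windows software
        "base64": base64.b64encode(raw),  # only when encoded as a standalone value
    }
    return [(i, name) for i, frame in iter_frames(pcap)
            for name, needle in needles.items() if needle in frame]


def build_sample_pcap(payloads):
    """Constructed capture: link type 147 (DLT_USER0), frames are bare payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out


# Constructed sample traffic, not real DAgent protocol data.
SAMPLE = build_sample_pcap([
    b"job=install user=EXAMPLE\\svc_deploy",
    b"pw=" + "Constructed-Pw1".encode("utf-16-le"),
    b"\x17\x03\x01\x00\x20" + bytes(range(32)),
])

if __name__ == "__main__":
    print(find_secret(SAMPLE, "Constructed-Pw1"))
```

An empty result only rules out these three encodings; it does not show that the value is cryptographically protected on the wire.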
Passwords are not passed over in plain text, even in unencrypted sessions.
Personally, I prefer not to encrypt (where possible) the agent communications. The information being passed is not sensitive (unless you consider a software/service inventory sensitive), and it's done over a TCP session (not broadcast).
It's a mad world though. I've seen administrators forced to encrypt AClient/DAgent comms in environments where highly sensitive HR files are placed on fileservers which do not support any encryption whatsoever when accessed across the network. I feel my horse preparing to get into a good gallop, so I'll stop now ;-)
Ian Atkin, Senior Developer for the ICT Support Team, Oxford University, UK
Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads
ianatkin:
That's what I figured, and for our environment software and service inventory are rarely sensitive. You do have a great point about sensitive fileshares :D
I am still a bit disappointed that I can't even enable encryption without killing the server, but I guess it's not really a big issue. I'm just surprised that it seems as if no one else is having this same problem. Or maybe use of encryption for agents is fairly rare.
Encryption will always introduce an extra overhead on the server. Somewhere there is a document about the overhead on NS of forcing encryption on agent comms (HTTPS vs HTTP) and the impact is significant.
So, servers must be spec'd with encryption in mind at the start, rather than adding this feature on as an afterthought.
Having said that, it's still possible that something is amiss in your environment which is forcing encryption to overrun the CPU. You could try enabling it on a few clients at a time and scale up to get an idea of CPU vs Client Count scaling.
Kind Regards,
Ian./