Disabling encryption for internal network


Disabling encryption for internal network

Dark Empathy
Hi,

Please excuse the simple question, but I am unable to work out what to do
from the man page alone.

What is a way to disable encryption for an internal network, where it is
not required? (Linux to Linux).  Is this possible with perhaps a rsync
server and --remote-schema?

I have a situation where we have data on Raspberry Pi 3s spread over a
private WAN.  Data security, in this particular case, is of zero
importance.  However, I would prefer not to disable encryption on the SSH
server.

Are there any suggestions to run rdiff-backup at maximum speed, no
encryption, on an internal network?

Thank you kindly.

Re: Disabling encryption for internal network

Derek Atkins-2
Are you sure that SSH encryption is actually slowing down the backup?  I
wouldn't think so, as most devices have AES in hardware and SSH is pretty
efficient.  Before you just bypass it, I would test to see if that's
actually the bottleneck.

You could just run raw rdiff vs rdiff-over-ssh to test.  I suspect the
local I/O is the bottleneck and not encryption or network speed.

-derek

On Fri, April 3, 2020 12:18 pm, Dark Empathy wrote:

> Hi,
>
> Please excuse the simple question, but I am unable to work out what to do
> from the man page alone.
>
> What is a way to disable encryption for an internal network, where it is
> not required? (Linux to Linux).  Is this possible with perhaps a rsync
> server and --remote-schema?
>
> I have a situation where we have data on Raspberry Pi 3s spread over a
> private WAN.  Data security, in this particular case, is of zero
> importance.  However, I would prefer not to disable encryption on the SSH
> server.
>
> Are there any suggestions to run rdiff-backup at maximum speed, no
> encryption, on an internal network?
>
> Thank you kindly.
>


--
       Derek Atkins                 617-623-3745
       [hidden email]             www.ihtfp.com
       Computer and Internet Security Consultant



Re: Disabling encryption for internal network

Lew Wolfgang
On a possibly related situation, we have a requirement to move
many terabytes of data from one machine to another in close
proximity.  We were using rsync, but transfers would take many
hours, if not days, even over a 10-GbE Ethernet link.  So we installed
rsh and rsh-server and configured our rsync invocations to use rsh
instead of ssh.  This gave us a bandwidth boost of about 2.5 times.
Yes, we're using jumbo frames too.

Regards,
Lew

On 04/03/2020 09:52 AM, Derek Atkins wrote:

> Are you sure that SSH encryption is actually slowing down the backup?  I
> wouldn't think so, as most devices have AES in hardware and SSH is pretty
> efficient.  Before you just bypass it, I would test to see if that's
> actually the bottleneck.
>
> You could just run raw rdiff vs rdiff-over-ssh to test.  I suspect the
> local I/O is the bottleneck and not encryption or network speed.
>
> -derek
>
> On Fri, April 3, 2020 12:18 pm, Dark Empathy wrote:
>> Hi,
>>
>> Please excuse the simple question, but I am unable to work out what to do
>> from the man page alone.
>>
>> What is a way to disable encryption for an internal network, where it is
>> not required? (Linux to Linux).  Is this possible with perhaps a rsync
>> server and --remote-schema?
>>
>> I have a situation where we have data on Raspberry Pi 3s spread over a
>> private WAN.  Data security, in this particular case, is of zero
>> importance.  However, I would prefer not to disable encryption on the SSH
>> server.
>>
>> Are there any suggestions to run rdiff-backup at maximum speed, no
>> encryption, on an internal network?
>>



Re: Disabling encryption for internal network

Derek Atkins-2
Lew,

On Fri, April 3, 2020 1:30 pm, Lew Wolfgang wrote:
> On a possibly related situation, we have a requirement to move
> many terabytes of data from one machine to another in close
> proximity.  We were using rsync, but transfers would take many
> hours, if not days, even over a 10-GbE Ethernet link.  So we installed
> rsh and rsh-server and configured our rsync invocations to use rsh
> instead of ssh.  This gave us a bandwidth boost of about 2.5 times.
> Yes, we're using jumbo frames too.

Fair enough.  I wouldn't expect commodity AES hardware to be able to
encrypt at 10Gb line speed.  It will saturate 1Gb, but yes, 10Gb the AES
is probably going to be a bottleneck (and IS a bottleneck in your
configuration).

I was assuming OP was on 1Gb and not 10Gb.  They mentioned RPi3 which, last
I checked, is only 1Gb.

-derek

--
       Derek Atkins                 617-623-3745
       [hidden email]             www.ihtfp.com
       Computer and Internet Security Consultant



Re: Disabling encryption for internal network

EricZolf
In reply to this post by Dark Empathy
Hi,

First, I would strictly disagree that any network is safe enough to not
use encryption. If your only security is one firewall, you should assume
that someone will break it at some point in time and then your whole
network would be opened to the enemy. The enemy being possibly a
disgruntled employee. So, don't do this, unless your data and the backup
server (see below) is really worthless, but then why do you back up the
data in the first place?

This said, you're a big boy (or girl) and can make the mistakes you
want, and the principle can be of interest to others for better objectives.

The default remote schema is `ssh -C %s  rdiff-backup --server` and `%s`
will be replaced by whatever you place before the double colon `::` in
the source or target (typically `user@host` but it can be anything,
rdiff-backup doesn't check).

Now, the only important requirement for the resulting command is that it
has encumbered stdin and stdout because this is how rdiff-backup talks
to `rdiff-backup --server` (i.e. anything in between sending messages
like `welcome you're unsecure` would break the communication, unless it
is sent on stderr).

Knowing all this, calling something like `rdiff-backup --remote-schema
'rsh %s rdiff-backup --server' /sourcedir somehost::/targetdir` should
work, assuming same user on source and target. Because rsh doesn't know
about `user@host`, you would need to write your own wrapper script to
split it and make use of the `-l` option on rsh.

It's been so long since I've used rsh though, I can't remember how the login
mechanism works. If the password goes over the line, it's unencrypted,
meaning you've just offered your backup server to any bad person lurking
on your network.

Other insecure commands are rlogin and telnet, don't use them, stick to
SSH or be prepared to be hacked, sooner or later.

KR, Eric

PS: for the others, check the OpenSSL performance of Raspi 3, not good:
https://libre.computer/2018/03/21/raspberry-pi-3-model-b-review-and-comparison/
and Raspi 4 doesn't seem better in this regard...

On 03/04/2020 18:18, Dark Empathy wrote:

> Hi,
>
> Please excuse the simple question, but I am unable to work out what to do
> from the man page alone.
>
> What is a way to disable encryption for an internal network, where it is
> not required? (Linux to Linux).  Is this possible with perhaps a rsync
> server and --remote-schema?
>
> I have a situation where we have data on Raspberry Pi 3s spread over a
> private WAN.  Data security, in this particular case, is of zero
> importance.  However, I would prefer not to disable encryption on the SSH
> server.
>
> Are there any suggestions to run rdiff-backup at maximum speed, no
> encryption, on an internal network?
>
> Thank you kindly.
>
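
The wrapper script mentioned in the message above, which splits `user@host` for rsh's `-l` option, as an added example that is not part of the original thread or of rdiff-backup. The script name, the `RSH_BIN` variable and the allowed character set are assumptions, as is the schema being run through a shell; because rdiff-backup does not check what replaces `%s`, the wrapper validates it and keeps stdout clean for the protocol.

```shell
#!/bin/sh
# rsh-schema.sh (hypothetical name), assumed to be invoked as:
#   rdiff-backup --remote-schema '/path/to/rsh-schema.sh %s' /sourcedir user@somehost::/targetdir
# Nothing may be written to stdout here: it carries the rdiff-backup protocol.

RSH_BIN="${RSH_BIN:-rsh}"   # overridable for dry runs (assumed variable name)

# split_target SPEC -> prints "user host" ("-" stands for "no user given").
# Returns 1 for empty parts, a leading "-" (would be parsed as an option)
# or any character outside a conservative user/host set.
split_target() {
    spec=$1
    case $spec in
        *@*) user=${spec%%@*}; host=${spec#*@}
             case $user in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac ;;
        *)   user=-; host=$spec ;;
    esac
    case $host in ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
    printf '%s %s\n' "$user" "$host"
}

# build_command SPEC -> prints the command line the wrapper will exec.
build_command() {
    parts=$(split_target "$1") || return 1
    user=${parts%% *}; host=${parts#* }
    if [ "$user" = "-" ]; then
        printf '%s %s rdiff-backup --server\n' "$RSH_BIN" "$host"
    else
        printf '%s -l %s %s rdiff-backup --server\n' "$RSH_BIN" "$user" "$host"
    fi
}

# Run only when a target was passed, i.e. when called through --remote-schema.
if [ $# -gt 0 ]; then
    cmd=$(build_command "$1") || {
        echo "rsh-schema: refusing target '$1'" >&2   # stderr only
        exit 2
    }
    # Safe to word-split: every field was checked against the sets above.
    exec $cmd
fi
```

Setting `RSH_BIN=echo` prints the command that would be run, which is a quick way to check the split before pointing a backup at it.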