Assuming we get approval for Medium Risk, I expect some changes would be needed in endpoint configuration. Just off-hand, I can think of the following:
* Require at least TLS 1.1 (in grid-security configuration)
* Log all transfers (in GridFTP configuration)
* Disable the RSA ciphers (in grid-security configuration), for forward-secrecy. For example, consider the cipher string `DHE:ECDHE:!LOW:!MEDIUM`. This cannot be done until GridFTP and MyProxy are updated to enable DH/DHE ciphers. See Globus Support request #309315.
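An added example, not part of the original issue or of the Globus tooling: one way to audit a candidate cipher string such as the one proposed above before putting it into an endpoint's configuration. It uses Python's standard `ssl` module, so the result reflects the OpenSSL build on the machine where it runs; the helper names are hypothetical.

```python
import ssl

# Key-exchange labels, as reported by Python's ssl module, that use ephemeral
# keys. TLS 1.3 suites are reported as "kx-any" and are listed no matter what
# cipher string is set; certificate-authenticated TLS 1.3 always uses (EC)DHE.
FORWARD_SECRET_KX = {"kx-dhe", "kx-ecdhe", "kx-any"}


def is_forward_secret(suite):
    """suite is one dict from SSLContext.get_ciphers()."""
    return suite.get("kea") in FORWARD_SECRET_KX


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def non_forward_secret(cipher_string):
    """Names of enabled suites whose key exchange is not ephemeral."""
    return [s["name"] for s in expand(cipher_string) if not is_forward_secret(s)]


if __name__ == "__main__":
    # The string from the issue, next to a broader one for comparison.
    for candidate in ("DHE:ECDHE:!LOW:!MEDIUM", "HIGH"):
        try:
            bad = non_forward_secret(candidate)
        except ssl.SSLError as exc:
            print(f"{candidate}: rejected by OpenSSL ({exc})")
            continue
        if bad:
            print(f"{candidate}: {len(bad)} suite(s) without forward secrecy")
            for name in bad:
                print(f"    {name}")
        else:
            print(f"{candidate}: every enabled suite is forward-secret")
```
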
We don't need anyone's approval for medium risk. If we meet the technical controls on our side, that is sufficient. This is not something that we would take to ISO at all. If the collective RC sys admins agree and recommend to me that these endpoint configuration changes MUST be made, then they will be. We do not need to make this more complicated.
________________________________
From: A. Karl Kornel <notifications@github.com>
Sent: Friday, April 6, 2018 1:12:05 PM
To: stanford-rc/globus.stanford.edu
Cc: Subscribed
Subject: [stanford-rc/globus.stanford.edu] Future content: Server: Medium-Risk Configuration (#7)
Assuming we get approval for Medium Risk, I expect some changes would be needed in endpoint configuration. Just off-hand, I can think of the following:
* Require at least TLS 1.1 (in grid-security configuration)
* Log all transfers (in GridFTP configuration)
* Disable the RSA ciphers (in grid-security configuration), for forward-secrecy. For example, consider the cipher string DHE:ECDHE:!LOW:!MEDIUM. This cannot be done until GridFTP and MyProxy are updated to enable DH/DHE ciphers. See Globus Support request #309315.
I've reviewed all of the pages, and I think all of the Medium Risk requirements are addressed, except for backup & restore. That one is covered by #8, so I think this is OK to close!