Will ssh tunnelling be a simpler way to solve my link encryption issue rather than stunnel?
We have an encryption issue from a vendor's mid-tier to an Oracle database. We can use encrypted database connections and have done for 90% of cases.
Our security team has advised us that since this connection goes over a link, everything needs to be secure.
One database client is a proprietary vendor mid-tier for whom we have asked to upgrade with encrypted SSL JDBC links, and they have advised us the timeline for this is two years. We need to have a security solution in a shorter timeframe.
Our security team advised us that stunnel might be a potential solution to this problem. This requires setting up a server, keys on the server and a client.
We already run an ssh server on the box that the Oracle database is running on, with keys for users set up.
It seems to me that stunnel duplicates the pattern of ssh.
- server - stunnel server vs ssh server
- server key setup - stunnel key setup vs openssh users setting their keys on the server
- client - Using an ssh client vs using a stunnel client
Stunnel might be useful in cases where you're not already running an openssh server, or where you want a different key management system.
Now I might be missing something in my analysis. There might be a feature of stunnel that I need that I can't see.
My question is: Will ssh tunnelling be a simpler way to solve my link encryption issue rather than stunnel?
EDIT
- This link is already inside a secure network. It is not public. But it is financial services - where the threat model involves hard shell, soft core analysis. It's not good enough to have an insecure link inside a secure network - because you don't trust the inside of your network.
ssh-tunnel stunnel
edited Jan 26 '18 at 0:19
Hawkeye
asked Jan 13 '18 at 11:15
Hawkeye
Is your Oracle database a RAC?
– Lacek
May 31 at 14:03
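The two setups compared in the question, side by side, as an added example that is not part of the original question or answer. The host name `db.example.internal`, the account `oratunnel`, all file paths, the TLS port 2484 and the key placeholder are assumptions made for illustration; 1521 is the default Oracle listener port.

```conf
# ---- Option A: OpenSSH local forward (reuses the existing sshd) ----------
# DB host, ~oratunnel/.ssh/authorized_keys (a single line; key is a placeholder).
# "restrict" turns off PTY, agent, X11 and port forwarding; "port-forwarding"
# plus "permitopen" re-enable only the forward to the local listener, and
# "command=" stops the key from being used to run anything on the host.
restrict,port-forwarding,permitopen="127.0.0.1:1521",command="/bin/false" ssh-ed25519 AAAA_PLACEHOLDER_KEY midtier-tunnel

# Mid-tier host, ~/.ssh/config. Start with: ssh -N oracle-tunnel
# (run it under a service supervisor so it is restarted if it drops).
Host oracle-tunnel
    HostName db.example.internal
    User oratunnel
    IdentityFile ~/.ssh/oratunnel_ed25519
    LocalForward 127.0.0.1:1521 127.0.0.1:1521
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3

# ---- Option B: stunnel (TLS with certificates on both ends) --------------
; DB host, stunnel.conf: accept TLS on 2484, pass plaintext to the listener.
; verifyChain with CAfile means only clients holding a cert from this CA connect.
[oracle]
accept = 2484
connect = 127.0.0.1:1521
cert = /etc/stunnel/db.pem
key = /etc/stunnel/db.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes

; Mid-tier host, stunnel.conf: accept plaintext on loopback, send TLS to the DB host.
; checkHost pins the server certificate to the expected host name.
[oracle]
client = yes
accept = 127.0.0.1:1521
connect = db.example.internal:2484
cert = /etc/stunnel/midtier.pem
key = /etc/stunnel/midtier.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = db.example.internal
```

In both options the mid-tier's JDBC URL points at 127.0.0.1:1521 instead of the database host. The plaintext listener on the database host also has to be unreachable from the network (bound to loopback or firewalled), otherwise the tunnel is optional rather than enforced.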
1 Answer
I would just create an IPSec connection between the two systems and not worry about ssh/stunnel.
Today I would consider using WireGuard. It's much simpler to set up and work with.
edited May 31 at 5:49
answered Jan 13 '18 at 12:35
Iain
Thanks - that's helpful - I'll update the question to clarify.
– Hawkeye
Jan 15 '18 at 8:33
IPSec is probably still the answer.
– Iain
Jan 15 '18 at 11:42
Thanks - could you provide reasons as to why this is better?
– Hawkeye
Jan 15 '18 at 19:26
1
Thanks - what are the benefits over stunnel or ssh ?
– Hawkeye
Jan 15 '18 at 22:34
2
stunnel is ssh tunneling. It just doesn't spawn a shell.
– TheCompWiz
May 31 at 0:43