diff options
Diffstat (limited to 'source/tutorials/tls_cert_scenario.rst')
-rw-r--r-- | source/tutorials/tls_cert_scenario.rst | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/source/tutorials/tls_cert_scenario.rst b/source/tutorials/tls_cert_scenario.rst new file mode 100644 index 0000000..86a5442 --- /dev/null +++ b/source/tutorials/tls_cert_scenario.rst @@ -0,0 +1,26 @@ +Sample Use Case: Single Central Log Server +========================================== + +We have a quite simple use case. There is one central syslog server, +named central.example.net. These server is being reported to by two +Linux machines with name zuse.example.net and turing.example.net. Also, +there is a third client - ada.example.net - which send both its own +messages to the central server but also forwards messages receive from +an UDP-only capable router. We have decided to use ada.example.net +because it is in the same local network segment as the router and so we +enjoy TLS' security benefits for forwarding the router messages inside +the corporate network. All systems (except the router) use +`rsyslog <http://www.rsyslog.com/>`_ as the syslog software. + +.. figure:: tls_cert_100.jpg + :align: center + :alt: + +Please note that the CA must not necessarily be connected to the rest of +the network. Actually, it may be considered a security plus if it is +not. If the CA is reachable via the regular network, it should be +sufficiently secured (firewall rules et al). Keep in mind that if the +CA's security is breached, your overall system security is breached. + +In case the CA is compromised, you need to regenerate the CA's +certificate as well as all individual machines certificates. |