no security at application level?

Brad Fitzpatrick
Wed, 22 Oct 2003 16:00:05 -0700 (PDT)

No, no.... we listen on an IP, not an interface!

That's an important distinction when it comes to network security.

On Thu, 23 Oct 2003, Anatoly Vorobey wrote:

> On Wed, Oct 22, 2003 at 03:32:34PM -0700, Joshua Haberman wrote:
> > I want to be sure that I'm not missing something.  It appears that
> > memcached offers no form of authenticating or authorizing connections,
> > so any security of this type need to be performed at the TCP level ie.
> > through firewalling.  Is that correct?
> Yes. Perhaps the docs don't stress that enough, I'm not sure, but this
> is hugely important to remember:
> Small installations running memcached on publicly accessible servers
> *must* take care not to allow unauthorised connections. This would
> usually be done through using a private network which large
> installations typically use anyway. Small installations which use
> memcached should set up firewalling instructions carefully. memcached
> also has a command-line option to listen on a particular interface only,
> which may help to admins who set up their machines with >1 network
> interface.
> --
> avva