no security at application level?
Brad Fitzpatrick
brad@danga.com
Wed, 22 Oct 2003 16:00:05 -0700 (PDT)
No, no.... we listen on an IP, not an interface!
That's an important distinction when it comes to network security.
On Thu, 23 Oct 2003, Anatoly Vorobey wrote:
> On Wed, Oct 22, 2003 at 03:32:34PM -0700, Joshua Haberman wrote:
> > I want to be sure that I'm not missing something. It appears that
> > memcached offers no form of authenticating or authorizing connections,
> > so any security of this type need to be performed at the TCP level ie.
> > through firewalling. Is that correct?
>
> Yes. Perhaps the docs don't stress that enough, I'm not sure, but this
> is hugely important to remember:
>
> NO AUTHENTICATION WHATSOEVER.
>
> Small installations running memcached on publicly accessible servers
> *must* take care not to allow unauthorised connections. This would
> usually be done through using a private network which large
> installations typically use anyway. Small installations which use
> memcached should set up firewalling instructions carefully. memcached
> also has a command-line option to listen on a particular interface only,
> which may help to admins who set up their machines with >1 network
> interface.
>
> --
> avva
>
>