password protection

Alex Stapleton alexs at advfn.com
Tue Oct 18 07:57:44 PDT 2005


On 18 Oct 2005, at 15:40, Casper Langemeijer wrote:

> Hi all!
>
> I plan on using memcached for a new project, but I've got one big
> thing to consider: security. This of course should be a big thing in
> software development anyway, but I work for a company that is ISO
> certified for security. For me it is an even bigger concern.

> 1. I've found no way of ensuring the data is read only by my application.
>
> I thought of:
>
> - encrypting the data I put into memcached, this I obviously dismissed
> because this would make caching too slow.

That really depends on which encryption system you use, and what  
exactly *too* slow is?

> - using UNIX domain sockets (a socket file) to connect to memcached. This
> would enable me to use UNIX file permissions to 'secure' memcached a bit.
> I see no real pitfalls here, except that it limits me to use memcached
> only on the local machine, and I might want to use dedicated caching
> machines somewhere along the line...

You could simply enable iptables in your kernel, and lock down access  
to that box to *only* client machines which you want to be able to  
access it. Of course your whole setup should really be hidden inside  
a private network anyway with only a single (or perhaps two for some  
redundancy?) point of entry. If your memcached server resides on a  
private network and your external access points are properly locked  
down, then your main concerns should be buffer overflows and physical  
attacks to your infrastructure.

I'm surprised there's nobody at your company who can help you with  
this tbh, not that people here will refuse to offer advice though.
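
The iptables lockdown suggested in the reply above, as an added example that is not part of the original post. It assumes memcached listens on its default port 11211; the function names, the MEMCACHED chain name and the client addresses are made up for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that restrict memcached to known clients.
# Assumptions: memcached on its default port 11211; the client addresses at the
# bottom are constructed sample values. Rules are printed, not applied, so they
# can be reviewed first and then piped to `sh` as root.

MEMCACHED_PORT=11211

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the client addresses given as arguments.
# Validation happens before any output, so a malformed address (or shell
# metacharacters in one) cannot yield a partial or altered rule set.
memcached_rules() {
    [ "$#" -gt 0 ] || { echo "no client addresses given" >&2; return 1; }
    for client in "$@"; do
        is_ipv4 "$client" || { echo "bad address: $client" >&2; return 1; }
    done
    # Dedicated chain: both TCP and UDP traffic to the port is judged here.
    echo "iptables -N MEMCACHED"
    echo "iptables -A INPUT -p tcp --dport $MEMCACHED_PORT -j MEMCACHED"
    echo "iptables -A INPUT -p udp --dport $MEMCACHED_PORT -j MEMCACHED"
    for client in "$@"; do
        echo "iptables -A MEMCACHED -s $client -j ACCEPT"
    done
    # Anything not listed above is dropped, whatever the INPUT policy is.
    echo "iptables -A MEMCACHED -j DROP"
}

# Constructed sample: two client machines on a private network.
memcached_rules 10.0.0.11 10.0.0.12
```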


