[zeromq-dev] security model recommendation

chrish at techspecs.com chrish at techspecs.com
Thu Sep 8 02:51:39 CEST 2011


So, to take the thread a little further... Suppose the application is
either free or costs little but the cost to obtain the service is low and
most anyone can subscribe to the service. Now, the server is behind a
firewall that only allows IP addresses that have been validated (either
through credit card purchase or some other means like known bad IP address
screen). So the hacker has the means to develop an entry to the server.
Now he/she could play with zmq in any manner to bring the server down.

I think this thread has been discussed before and, if so, I don't want to
belabor the point but I am curious what facilities I can use, inside zmq,
to protect against such a rogue process. Maybe this is the wrong place to
try. Any recommendations to free and/or commercial software that can be
placed in front of zmq to protect against this threat?

I did see some discussion about whether zmq is ready for open internet
communication; I am assuming that the goal is to use it for this purpose.
Is it ready? Actually I have been using it for some months on a realtime
application over the open internet and it seems pretty stable. But I worry
about this security issue; mostly about a rogue process, with zmq internal
knowledge, to disrupt communication for others and/or hang the server(s).

Thank you.

Best,
  Chris

> On 8 September 2011 00:56, Pieter Hintjens <ph at imatix.com> wrote:
>> You can already use iptables to whitelist trusted peers, and block all
>> others.
>
> And you can implement a simple authentication scheme: each time the client
> application runs, it first connects to your server and authenticates via
> HTTPS, and then if it's all good the FW allows their IP. Then you can develop
> a custom monitoring application or something of that nature which would kill
> the peer if it misbehaves :)
>
> This is quite a basic idea, don't take my word for it please.
>
> Also, if your server is hosted on a well-managed network, these sorts of
> things would be detected by the administrators, using netflow monitoring for
> example.
>
> Well, not to make this too complicated - it all depends on what exactly you
> want to use zmq for.
>
> I don't think there is a need for these things to be handled in the
> library really; maybe some generic hints can be added in the FAQ section.
>
>
> Cheers,
> --
> llya
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
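The quoted reply sketches two host-side measures: a firewall allowlist of peers that have already authenticated (via HTTPS or some other out-of-band step), and a monitor that cuts off a peer that misbehaves. The following is an added example of both, written for this page; it is not code from the zeromq project or from anyone in the thread. It assumes a Linux host with iptables, a ZeroMQ server bound on TCP port 5555 (ZMQ_PORT), peers identified by source IP address, a dedicated chain name ZMQ_PEERS, and a rate threshold of 100 messages per 10 seconds; none of these values come from the thread. The event sample is constructed.

```python
"""Default-deny peer allowlist plus a message-rate monitor for a ZeroMQ
server exposed on the internet.

Added example; not code from the zeromq project or the people in this thread.
Assumptions (not from the thread): the server binds TCP port 5555 (ZMQ_PORT),
the host firewall is Linux iptables, peers are identified by source IP
address, and the application adds an address to the allowlist once the peer
has authenticated (for example over HTTPS, as suggested in the reply).
The event sample at the bottom is constructed."""

import ipaddress
from collections import defaultdict, deque

ZMQ_PORT = 5555              # assumed listening port
CHAIN = "ZMQ_PEERS"          # assumed name of the dedicated iptables chain
MAX_MSGS_PER_WINDOW = 100    # assumed policy threshold
WINDOW_SECONDS = 10.0


def is_valid_peer(ip):
    """True only for a literal IPv4/IPv6 address, so nothing attacker-supplied
    (e.g. '1.2.3.4; rm -rf /') can be spliced into a firewall command."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def allowlist_rules(allowed_ips, port=ZMQ_PORT, chain=CHAIN):
    """iptables commands: a chain for the ZeroMQ port that accepts the
    allowlisted sources and drops everything else (default deny)."""
    bad = [ip for ip in allowed_ips if not is_valid_peer(ip)]
    if bad:
        raise ValueError(f"refusing non-address peers: {bad}")
    rules = [
        f"iptables -N {chain}",
        f"iptables -A INPUT -p tcp --dport {port} -j {chain}",
    ]
    for ip in sorted(set(allowed_ips), key=ipaddress.ip_address):
        rules.append(f"iptables -A {chain} -s {ip} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def flag_abusers(events, max_msgs=MAX_MSGS_PER_WINDOW, window=WINDOW_SECONDS):
    """Sliding-window rate check per source address.

    events: (timestamp_seconds, source_ip, size_bytes) tuples in time order.
    Returns the set of sources that sent more than max_msgs messages inside
    any window of `window` seconds. A flood like this is the simplest way a
    rogue client that knows the wire protocol can starve the other peers."""
    recent = defaultdict(deque)
    abusers = set()
    for ts, ip, _size in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps older than the window
            q.popleft()
        if len(q) > max_msgs:
            abusers.add(ip)
    return abusers


def block_rules(abusers, chain=CHAIN):
    """Insert DROP rules at the head of the chain so they take precedence
    over the peer's earlier ACCEPT."""
    bad = [ip for ip in abusers if not is_valid_peer(ip)]
    if bad:
        raise ValueError(f"refusing non-address peers: {bad}")
    return [f"iptables -I {chain} 1 -s {ip} -j DROP" for ip in sorted(abusers)]


# Constructed sample: two peers at a normal rate and one flooding peer.
SAMPLE_EVENTS = sorted(
    [(t * 0.5, "203.0.113.10", 64) for t in range(40)]          # 2 msg/s for 20 s
    + [(float(t), "198.51.100.7", 128) for t in range(20)]       # 1 msg/s for 20 s
    + [(5.0 + t * 0.01, "192.0.2.99", 16) for t in range(300)],  # 300 msgs in 3 s
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print("\n".join(allowlist_rules(["203.0.113.10", "198.51.100.7", "192.0.2.99"])))
    print("\n".join(block_rules(flag_abusers(SAMPLE_EVENTS))))
```

Two caveats worth keeping in mind with this approach. Inserting the DROP at position 1 of the chain makes it win over the peer's ACCEPT, but if INPUT accepts ESTABLISHED traffic before jumping to the chain, an already-open connection keeps flowing, so the server must also disconnect the peer. And an allowlist keyed on source IP admits everyone behind the same NAT or proxy as a validated subscriber, so it narrows who can reach the socket but does not identify an individual client.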