Suggestion - Encryption of traffic between server and clients

17-04-2005, 13:44
I can imagine this was asked a couple of times, but a search for "encrypt" within the forum did not provide any results, so I am adding a posting.

As of V1.1A7 the traffic between client and server is not encrypted and as such might be a potential security risk (Ethereal shows a lot of plain text).

This _might_ be OK in a LAN but won't work over the public internet. Of course one can use a VPN or SSH tunnel or anything else. This would add complexity to the entire setup (i.e. how to monitor the SSH or VPN tunnel etc.).

Therefore I suggest adding a simple and basic symmetric encryption, for example Blowfish, which is fairly secure and easy to implement.

Some thoughts on this:
- When using a common shared symmetric encryption, the keys have to be put on every client. This means in turn that anyone with access to one client could decrypt any traffic from any other clients.

- To work around this, the encryption key could be specific to the host and placed in the SQL database, defined via the web interface in the host setup. In this case the question is when to decrypt the data. Would the server_process query the SQL database or maintain a hashtable? If the server has to query the SQL database anyway upon a client request (which it seems to do), then this should not be a performance issue though.

P.S. Of course one could also use asymmetric encryption (like RSA, DH or upper-level protocols like SSL / TLS), but this adds some more complexity to the implementation.

Thoughts?

20-05-2005, 22:40
Since Version 1.1alpha9 is out, I thought it would be an idea to bring this up again ;)

Are there any plans for the V1.1 Release to add encryption?

20-05-2005, 23:12
Thanks for the reminder! Already in TODO!

17-05-2007, 10:57
Are there already any plans for the V1.4 Release to add encryption of agent-server traffic?


15-02-2010, 17:17

Is communication between server and agent encrypted?

15-02-2010, 18:02
Not yet. The best workaround for now is to use stun or something similar.

16-02-2010, 08:25
Is there a reason it hasn't made it into the core yet? Even a basic encryption that relied on a key in the agent config file (and in the host config on the server) would make it a lot more secure.
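
A sketch of the per-host pre-shared key idea raised in the first post and in the post above, as an added example that is not part of the thread and not Zabbix code. It uses AES-256-GCM from the Go standard library rather than the Blowfish suggested earlier; `hostKeys`, `Seal`, `Open`, the host names and the key values are hypothetical, and the map stands in for a key stored per host on the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// hostKeys stands in for a per-host key column on the server (constructed sample values).
var hostKeys = map[string][]byte{
	"web01": []byte("0123456789abcdef0123456789abcdef"),
	"db01":  []byte("fedcba9876543210fedcba9876543210"),
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256; a nil key is an error
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the agent side: key from its own config, host name as associated data, output nonce||ciphertext||tag.
func Seal(host string, key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(host)), nil
}

// Open is the server side: look up the claimed host's key, then decrypt and verify the tag.
func Open(host string, msg []byte) ([]byte, error) {
	aead, err := newAEAD(hostKeys[host]) // unknown host yields a nil key, which is rejected
	if err != nil || len(msg) < aead.NonceSize() {
		return nil, fmt.Errorf("no usable key for host %q or message too short", host)
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], []byte(host))
}

func main() {
	msg, _ := Seal("web01", hostKeys["web01"], []byte("agent.ping=1"))
	_, err := Open("db01", msg) // web01's ciphertext presented as db01
	fmt.Println("cross-host decrypt rejected:", err != nil)
}
```

With one key per host, a key taken from one agent opens only that agent's traffic, which is the difference from the single shared key described in the first post.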

16-02-2010, 20:36
This is something that is holding me back from a Zabbix implementation right now... we have a secure area of our network that is audited twice a year, and one of the areas we were "dinged" on during the last audit was a lack of using SNMPv3 (with encryption).

I can only imagine that the lack of Zabbix agents using some basic kind of auth/encryption will stop us from being able to use Zabbix for this enclave we have.

24-02-2010, 00:05
We could REALLY use both encryption of the agent traffic and authentication of agents (pref using SSL keys).

24-02-2010, 09:51

We could REALLY use both encryption of the agent traffic and authentication of agents (pref using SSL keys).

It would be nice to have SSL integrated in Zabbix agent.
In the meantime, there is a workaround in Zabbix 1.8 with 'SSH agent'.

I have set up a simple test that gets agent.ping item thru SSH agent:
Type: SSH Agent
Key: ssh.run[ping]
Authentication method: Password
User name: root
Password : ********
Executed script:
zabbix_agentd -t 'agent.ping' | sed -e 's/.*|//' -e 's/\]$//'

I have used the 'Password' authentication method for testing. For production use, I would change it to 'Public key'.

It will work only on Unix/Linux hosts and is a bit complicated but, as I said, it is just a workaround.

Hope this helps

26-02-2010, 07:41
It would also be great for the Zabbix agents to be able to connect to the Zabbix server through an HTTP proxy (squid for example) when in active mode, where we would have something like

in the configuration of zabbix agent.