We have an encryption issue from a vendor's mid-tier to an Oracle database. We can use encrypted database connections and have done so for 90% of cases.
Our security team has advised us that since this connection goes over a link, everything needs to be secure.
One database client is a proprietary vendor mid-tier, whom we have asked to upgrade to encrypted SSL JDBC links, and they have advised us the timeline for this is two years. We need to have a security solution in a shorter timeframe.
Our security team advised us that stunnel might be a potential solution to this problem. This requires setting up a server, keys on the server and a client.
We already run an ssh server on the box that the Oracle database is running on, with keys for users setup.
It seems to me that stunnel duplicates the pattern of ssh.
- server - stunnel server vs ssh server
- server key setup - stunnel key setup vs openssh users setting their keys on the server
- client - Using an ssh client vs using a stunnel client
Stunnel might be useful in cases where you're not already running an openssh server, or where you want a different key management system.
Now I might be missing something in my analysis. There might be a feature of stunnel that I need that I can't see.
My question is: Will ssh tunnelling be a simpler way to solve my link encryption issue rather than stunnel?
EDIT
- This link is already inside a secure network. It is not public. But it is financial services - where the threat model involves hard shell, soft core analysis. It's not good enough to have an insecure link inside a secure network - because you don't trust the inside of your network.
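The two options from the question side by side, as an added example that is not code from the question, the vendor or either project. It assumes hypothetical values: the DB host is `db.example.internal`, the ssh option uses a dedicated account `tunnel`, stunnel listens on 1522, certificate and CA files live under `/etc/stunnel/`, the service name is `ORCL`, and `AAAA...` stands in for a real public key. Nothing in it opens a connection; it only writes out the configs and commands each option needs, plus a check for the stunnel client config that matters under the "don't trust the inside" threat model in the EDIT.

```bash
#!/usr/bin/env bash
# Added example, not from the question. Writes out what each option needs for
# an Oracle listener on DBHOST:1521 without connecting to anything.
# Assumed (hypothetical) values: DB host db.example.internal, a dedicated
# SSH account "tunnel", stunnel listening on 1522, cert/CA paths under
# /etc/stunnel/, and the service name ORCL in the JDBC URL.
set -euo pipefail

DBHOST="${DBHOST:-db.example.internal}"
DBPORT=1521
STUNNEL_PORT=1522

# Option A: ssh. One client-side command, no new daemon on the DB host.
# -N runs no remote command; the -L bind address 127.0.0.1 keeps other
# hosts on the "secure" network from riding the tunnel; the remote side
# 127.0.0.1 means the plaintext hop never leaves the DB host's loopback.
ssh_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%d:127.0.0.1:%d tunnel@%s\n' \
    "$DBPORT" "$DBPORT" "$DBHOST"
}

# Server-side counterpart for the ssh option: the tunnel key in
# ~tunnel/.ssh/authorized_keys on the DB host gets no shell and may only
# forward to the listener ("restrict" needs OpenSSH 7.2 or later).
# "AAAA..." is a placeholder for the real public key.
ssh_authorized_keys_line() {
  printf 'restrict,port-forwarding,permitopen="127.0.0.1:%d" ssh-ed25519 AAAA... tunnel@midtier\n' "$DBPORT"
}

# Option B: stunnel. A daemon on each side plus a server certificate.
stunnel_server_conf() {
  cat <<EOF
; /etc/stunnel/oracle.conf on the DB host
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
[oracle]
accept = ${STUNNEL_PORT}
connect = 127.0.0.1:${DBPORT}
EOF
}

stunnel_client_conf() {
  cat <<EOF
; /etc/stunnel/oracle.conf on the vendor mid-tier
client = yes
[oracle]
accept = 127.0.0.1:${DBPORT}
connect = ${DBHOST}:${STUNNEL_PORT}
verifyChain = yes
CAfile = /etc/stunnel/ca.pem
checkHost = ${DBHOST}
EOF
}

# Either way the vendor product only needs its JDBC host changed to loopback;
# the encrypted hop is invisible to it.
jdbc_url() { printf 'jdbc:oracle:thin:@//127.0.0.1:%d/ORCL\n' "$DBPORT"; }

# Check for the stunnel option: without verifyChain + CAfile the client
# encrypts to whoever answers on 1522, so an attacker inside the "secure"
# network could terminate the TLS and read the traffic. Returns 0 only if
# the config file in $1 pins the server's chain to a CA.
stunnel_client_verifies() {
  grep -q '^verifyChain = yes' "$1" && grep -q '^CAfile = ' "$1"
}

main() {
  echo "# ssh option:"; ssh_tunnel_cmd; ssh_authorized_keys_line
  echo "# stunnel option:"; stunnel_server_conf; stunnel_client_conf
  echo "# JDBC URL for either:"; jdbc_url
}

main "$@"
```

The practical difference this shows: with ssh the server-side trust decision lives in `authorized_keys` on a box you already administer, and the `restrict,permitopen` options keep the tunnel account from becoming a general-purpose login; with stunnel you take on a certificate lifecycle (issuing, renewing, distributing the CA to the vendor host) and the client config must say `verifyChain`/`CAfile` or the link is encrypted but not authenticated. Either way, bind the client-side listener to 127.0.0.1 so the mid-tier's own neighbours cannot use the forwarded port.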
I would just create an IPSec connection between the two systems and not worry about ssh/stunnel.
Today I would use WireGuard. It's much simpler to set up and work with.
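The WireGuard variant of the answer above, as an added example that is not the answerer's own configuration and not from the WireGuard project. It assumes a hypothetical point-to-point tunnel subnet 10.77.0.0/30, the DB host reachable as `db.example.internal` on UDP 51820, and key pairs supplied by the caller (in practice generated with `wg genkey | tee privkey | wg pubkey`). The functions only write the two `wg0.conf` files; the check at the end catches the common mistake of a catch-all `AllowedIPs`.

```bash
#!/usr/bin/env bash
# Added example, not from the answer. Emits WireGuard configs for a
# point-to-point tunnel between the vendor mid-tier and the DB host.
# Assumed (hypothetical) values: tunnel subnet 10.77.0.0/30, DB host
# db.example.internal listening on UDP 51820, keys passed in by the caller.
set -euo pipefail

DB_TUN_IP=10.77.0.1
MT_TUN_IP=10.77.0.2
DB_ENDPOINT="${DB_ENDPOINT:-db.example.internal:51820}"

# /etc/wireguard/wg0.conf on the DB host.
# $1 = DB host private key, $2 = mid-tier public key.
wg_db_conf() {
  cat <<EOF
[Interface]
Address = ${DB_TUN_IP}/30
ListenPort = 51820
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = ${MT_TUN_IP}/32
EOF
}

# /etc/wireguard/wg0.conf on the vendor mid-tier.
# $1 = mid-tier private key, $2 = DB host public key.
# PersistentKeepalive keeps the UDP path open through any stateful firewall
# between the two hosts; AllowedIPs as a /32 means only traffic for the DB
# host's tunnel address is routed into wg0.
wg_midtier_conf() {
  cat <<EOF
[Interface]
Address = ${MT_TUN_IP}/30
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = ${DB_TUN_IP}/32
Endpoint = ${DB_ENDPOINT}
PersistentKeepalive = 25
EOF
}

# The vendor JDBC URL points at the DB host's tunnel address, so the vendor
# product needs no TLS support of its own.
jdbc_url_via_wg() { printf 'jdbc:oracle:thin:@//%s:1521/ORCL\n' "$DB_TUN_IP"; }

# Returns 0 if the peer config in $1 routes only a single host into the
# tunnel. "AllowedIPs = 0.0.0.0/0" would send all of the mid-tier's traffic
# through the DB host, which is both a routing surprise and a needless
# widening of what the DB host's WireGuard key can reach.
wg_allowed_ips_is_host_route() {
  grep -q '^AllowedIPs = .*/32$' "$1" && ! grep -q '0\.0\.0\.0/0' "$1"
}

main() {
  echo "# DB host:"; wg_db_conf DBHOST_PRIVATE_KEY MIDTIER_PUBLIC_KEY
  echo "# mid-tier:"; wg_midtier_conf MIDTIER_PRIVATE_KEY DBHOST_PUBLIC_KEY
  echo "# JDBC URL:"; jdbc_url_via_wg
}

main "$@"
```

To make the "soft core" point stick, the Oracle listener on the DB host should then accept 1521 only from the tunnel (bind it to 10.77.0.1, or drop 1521 on every interface except wg0 with the host firewall); otherwise the encrypted path exists but the plaintext one is still reachable from the rest of the internal network.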