help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bootstrapping


From: Adrian Phillips
Subject: Re: Bootstrapping
Date: Thu, 19 Feb 2004 08:03:58 +0100
User-agent: Gnus/5.090016 (Oort Gnus v0.16) Emacs/21.2 (gnu/linux)

>>>>> "Eric" == Eric Sorenson <address@hidden> writes:

[ Removing Ccs - presumably everyone reads the list ?]

    Eric> Given the caveats -- internal-only hosts, defense in depth
    Eric> with filters and firewalls -- my point is you don't lose
    Eric> much real world security by making
    Eric> TrustKeysFrom/DynamicAddresses promiscuous.

Um, do you disallow people ssh'ing to the outside world and, for
example, setting up tunnels to their internal machines ? I'm in no way
a security expert but I was under the impression that the majority of
security breaches are due to internal issues not attacks directly
through the firewall.

What this actually means in real terms I'm not sure - splitting the
network into seperate segments depending upon use, e.g production,
windows, and so on. If a machine that has a cfengine key is
compromised what does it mean for cfengine and the rest of the
network. Its highly unlikely that the cfengine server itself could be
compromised through the cfservd/cfagent connection so is this an
argument for using them or not using them.

Perhaps its too early in the morning for me :-)

Sincerely,

Adrian Phillips

-- 
Who really wrote the works of William Shakespeare ?
http://www.pbs.org/wgbh/pages/frontline/shakespeare/




reply via email to

[Prev in Thread] Current Thread [Next in Thread]