[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Cfengine and multiple firewalls/security realms
|
From: |
Wheeler, John |
|
Subject: |
RE: Cfengine and multiple firewalls/security realms |
|
Date: |
Tue, 22 Jun 2004 11:51:22 -0500 |
> 1) Authentication with keys appears to be tied to the primary network
> interface of each server. Systems which sit behind firewalls in our
> environment have multiple network interfaces. The primary network
> interface is always considered the production interface. We always
have
> a secondary interface which is used for management operations
(backups,
> monitoring, etc.). If I have a host called snoopy then qfe0 would be
> snoopy and qfe1 would be snoopy-mgmt. For this example snoopy sits
> behind a firewall and the Cfengine policy server is on the other side
of
> the policy server. When we execute cfrun on the policy server we found
> that no matter what we did we could not get authentication to work
along
> the management interface...we needed to open 5308 on the production
> interface...Cfengine appears to always use the interface named snoopy.
<SNIP>
When we setup our new production environment we did exactly this (dual
homed, though we chose to have the primary be the mgmt for several
reasons, cfengine, pxe boot, etc...). Aside from our differences in
choice of primary, the trick is to be sure that the key is created with
the mgmt interface IP. You can use the key you already have and copy it
to the source IP in /var/cfengin/ppkeys. In our case the policy host
also has a leg on the mgmt interface. We added static routes for things
such that traffic would be forced to traverse this mgmt lan for
cfengine. If your policy host is not on the same lan, and you snat, you
can copy the policy host key to the IP that the packet arrives as. I did
this with our policy server, it has a key for 10.2.1.X and that key was
copied to root-10.222.1.X.pub (numbers changed to protect the innocent).
>
> 2) Our bigger issue is how to have a policy server when there are
> multiple security realms. We have multiple layers of firewalls. For
> instance there are firewalls between application servers, web servers,
> database servers, and authentication servers, as well as our internal
> networks. (The servers in application/database/web/authentication
layers
> are on external networks).
<SNIP>
I wouldn't recommend doing this. It gets very cumbersome for updates,
and the management gets confusing for all but the installer. If you want
more than just you to use cfengine, have one policy host.
- RE: Cfengine and multiple firewalls/security realms,
Wheeler, John <=