help-cfengine

Re: Cfengine and multiple firewalls/security realms


From: Scott Omar Burch
Subject: Re: Cfengine and multiple firewalls/security realms
Date: Wed, 23 Jun 2004 13:35:02 -0500
User-agent: Mozilla Thunderbird 0.5 (X11/20040306)

Chip,

I haven't responded to Tim yet, but I can respond to both of you here. I'm not sure what Tim is referring to when he says Cfengine can be made to do a push. I don't believe Cfengine ever does a push..no matter what you do...clients/servers always pull their configuration from a master. If you execute cfrun on the policy all that does is cause a remote host to run cfagent to pull its configuration from the policy server. Sure I can do an scp of an internal master to an external master, but I want Cfengine to manage its configuration internally..and in our case I cannot simply have one external policy server..as I said before we have multiple external networks with multiple firewalls. If Cfengine ever implements the option of pushing rather than pulling then it will be much easier to handle in our type of environment. Unfortunately I am not a programmer, nor do I have the ability myself to fund that type of change, but I would suspect there are many in the corporate world that would benefit from code changes that would allow Cfengine to function without creating holes through firewalls. I realize we have a fairly complex security design, but I imagine there are many others that implement similar types of designs.

-Scott

Chip Seraphine wrote:
On Tuesday 22 June 2004 18:26, Tim Nelson wrote:


        Well, cfengine can already be set to do push
[SNIP]
Then it does an automatic scp to copy the files in the external directory to the "Gold Mirror" machine.


Is the scp copying the 'push' you refer to? Or am I missing something?





