Re: Cfengine and multiple firewalls/security realms

From: Christian Pearce
Subject: Re: Cfengine and multiple firewalls/security realms
Date: Wed, 23 Jun 2004 15:13:18 -0400


I am currently working with people that have your exact problem.  You
are not alone.  I would venture to guess that due to the purist inside
of Mark, I doubt you will see the implementation of a push inside of
cfengine.  Push in the sense of the Cfengine server opens a connection
and dumps files onto the Cfengine client.  Not using cfrun.  And I might
add with good reason.  I believe the security model cfengine implements
is sound.  Interestingly enough Mark's latest article in Login; touches
upon security, firewalls and networks.  I didn't finish the article yet,
but I found it interesting.   Okay enough of that...

Beyond the fact that firewalls are in the way, how do you get cfengine
to report something back to a main server?  I don't know what you guys
are doing, but I use SSH Public keys and rsync.

Having said that, I now have a way of automating rsyncs the other
direction.  So I can actually create a Proxy server that sits in the DMZ
or External network.  I have the main cfengine server rsync via ssh the
cfengine configuration files to one of the Proxy servers.  The
cfengine code is built with the proper class definitions to choose the
correct Proxy server for performing a cfengine request from a client in
the DMZ.  It can download the cfengine files or binary files, etc.

I think this is what Chip alluded to with the Gold Mirror.  Someone else
said this is a bad idea, but hey what else am I going to do.  This is
what people have implemented on their network and they have security
policies.  Sometimes in big companies they can't even control what is or
isn't open in a firewall.  The funny thing is they have to let backups
through, so what is wrong with cfengine?  Regardless, this is what I
do.  Hope this helps.

On Wed, 2004-06-23 at 14:35, Scott Omar Burch wrote:
> Chip,
> I haven't responded to Tim yet, but I can respond to both of you here. 
> I'm not sure what Tim is referring to when he says Cfengine can be made 
> to do a push. I don't believe Cfengine ever does a matter what 
> you do...clients/servers always pull their configuration from a master. 
> If you execute cfrun on the policy all that does is cause a remote host 
> to run cfagent to pull its configuration from the policy server. Sure I 
> can do an scp of an internal master to an external master, but want 
> Cfengine to manage its configuration internally..and in our case I can 
> not simply have one external policy I said before we have 
> multiple external networks with multiple firewalls. If Cfengine ever 
> implements the option of pushing rather than pulling then it will be 
> much easier to handle in our type of environment. Unfortunately I am not 
> a programmer, nor do I have the ability myself to fund that type of 
> change, but I would suspect there are many in the corporate world that 
> would benefit from code changes that would allow Cfengine to function 
> without creating holes through firewalls. I realize we have a fairly 
> complex security design, but I imagine there are many others that 
> implement similar types of designs.
> -Scott
> Chip Seraphine wrote:
> > On Tuesday 22 June 2004 18:26, Tim Nelson wrote:
> > 
> > 
> >>    Well, cfengine can already be set to do push
> >> [SNIP]
> >>   Then it does an automatic scp to copy 
> >>the files in the external directory to the "Gold Mirror" machine.
> > 
> > 
> > Is  the scp copying the 'push' you refer to?  Or am I missing something?
> > 
> > 
Christian Pearce
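
The class-based proxy selection described in the message above, as an added cfengine 2 example that is not from the thread or from the poster's own configuration. The class names, address ranges, hostnames and paths are constructed placeholders, and it assumes each proxy runs cfservd over the directory the main server rsyncs to.

```cfengine
# update.conf on every client (cfengine 2 syntax).
# Class names, address ranges, hostnames and paths are constructed placeholders.

classes:

   # Put each client into a security realm based on its own address.
   # Defined before control: so the classes exist when it is parsed.
   dmz_a = ( IPRange(192.0.2.0/24) )
   dmz_b = ( IPRange(198.51.100.0/24) )

control:

   actionsequence = ( copy )
   domain         = ( example.com )
   workdir        = ( /var/cfengine )
   master_inputs  = ( /var/cfengine/masterfiles/inputs )

   # Internal hosts pull straight from the main cfengine server.
   !(dmz_a|dmz_b)::
      policyhost = ( cfmaster.example.com )

   # Realm clients pull from the proxy on their own side of the firewall.
   # The only flow crossing the firewall is the main server's rsync over
   # ssh to that proxy; no client connects inward to the main server.
   dmz_a::
      policyhost = ( cfproxy-a.example.com )

   dmz_b::
      policyhost = ( cfproxy-b.example.com )

copy:

   any::

      # Same pull on every host; only $(policyhost) differs per realm.
      $(master_inputs) dest=$(workdir)/inputs
                       r=inf
                       mode=600
                       type=checksum
                       server=$(policyhost)
                       encrypt=true
                       trustkey=false   # proxy keys are distributed out of band
```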
