help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cfengine and multiple firewalls/security realms


From: Scott Omar Burch
Subject: Re: Cfengine and multiple firewalls/security realms
Date: Wed, 23 Jun 2004 15:30:00 -0500
User-agent: Mozilla Thunderbird 0.5 (X11/20040306)

Christian,

Thanks for your informed response..along with Chip's response I feel much better. I figured I would have to work out some sort of in house solution to get Cfengine fully functional with our security..despite all my observations/issues I don't think I will have too much trouble getting everything working in an acceptable manner. The good news is:

1) I maintain our OS images on Solaris and they include many packages I built from source to aid in our administration (OpenSSH, Cfengine, rsync, curl, wget, screen, star, perl, expect, etc., etc.). We already heavily use ssh/rsync with public key authentication. I even have an OpenSSH server that uses SecurID as a backend for authentication. I follow closely the developments of OpenSSH as that is crucial to our environment. In general I've been able to solve many problems that have saved us money and time by using Open Source Solutions. I love the support and dialogue I end up having with people like you..this is very rare in commercially supported software...although there are many commercial products that are excellent that we use heavily (Veritas Foundation Suite products).

2) I have an excellent working relationship with our firewall admins and security architects. I do favors for them and they do favors for me..we usually come to consensu on things..especially since we are all very concerned about security (host based, firewalls, etc.).

Unfortunately throughout the Cfengine testing I have been busy working on several other projects and had someone else doing much of the testing..something I wanted to do more directly. I will be getting much more involved in the future..at least after I return from USENIX next week. I just got the current issue of ;login the other day, but haven't had a chance to look at it yet.

Thanks,
Scott

Christian Pearce wrote:
Scott,

I am currently working with people that have your exact problem.  You
are not alone.  I would venture to guess that due to the purist inside
of Mark, I doubt you will see the implementation of a push inside of
cfengine.  Push in the sense of the Cfengine server opens a connection
and dumps file on to the Cfengine client.  Not using cfrun.  And I might
add with good reason.  I believe the security model cfengine implements
is sound.  Interestingly enough Mark's latest article in Login; touches
upon security, firewalls and networks.  I didn't finish the article yet,
but I found it interesting.   Okay enough of that...

Beyond the fact that firewalls are in the way, how do you get cfengine
to report something back to a man server?  I don't know what you guys
are doing, but I use SSH Public keys and rsync.

Have said that I now have a way of automating rsyncs the other
direction.  So I can actually create a Proxy server that sits in the DMZ
or External network.  I have the main cfengine server rsync via ssh the
cfengine configuration files to the one of the Proxy servers.  The
cfengine code is built with the proper class definitions to choose the
correct Proxy server for performing a cfengine request from a clien in
the DMZ.  It can download the cfengine files or binary files, etc.

I think this is what Chip eluded to with the Gold Mirror.  Someone else
said this is a bad idea, but hey what else am I going to do.  This is
what people have implemented on their network and they have security
policies.  Sometimes in big companies they can't even control what is or
isn't open in a firewall.  The funny thing is they have to let backups
through,  so what is wrong with cfengine?  Regardless this is what I
do.  Hope this helps.

On Wed, 2004-06-23 at 14:35, Scott Omar Burch wrote:

Chip,

I haven't responded to Tim yet, but I can respond to both of you here. I'm not sure what Tim is referring to when he says Cfengine can be made to do a push. I don't believe Cfengine ever does a push..no matter what you do...clients/servers always pull their configuration from a master. If you execute cfrun on the policy all that does is cause a remote host to run cfagent to pull its configuration from the policy server. Sure I can do an scp of an internal master to an external master, but want Cfengine to manage its configuration internally..and in our case I can not simply have one external policy server..as I said before we have multiple external networks with multiple firewalls. If Cfengine ever implements the option of pushing rather than pulling then it will be much easier to handle in our type of environment. Unfortunatley I am not a programmer, nor do I have the ability myself to fund that type of change, but I would suspect there are many in the corporate world that would benefit from code changes that would allow Cfengine to function without creating holes through firewalls. I realize we have a fairly complex security design, but I imagine there are many others that implement similar types of designs.

-Scott

Chip Seraphine wrote:

On Tuesday 22 June 2004 18:26, Tim Nelson wrote:



        Well, cfengine can already be set to do push
[SNIP]
Then it does an automatic scp to copy the files in the external directory to the "Gold Mirror" machine.


Is  the scp copying the 'push' you refer to?  Or am I missing something?




_______________________________________________
Help-cfengine mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/help-cfengine




reply via email to

[Prev in Thread] Current Thread [Next in Thread]