Re: Cfengine and multiple firewalls/security realms
Scott Omar Burch
Wed, 23 Jun 2004 15:30:00 -0500
Mozilla Thunderbird 0.5 (X11/20040306)
Thanks for your informed response..along with Chip's response I feel
much better. I figured I would have to work out some sort of in house
solution to get Cfengine fully functional with our security..despite all
my observations/issues I don't think I will have too much trouble
getting everything working in an acceptable manner. The good news is:

1) I maintain our OS images on Solaris and they include many packages I
built from source to aid in our administration (OpenSSH, Cfengine,
rsync, curl, wget, screen, star, perl, expect, etc., etc.). We already
heavily use ssh/rsync with public key authentication. I even have an
OpenSSH server that uses SecurID as a backend for authentication. I
follow closely the developments of OpenSSH as that is crucial to our
environment. In general I've been able to solve many problems that have
saved us money and time by using Open Source Solutions. I love the
support and dialogue I end up having with people like you..this is very
rare in commercially supported software...although there are many
commercial products that are excellent that we use heavily (Veritas
Foundation Suite products).

2) I have an excellent working relationship with our firewall admins and
security architects. I do favors for them and they do favors for me..we
usually come to consensus on things..especially since we are all very
concerned about security (host based, firewalls, etc.).

Unfortunately throughout the Cfengine testing I have been busy working
on several other projects and had someone else doing much of the
testing..something I wanted to do more directly. I will be getting much
more involved in the future..at least after I return from USENIX next
week. I just got the current issue of ;login the other day, but haven't
had a chance to look at it yet.
Christian Pearce wrote:
I am currently working with people that have your exact problem. You
are not alone. I would venture to guess that due to the purist inside
of Mark, I doubt you will see the implementation of a push inside of
cfengine. Push in the sense of the Cfengine server opens a connection
and dumps files onto the Cfengine client. Not using cfrun. And I might
add with good reason. I believe the security model cfengine implements
is sound. Interestingly enough Mark's latest article in Login; touches
upon security, firewalls and networks. I didn't finish the article yet,
but I found it interesting. Okay enough of that...

Beyond the fact that firewalls are in the way, how do you get cfengine
to report something back to a main server? I don't know what you guys
are doing, but I use SSH Public keys and rsync.

Having said that I now have a way of automating rsyncs the other
direction. So I can actually create a Proxy server that sits in the DMZ
or External network. I have the main cfengine server rsync via ssh the
cfengine configuration files to one of the Proxy servers. The
cfengine code is built with the proper class definitions to choose the
correct Proxy server for performing a cfengine request from a client in
the DMZ. It can download the cfengine files or binary files, etc.

I think this is what Chip alluded to with the Gold Mirror. Someone else
said this is a bad idea, but hey what else am I going to do. This is
what people have implemented on their network and they have security
policies. Sometimes in big companies they can't even control what is or
isn't open in a firewall. The funny thing is they have to let backups
through, so what is wrong with cfengine? Regardless this is what I
do. Hope this helps.
On Wed, 2004-06-23 at 14:35, Scott Omar Burch wrote:
I haven't responded to Tim yet, but I can respond to both of you here.
I'm not sure what Tim is referring to when he says Cfengine can be made
to do a push. I don't believe Cfengine ever does a push..no matter what
you do...clients/servers always pull their configuration from a master.
If you execute cfrun on the policy all that does is cause a remote host
to run cfagent to pull its configuration from the policy server. Sure I
can do an scp of an internal master to an external master, but I want
Cfengine to manage its configuration internally..and in our case I can
not simply have one external policy server..as I said before we have
multiple external networks with multiple firewalls. If Cfengine ever
implements the option of pushing rather than pulling then it will be
much easier to handle in our type of environment. Unfortunately I am not
a programmer, nor do I have the ability myself to fund that type of
change, but I would suspect there are many in the corporate world that
would benefit from code changes that would allow Cfengine to function
without creating holes through firewalls. I realize we have a fairly
complex security design, but I imagine there are many others that
implement similar types of designs.
Chip Seraphine wrote:
On Tuesday 22 June 2004 18:26, Tim Nelson wrote:
Well, cfengine can already be set to do push
Then it does an automatic scp to copy
the files in the external directory to the "Gold Mirror" machine.
Is the scp copying the 'push' you refer to? Or am I missing something?
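The proxy arrangement Christian describes (the inside policy server rsyncs its cfengine inputs over ssh to a "Gold Mirror" proxy in the DMZ, and DMZ clients then pull from that proxy as usual) can be scripted so that the only inbound thing the proxy ever accepts is that one rsync. The script below is an added example written for this thread; it is not code from any of the posters or from the cfengine project. The hostnames, the masterfiles path, the `cfmirror` account and the key file name are assumptions, and the receiving side relies on `rrsync`, the restricted-rsync wrapper shipped in rsync's `support/` directory, whose root directory makes the client's destination path relative to it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the cfengine project.
# Pushes the policy server's cfengine inputs to a DMZ proxy over ssh+rsync:
# the inside host opens the connection, the proxy only ever accepts one.
# Hostnames, paths, the key file and the user name are assumptions.
set -eu

MASTER_INPUTS="${MASTER_INPUTS:-/var/cfengine/masterfiles/inputs/}"  # assumed path
PUSH_KEY="${PUSH_KEY:-/root/.ssh/cfengine-mirror}"                   # key used only for this job
MIRROR_USER="${MIRROR_USER:-cfmirror}"                               # unprivileged account on the proxy

# One proxy per security realm (the class a client in that realm carries).
# A realm that is not listed cannot be pushed to, so a typo cannot send
# policy to an arbitrary host.
proxy_for_realm() {
    case "$1" in
        dmz)      echo "proxy-dmz.example.net" ;;   # assumed hostname
        external) echo "proxy-ext.example.net" ;;   # assumed hostname
        *)        return 1 ;;
    esac
}

# Build the rsync command as a string so it can be reviewed before it runs.
# --delete keeps the mirror identical to the master (stale policy is removed);
# BatchMode and StrictHostKeyChecking make the job fail rather than prompt.
# The destination "/" is relative to the rrsync root configured on the proxy.
build_mirror_cmd() {
    realm="$1"
    proxy=$(proxy_for_realm "$realm") || { echo "unknown realm: $realm" >&2; return 1; }
    ssh_cmd="ssh -i $PUSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"
    echo "rsync -a --delete -e '$ssh_cmd' $MASTER_INPUTS $MIRROR_USER@$proxy:/"
}

# authorized_keys line to install for $MIRROR_USER on the proxy.  The key is
# pinned to rrsync rooted at the inputs tree and gets no shell, pty or
# forwarding, so a stolen key yields only the ability to rewrite that tree.
authorized_keys_entry() {
    pubkey="$1"
    echo "command=\"/usr/local/bin/rrsync /var/cfengine/inputs/\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding $pubkey"
}

# Usage: sync-to-proxy.sh <realm> [--run]   (prints the command unless --run)
if [ "${1:-}" != "" ]; then
    cmd=$(build_mirror_cmd "$1")
    if [ "${2:-}" = "--run" ]; then eval "$cmd"; else echo "$cmd"; fi
fi
```

Run it from cron on the inside policy server, once per realm; the DMZ clients keep their ordinary pull configuration and simply name the proxy as their policy host, so no firewall rule from the DMZ back to the inside network is needed, and the proxy holds nothing but a read-only copy of the inputs.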
Help-cfengine mailing list