Re: Cfengine and multiple firewalls/security realms

From: Tim Nelson
Subject: Re: Cfengine and multiple firewalls/security realms
Date: Thu, 24 Jun 2004 10:22:18 +1000 (EST)

On Wed, 23 Jun 2004, Scott Omar Burch wrote:

> Chip,
> I haven't responded to Tim yet, but I can respond to both of you here.
> I'm not sure what Tim is referring to when he says Cfengine can be made
> to do a push. I don't believe Cfengine ever does a matter what
> you do...clients/servers always pull their configuration from a master.
> If you execute cfrun on the policy all that does is cause a remote host
> to run cfagent to pull its configuration from the policy server. Sure I

        Oops, my bad.  Sorry :).  That's what I meant.

> can do an scp of an internal master to an external master, but want
> Cfengine to manage its configuration internally..

        Not sure I understand what you mean by managing the configuration
internally.  Could you add a line or two to explain this?

> and in our case I can not simply have one external policy server..

        I realise that, but thought that my simple setup might give you
ideas for your more complex setups.

> as I said before we have multiple external networks with multiple
> firewalls.

        Are these for different customers, or different levels of
security (i.e. DMZ, etc), or what?  I ask because with a better
understanding of your security needs, we may well be able to answer your
questions better too.

> If Cfengine ever implements the option of pushing rather than pulling
> then it will be much easier to handle in our type of environment.

        Hmm.  In thinking about it, cfengine is designed by university
people for use in a University-style environment.  It works well enough in
the environment that I'm in (medium-ISP), but doesn't appear to account
for what *everyone* wants.  Personally, I think the problem can be
overcome by judicious use of push (including the FriendStatus function).
Hmm.  Maybe the push feature should only work if the Sysadmin can
correctly answer a quiz about the benefits of pull :).

> Unfortunately I am not
> a programmer, nor do I have the ability myself to fund that type of
> change, but I would suspect there are many in the corporate world that
> would benefit from code changes that would allow Cfengine to function
> without creating holes through firewalls. I realize we have a fairly
> complex security design, but I imagine there are many others that
> implement similar types of designs.

        Hmm.  There are other tools that do similar things to cfengine,
although without cfengine's broad support base.  Maybe one of those does
pull.  The only one that springs to mind is LCFG (with apologies to
everyone for being off-topic).


Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Email: address@hidden

