Re: Cfengine and multiple firewalls/security realms
Scott Omar Burch
Thu, 24 Jun 2004 13:34:34 -0500
Mozilla Thunderbird 0.5 (X11/20040306)
My comments below, again thanks for your responses..Scott
Tim Nelson wrote:
> Not sure I understand what you mean by managing the configuration
> internally. Could you add a line or two to explain this?
What I meant here is that I did not want external applications such as
scp, rsync, etc. managing the mirroring of the different policy servers
(however in my case I only want one policy server). I was basically
trying to see if Cfengine could function without having to rely on
firewall policy changes and other utilities. I was correct in thinking I
would need to do some creative thinking with regards to deployment
here..you guys have confirmed this. Since I am new to actually using
Cfengine I wanted to make sure I wasn't missing anything..and obviously
there were a few things with regards to key exchange that I was not
familiar with. It turns out that I am able to handle the key situation
without compromising security..currently I have some issues with
firewall policy that I will work out. I was able to get authentication
working just fine on multihomed servers that don't have firewalls
between them, so Cfengine does function as expected.
>> and in our case I can not simply have one external policy server..
> I realise that, but thought that my simple setup might give you
> ideas for your more complex setups.
Yes your ideas help and I have thought about having multiple policy
servers, but I think I will work around the problem slightly differently,
but that decision will be made after I come up with a proposal and meet
directly with my friends who manage the security where I work.
> Are these for different customers, or different levels of
> security (i.e. DMZ, etc), or what? I ask because with a better
> understanding of your security needs, we may well be able to answer your
> questions better too.
The security I am talking about is our general security design. We have
our ebusiness environment classified into different layers. There is an
authentication layer (ldap, etc.), presentation layer (web servers),
application layer (weblogic, etc.), and database layer (oracle servers,
etc.). Each of these layers is separated by various firewalls, the
policy being that no communication is allowed between servers in
different layers without explicit policy (rules) allowing this to
happen. There are of course firewalls on the perimeter that handle
traffic coming into and out of these layers from the internet and our
internal corporate network. In general we allow various types of traffic
from inside to traverse the management interfaces on servers in this
environment (when I say this environment I mean the machines sitting in
the layers mentioned above, collectively known as our ebusiness
infrastructure). We obviously have other environments that are separate
from ebusiness (the DMZ is one for example..this would have our
corporate ftp server, etc.)
> Hmm. In thinking about it, cfengine is designed by university
> people for use in a University-style environment. It works well enough in
> the environment that I'm in (medium-ISP), but doesn't appear to account
> for what *everyone* wants. Personally, I think the problem can be
> overcome by judicious use of push (including the FriendStatus function).
> Hmm. Maybe the push feature should only work if the Sysadmin can
> correctly answer a quiz about the benefits of pull :).
Yes, I realize this..which explains some of Cfengine's design. I fully
understand why a pull is done, etc...but that doesn't mean some changes
couldn't be made in the future that would make implementation easier in
our type of environment. At one point in time Tivoli's TSM client (this
is a backup client for those that don't know) required us to use static
host routes so that it would function properly when it was contacted by
the TSM server to properly send its data back to the backup server.
Today however the server contacts the client and the backup session is
held open and the backup data is sent back on the session that is
initiated by the server..the client does not open a new tcp connection
back to the backup server (this is why we used to need a static host
route..because we would only allow that traffic on the management
interface, but the default route was along the production interface).
> Hmm. There are other tools that do similar things to cfengine,
> although without cfengine's broad support base. Maybe one of those does
> pull. The only one that springs to mind is LCFG (with apologies to
> everyone for being offtopic).
I am sure there are other tools, but few that are as well thought out as
Cfengine, have the broad support base as you said, and are as flexible.
All the time we have commercial software vendors trying to sell us this
and that utility to help us better manage/audit our environments,
however usually they break down when we ask if we want to write a custom
script or module to do this or that task (the answer is almost always..you
can pay us to do that, but we don't provide any APIs for you to do this
on your own.). It seems to me that this generally comes from larger
publicly traded companies. An example is Bindview. Bindview is basically
an auditing tool that runs on UNIX/Windows that allows you to audit
systems based on predefined configurations (e.g. Sun's Security
Blueprints)..yet the tool cannot act on variances in the configuration,
nor can you easily write your own configurations to act against..again
Bindview will do this for you..but you can't do it yourself. For us
being able to automatically fix things when they don't match a certain
configuration is much more useful than just reporting that a system is
not in compliance. The challenge for us will be organizing the logical
groups (classes of machines). I still have quite a bit of reading to do
to get all of this sorted out.