[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cfengine and multiple firewalls/security realms

From: Scott Omar Burch
Subject: Re: Cfengine and multiple firewalls/security realms
Date: Thu, 24 Jun 2004 13:34:34 -0500
User-agent: Mozilla Thunderbird 0.5 (X11/20040306)


My comments below, again thans for your responses..Scott

Tim Nelson wrote:

Not sure I understand what you mean by managing the configuration internally. Could you add a line or two to explain this?

What I meant here is that I did not want external applications such as scp, rsync, etc. managing the mirroring of the different policy servers (however in my case I only want one policy server). I was basically trying to see if Cfengine could function without having to rely on firewall policy changes and other utilities. I was correct in thinking I would need to do some creative thinking with regards to deployment guys have confirmed this. Since I am new to actually using Cfengine I wanted to make sure I wasn't missing anything..and obviously there were a few things with regards to key exchange that I was not familiar with. It turns out that I am able to handle the key situation without comprimising security..currently I have some issues with firewall policy that I will work out. I was able to get authentication working just find on multihomed servers that don't have firewalls betweent them, so Cfengine does function as expected.

and in our case I can not simply have one external policy server..

I realise that, but thought that my simple setup might give you ideas for your more complex setups.

Yes your ideas help and I have thought about having multiple policy servers, but I think I will work around the problem slighly differently, but that decision will be made after I come up with a proposal and meet directly with my friends who mange the security where I work.

Are these for different customers, or different levels of security (ie. DMZ, etc), or what? I ask becuase with a better understanding of your security needs, we may well be able to answer your questions better too.

The security I am talking about is our general security design. We have our ebusines environment classified into different layers. There is an authentication layer (ldap, etc.), presentation layer (web servers), application layer (weblogic, etc.), and database layer (oracle servers, etc.). Each of these layers are separated by various firewalls, the policy being that no communication is allowed between servers in different layers without explicit policy (rules) allowing this to happen. There are of course firewalls on the perimiter that handle traffic coming into and out of these layers from the internet and our internal corporate network. In general we allow various types of traffic from inside to traverse the management interfaces on servers in this environment (when I say this environment I mean the machines sitting in the layers mentioned above (collectively known as our ebusiness infrastructure). We obviously have other environments that are separate from ebusiness (the DMZ is one for example..this would have our corporate ftp server, etc.)

Hmm. In thinking about it, cfengine is designed by university people for use in a University-style environment. It works well enough in the environment that I'm in (medium-ISP), but doesn't appear to account for what *everyone* wants. Personally, I think the problem can be overcome by judicious use of push (including the FriendStatus function). Hmm. Maybe the push feature should only work if the Sysadmin can correctly answer a quiz about the benefits of pull :).

Yes, I realize this..which explains some of Cfengine's design. I fully understand why a pull is done, etc...but that doesn't mean some changes couldn't be made in the future that would make implementation easier in our type of environment. At one point in time Tivoli's TSM client (this is a backup client for those that don't know) required us to use static host routes so that it would function properly when it was contacted by the TSM server to properly sends its data back to the backup server. Today however the server contacts the client and the backup session is held open and the backup data is sent back on the session that is initiated by the server..the client does not open a new tcp connection back to the backup server (this is why we used to need a static host route..because we would only allow that traffic on the management interface, but the default route was along the prodcution interface).

Hmm. There are other tools that do similar things to cfengine, although without cfengine's broad support base. Maybe one of those does pull. The only one that springs to mind is LCFG (with apologies to everyone for being offtopic).

I am sure there are other tools, but few that are as well thought out as Cfengine, have the broad support base as you said, and are as flexible. All the time we have commercial software vendors trying to sell us this and that utility to help us better manage/audit our environments, however usually they break down when we ask if we want to write a custom script or module to this or that task (the answer is almost can pay us to do that, but we don't provide any APIs for you to do this on your own.). It seems to me that this generally comes from larger publicly traded companies. An example is Bindview. Bindview is basically and auditing tool that runs on UNIX/Windows that allows you audit systems based on predefined configurations (e.g. Sun's Security Blueprints)..yet the tool cannot act on variances in the configuration, nor can you easily write your own configurations to act against..again Bindview will do this for you..but you can't do it yourself. For us being able to automatically fix things when they don't match a certain configuration is much more usefule than just reporting that a system is not in compliance. The challenge for us will be organizing the logical groups (classes of machines). I still have quite a bit of reading to do to get all of this sorted out.

Thanks again,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]