Re: Cfengine and multiple firewalls/security realms

[Scott Omar Burch]

Tim,

My comments below, again thans for your responses..Scott

Tim Nelson wrote:

> 	Not sure I understand what you mean by managing the configuration 
> internally.  Could you add a line or two to explain this?  

What I meant here is that I did not want external applications such as 
scp, rsync, etc. managing the mirroring of the different policy servers 
(however in my case I only want one policy server). I was basically 
trying to see if Cfengine could function without having to rely on 
firewall policy changes and other utilities. I was correct in thinking I 
would need to do some creative thinking with regards to deployment 
here..you guys have confirmed this. Since I am new to actually using 
Cfengine I wanted to make sure I wasn't missing anything..and obviously 
there were a few things with regards to key exchange that I was not 
familiar with. It turns out that I am able to handle the key situation 
without comprimising security..currently I have some issues with 
firewall policy that I will work out. I was able to get authentication 
working just find on multihomed servers that don't have firewalls 
betweent them, so Cfengine does function as expected.

> > and in our case I can not simply have one external policy server..
>
>
> 	I realise that, but thought that my simple setup might give you 
> ideas for your more complex setups.  

Yes your ideas help and I have thought about having multiple policy 
servers, but I think I will work around the problem slighly differently, 
but that decision will be made after I come up with a proposal and meet 
directly with my friends who mange the security where I work.

> 	Are these for different customers, or different levels of 
> security (ie. DMZ, etc), or what?  I ask becuase with a better 
> understanding of your security needs, we may well be able to answer your 
> questions better too.


The security I am talking about is our general security design. We have 
our ebusines environment classified into different layers. There is an 
authentication layer (ldap, etc.), presentation layer (web servers), 
application layer (weblogic, etc.), and database layer (oracle servers, 
etc.). Each of these layers are separated by various firewalls, the 
policy being that no communication is allowed between servers in 
different layers without explicit policy (rules) allowing this to 
happen. There are of course firewalls on the perimiter that handle 
traffic coming into  and out of these layers from the internet and our 
internal corporate network. In general we allow various types of traffic 
from inside to traverse the management interfaces on servers in this 
environment (when I say this environment I mean the machines sitting in 
the layers mentioned above (collectively known as our ebusiness 
infrastructure). We  obviously have other environments that are separate 
from ebusiness (the DMZ is one for example..this would have our 
corporate ftp server, etc.)

> 	Hmm.  In thinking about it, cfengine is designed by university 
> people for use in a University-style environment.  It works well enough in 
> the environment that I'm in (medium-ISP), but doesn't appear to account 
> for what *everyone* wants.  Personally, I think the problem can be 
> overcome by judicious use of push (including the FriendStatus function).  
> Hmm.  Maybe the push feature should only work if the Sysadmin can 
> correctly answer a quiz about the benefits of pull :).  

Yes, I realize this..which explains some of Cfengine's design. I fully 
understand why a pull is done, etc...but that doesn't mean some changes 
couldn't be made in the future that would make implementation easier in 
our type of environment. At one point in time Tivoli's TSM client (this 
is a backup client for those that don't know) required us to use static 
host routes so that it would function properly when it was contacted by 
the TSM server to properly sends its data back to the backup server. 
Today however the server contacts the client and the backup session is 
held open and the backup data is sent back on the session that is 
initiated by the server..the client does not open a new tcp connection 
back to the backup server (this is why we used to need a static host 
route..because we would only allow that traffic on the management 
interface, but the default route was along the prodcution interface).

> 	Hmm.  There are other tools that do similar things to cfengine, 
> although without cfengine's broad support base.  Maybe one of those does 
> pull.  The only one that springs to mind is LCFG (with apologies to 
> everyone for being offtopic).  

I am sure there are other tools, but few that are as well thought out as 
Cfengine, have the broad support base as you said, and are as flexible. 
All the time we have commercial software vendors trying to sell us this 
and that utility to help us better manage/audit our environments, 
however usually they break down when we ask if we want to write a custom 
script or module to this or that task (the answer is almost always..you 
can pay us to do that, but we don't provide any APIs for you to do this 
on your own.). It seems to me that this generally comes from larger 
publicly traded companies. An example is Bindview. Bindview is basically 
and auditing tool that runs on UNIX/Windows that allows you audit 
systems based on predefined configurations (e.g. Sun's Security 
Blueprints)..yet the tool cannot act on variances in the configuration, 
nor can you easily write your own configurations to act against..again 
Bindview will do this for you..but you can't do it yourself. For us 
being able to automatically fix things when they don't match a certain 
configuration is much more usefule than just reporting that a system is 
not in compliance. The challenge for us will be organizing the logical 
groups (classes of machines). I still have quite a bit of reading to do 
to get all of this sorted out.

Thanks again,
Scott