help-cfengine

Re: running cfengine across firewall


From: Mark McCullough
Subject: Re: running cfengine across firewall
Date: Mon, 31 Jan 2005 07:37:42 -0600

On Mon, 2005-01-31 at 08:38 +0100, Mark.Burgess@iu.hio.no wrote:
> I know that many folks think like this -- is it safe to open
> your firewall? But do you have any reason that your firewall
> software has any fewer bugs than cfengine might have? ;)
> 
> Ask yourself *why* you don't want to open your firewall.

In my case, the reason is a very simple principle.  On my systems
outside my firewall, all connections are initiated from internal systems
to the external system if at all possible.  Yes, some applications force
us to break this rule (a web application that initiates a transitory
connection to an application server on the internal network), but the
more we hold to this rule, the safer everyone feels.  Your book cites
the famous principle of least privilege which I believe applies.

If it is possible to do the job without giving external systems inbound
access to your firewall/network, then do so.  By nature, presumably you
trust internal systems more than you trust external, so they should be
allowed greater leeway in initiating connections to the outside.

What we have done in our case is permitted outbound cfengine connections
from the policyhost to the systems in question outside the firewall.
This allows me to initiate a cfrun on those boxes.  I have another
routine that will do an rsync push of the latest policy and related files
to these external systems' staging area.  Then, cfengine on those
external systems checks the staging area for updated policy files.  I
won't claim it is the cleanest solution, but it works.

One side effect is that if I need a one-day override of the policy for a box,
I can easily do it by adjusting the staging area policy for that
external system.

-- 
mmccul@earthlink.net                                   Mark McCullough
"To announce that there must be no criticism of the President, or that 
we are to stand by the President, right or wrong, is not only 
unpatriotic and servile, but is morally treasonable to the American 
public." (Theodore Roosevelt, 1918)
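The receiving half of the scheme described in the message above, as an added example that is neither the poster's script nor part of cfengine: the policyhost pushes policy into a staging directory on the external host (assumed here to be done with rsync over ssh), and this function, run periodically on the external host, promotes only changed files from staging into the live policy directory. No inbound port is opened; the external host only reads its own staging area. Directory paths and file names are assumptions.

```shell
#!/bin/sh
# Assumed push from the policyhost (outbound only, initiated from inside):
#   rsync -a --delete -e ssh /var/cfengine/masterfiles/ exthost:/var/cfengine/staging/
#
# promote_staging STAGING_DIR ACTIVE_DIR
#   Copies every regular file under STAGING_DIR whose content differs from the
#   copy in ACTIVE_DIR. Each file is written to a temporary name and renamed
#   into place, so cfengine never reads a half-written policy file. Symlinks
#   in staging are skipped (find -type f), so a pushed link cannot redirect
#   the promotion to a file outside the tree. Prints the relative path of
#   each promoted file, one per line; prints nothing when staging is current.
promote_staging() {
    staging=$1
    active=$2
    [ -d "$staging" ] || { echo "no staging dir: $staging" >&2; return 1; }
    mkdir -p "$active" || return 1
    find "$staging" -type f | while read -r src; do
        rel=${src#"$staging"/}
        dst=$active/$rel
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue                       # unchanged, nothing to do
        fi
        mkdir -p "$(dirname "$dst")" || exit 1
        cp "$src" "$dst.tmp.$$" && chmod 0644 "$dst.tmp.$$" \
            && mv "$dst.tmp.$$" "$dst" || exit 1
        echo "$rel"
    done
}

# Typical cron entry on the external host (assumed paths):
#   */10 * * * * /usr/local/sbin/promote_staging.sh /var/cfengine/staging /var/cfengine/inputs
```

Because the one-day override mentioned above is just an edited file in that host's staging area, it is promoted by the same run as any other change and overwritten again by the next push.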
