help-cfengine

Re: running cfengine across firewall


From: Tim Nelson
Subject: Re: running cfengine across firewall
Date: Tue, 1 Feb 2005 10:50:29 +1100 (EST)

On Mon, 31 Jan 2005 Mark.Burgess@iu.hio.no wrote:

> I know that many folks think like this -- is it safe to open
> your firewall? But do you have any reason that your firewall
> software has any fewer bugs than cfengine might have? ;)

        No; probably more.

> Ask yourself *why* you don't want to open your firewall.

It's all a matter of exposure. The firewall in this case was a Smoothwall (Linux firewall) machine (slightly modified). IIRC, it had no open ports, so the only vulnerabilities in it, if I understand, would be TCP/IP attacks (or possibly iptables) on Linux. And if they allow compromise, I'm in big trouble :). OTOH, if I port-forward the cfservd port (since the network behind was NATed), then the exposure is the same as I originally had, *except* that I also have to worry about cfservd (and bugs in the port-forwarding mechanism). If there's a cfservd hole, sure I have to rebuild some external machines, but I can just rebuild the config from the internal one.

The question is whether I think that there's more risk from allowing access to the internal cfservd, or from the danger of updates not getting pushed through properly. The external cfengine machines, though, could still get their config from the external cfengine server.

I agree, usually pull is better, but I prefer push going from a (supposedly) higher security zone to a lower security zone.

        :)

--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne, Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: tim.nelson@webalive.biz
http://www.webalive.biz/

"Your Business, Your Web, Your Control"
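The exposure trade-off discussed in the post (port-forwarding cfservd through a NATing Linux firewall) can be narrowed by forwarding the port only from the known external cfengine hosts and logging anything else that hits it. The following is an added example, not code from the thread or from Smoothwall or cfengine: it emits iptables rules for review rather than applying them. The interface name and all addresses are constructed placeholders; 5308/tcp is cfengine's server port.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules for a NAT
# firewall that forwards cfservd (tcp/5308) to one internal server, but
# only from an explicit list of external cfengine clients. Connections to
# that port from anyone else never get DNATed, so they land on the
# firewall's INPUT chain, where they are logged (for detection) and dropped.
# Interface names and addresses are constructed placeholders.

CFSERVD_PORT=5308   # cfengine server port

# cfservd_forward_rules WAN_IF INTERNAL_IP "SRC1 SRC2 ..."
# Prints the rules instead of running them so they can be reviewed first.
cfservd_forward_rules() {
    wan_if=$1; internal_ip=$2; allowed=$3

    # Replies to forwarded connections flow back through the tracked state.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for src in $allowed; do
        echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp -s $src --dport $CFSERVD_PORT -j DNAT --to-destination $internal_ip:$CFSERVD_PORT"
        echo "iptables -A FORWARD -i $wan_if -p tcp -s $src -d $internal_ip --dport $CFSERVD_PORT -m state --state NEW -j ACCEPT"
    done

    # Anything else aimed at the cfservd port: log it, then drop it.
    echo "iptables -A INPUT -i $wan_if -p tcp --dport $CFSERVD_PORT -j LOG --log-prefix 'cfservd-unexpected: '"
    echo "iptables -A INPUT -i $wan_if -p tcp --dport $CFSERVD_PORT -j DROP"
}

# count_dnat_rules WAN_IF INTERNAL_IP "SRC ..." -> number of DNAT rules,
# i.e. the number of external hosts that are allowed through at all.
count_dnat_rules() {
    cfservd_forward_rules "$1" "$2" "$3" | grep -c 'DNAT'
}

# Example run with constructed values: two permitted external clients.
cfservd_forward_rules eth0 192.168.1.10 "203.0.113.5 203.0.113.6"
```

Pipe the output into a shell once reviewed; the LOG line is the cheap detection hook that tells you when something other than the listed hosts is probing the forwarded port.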


