help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: running cfengine across firewall


From: Tim Nelson
Subject: Re: running cfengine across firewall
Date: Tue, 1 Feb 2005 10:50:29 +1100 (EST)

On Mon, 31 Jan 2005 address@hidden wrote:

I know that many folks think like this -- is it safe to open
your firewall? But do you have any reason that your firewall
software has any fewer bugs than cfengine might have? ;)

        No; probably more.

Ask youself *why* you don't want to open your firewall.

It's all a matter of exposure. The firewall in this case was a Smoothwall (Linux firewall) machine (slightly modified). IIRC, it had no open ports, so the only vulnerabilities in it, if I understand, would be TCP/IP attacks (or possibly iptables) on Linux. And if they allow compromise, I'm in big trouble :). OTOH, if I port-forward the cfservd port (since the network behind was NATed), then the exposure is the same as I originally had, *except* that I also have to worry about cfservd (and bugs in the port-forwarding mechanism). If there's a cfservd hole, sure I have to rebuild some external machines, but I can just rebuild the config from the internal one.

The question is whether I think that there's more risk from allowing access to the internal cfservd, or from the danger of updates not getting pushed through properly. The external cfengine machines, though, could still get their config from the external cfengine server.

I agree, usually pull is better, but I prefer push going from a (supposedly) higher security zone to a lower security zone.

        :)

--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne, Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: address@hidden
http://www.webalive.biz/

"Your Business, Your Web, Your Control"




reply via email to

[Prev in Thread] Current Thread [Next in Thread]