help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: running cfengine across firewall


From: Mark . Burgess
Subject: Re: running cfengine across firewall
Date: Tue, 1 Feb 2005 08:21:14 +0100 (MET)

I understand the argument, but you don't need to expose your
internal machines to anything other than 1 IP adress on the outside.
(Just for the record) That is a very small risk.

Mark


On  1 Feb, Tim Nelson wrote:
> On Mon, 31 Jan 2005 address@hidden wrote:
> 
>> I know that many folks think like this -- is it safe to open
>> your firewall? But do you have any reason that your firewall
>> software has any fewer bugs than cfengine might have? ;)
> 
>       No; probably more.
> 
>> Ask youself *why* you don't want to open your firewall.
> 
>       It's all a matter of exposure.  The firewall in this case was a 
> Smoothwall (Linux firewall) machine (slightly modified).  IIRC, it had no 
> open ports, so the only vulnerabilities in it, if I understand, would be 
> TCP/IP attacks (or possibly iptables) on Linux.  And if they allow 
> compromise, I'm in big trouble :).
>       OTOH, if I port-forward the cfservd port (since the network behind 
> was NATed), then the exposure is the same as I originally had, *except* 
> that I also have to worry about cfservd (and bugs in the port-forwarding 
> mechanism).  If there's a cfservd hole, sure I have to rebuild some 
> external machines, but I can just rebuild the config from the internal 
> one.
> 
>       The question is whether I think that there's more risk from 
> allowing access to the internal cfservd, or from the danger of updates not 
> getting pushed through properly.  The external cfengine machines, though, 
> could still get their config from the external cfengine server.
> 
>       I agree, usually pull is better, but I prefer push going from a 
> (supposedly) higher security zone to a lower security zone.
> 
>       :)
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





reply via email to

[Prev in Thread] Current Thread [Next in Thread]