Re: Cfengine and multiple firewalls/security realms

[Scott Omar Burch]

Christian,

Thanks for your informed response..along with Chip's response I feel 
much better. I figured I would have to work out some sort of in house 
solution to get Cfengine fully functional with our security..despite all 
my observations/issues I don't think I will have too much trouble 
getting everything working in an acceptable manner. The good news is:

1) I maintain our OS images on Solaris and they include many packages I 
built from source to aid in our administration (OpenSSH, Cfengine, 
rsync, curl, wget, screen, star, perl, expect, etc., etc.). We already 
heavily use ssh/rsync with public key authentication. I even have an 
OpenSSH server that uses SecurID as a backend for authentication. I 
follow closely the developments of OpenSSH as that is crucial to our 
environment. In general I've been able to solve many problems that have 
saved us money and time by using Open Source Solutions. I love the 
support and dialogue I end up having with people like you..this is very 
rare in commercially supported software...although there are many 
commercial products that are excellent that we use heavily (Veritas 
Foundation Suite products).

2) I have an excellent working relationship with our firewall admins and 
security architects. I do favors for them and they do favors for me..we 
usually come to consensu on things..especially since we are all very 
concerned about security (host based, firewalls, etc.).

Unfortunately throughout the Cfengine testing I have been busy working 
on several other projects and had someone else doing much of the 
testing..something I wanted to do more directly. I will be getting much 
more involved in the future..at least after I return from USENIX next 
week. I just got the current issue of ;login the other day, but haven't 
had a chance to look at it yet.

Thanks,
Scott

Christian Pearce wrote:
> Scott,
>
> I am currently working with people that have your exact problem.  You
> are not alone.  I would venture to guess that due to the purist inside
> of Mark, I doubt you will see the implementation of a push inside of
> cfengine.  Push in the sense of the Cfengine server opens a connection
> and dumps file on to the Cfengine client.  Not using cfrun.  And I might
> add with good reason.  I believe the security model cfengine implements
> is sound.  Interestingly enough Mark's latest article in Login; touches
> upon security, firewalls and networks.  I didn't finish the article yet,
> but I found it interesting.   Okay enough of that...
>
> Beyond the fact that firewalls are in the way, how do you get cfengine
> to report something back to a man server?  I don't know what you guys
> are doing, but I use SSH Public keys and rsync.
>
> Have said that I now have a way of automating rsyncs the other
> direction.  So I can actually create a Proxy server that sits in the DMZ
> or External network.  I have the main cfengine server rsync via ssh the
> cfengine configuration files to the one of the Proxy servers.  The
> cfengine code is built with the proper class definitions to choose the
> correct Proxy server for performing a cfengine request from a clien in
> the DMZ.  It can download the cfengine files or binary files, etc.
>
> I think this is what Chip eluded to with the Gold Mirror.  Someone else
> said this is a bad idea, but hey what else am I going to do.  This is
> what people have implemented on their network and they have security
> policies.  Sometimes in big companies they can't even control what is or
> isn't open in a firewall.  The funny thing is they have to let backups
> through,  so what is wrong with cfengine?  Regardless this is what I
> do.  Hope this helps.
>
> On Wed, 2004-06-23 at 14:35, Scott Omar Burch wrote:
>
> > Chip,
> >
> > I haven't responded to Tim yet, but I can respond to both of you here. 
> > I'm not sure what Tim is referring to when he says Cfengine can be made 
> > to do a push. I don't believe Cfengine ever does a push..no matter what 
> > you do...clients/servers always pull their configuration from a master. 
> > If you execute cfrun on the policy all that does is cause a remote host 
> > to run cfagent to pull its configuration from the policy server. Sure I 
> > can do an scp of an internal master to an external master, but want 
> > Cfengine to manage its configuration internally..and in our case I can 
> > not simply have one external policy server..as I said before we have 
> > multiple external networks with multiple firewalls. If Cfengine ever 
> > implements the option of pushing rather than pulling then it will be 
> > much easier to handle in our type of environment. Unfortunatley I am not 
> > a programmer, nor do I have the ability myself to fund that type of 
> > change, but I would suspect there are many in the corporate world that 
> > would benefit from code changes that would allow Cfengine to function 
> > without creating holes through firewalls. I realize we have a fairly 
> > complex security design, but I imagine there are many others that 
> > implement similar types of designs.
> >
> > -Scott
> >
> > Chip Seraphine wrote:
> >
> > > On Tuesday 22 June 2004 18:26, Tim Nelson wrote:
> > >
> > >
> > >
> > > >         Well, cfengine can already be set to do push
> > > > [SNIP]
> > > >  Then it does an automatic scp to copy 
> > > > the files in the external directory to the "Gold Mirror" machine.
> > >
> > >
> > > Is  the scp copying the 'push' you refer to?  Or am I missing something?
> >
> >
> > _______________________________________________
> > Help-cfengine mailing list
> > Help-cfengine@gnu.org
> > http://lists.gnu.org/mailman/listinfo/help-cfengine