Re: running cfengine across firewall
From: Mark . Burgess
Subject: Re: running cfengine across firewall
Date: Tue, 1 Feb 2005 08:21:14 +0100 (MET)
I understand the argument, but you don't need to expose your
internal machines to anything other than 1 IP address on the outside.
(Just for the record) That is a very small risk.
Mark
On 1 Feb, Tim Nelson wrote:
> On Mon, 31 Jan 2005 Mark.Burgess@iu.hio.no wrote:
>
>> I know that many folks think like this -- is it safe to open
>> your firewall? But do you have any reason that your firewall
>> software has any fewer bugs than cfengine might have? ;)
>
> No; probably more.
>
>> Ask yourself *why* you don't want to open your firewall.
>
> It's all a matter of exposure. The firewall in this case was a
> Smoothwall (Linux firewall) machine (slightly modified). IIRC, it had no
> open ports, so the only vulnerabilities in it, if I understand, would be
> TCP/IP attacks (or possibly iptables) on Linux. And if they allow
> compromise, I'm in big trouble :).
> OTOH, if I port-forward the cfservd port (since the network behind
> was NATed), then the exposure is the same as I originally had, *except*
> that I also have to worry about cfservd (and bugs in the port-forwarding
> mechanism). If there's a cfservd hole, sure I have to rebuild some
> external machines, but I can just rebuild the config from the internal
> one.
>
> The question is whether I think that there's more risk from
> allowing access to the internal cfservd, or from the danger of updates not
> getting pushed through properly. The external cfengine machines, though,
> could still get their config from the external cfengine server.
>
> I agree, usually pull is better, but I prefer push going from a
> (supposedly) higher security zone to a lower security zone.
>
> :)
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
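As an added example (not from the thread, nor cfengine's own code) of Mark's point that the forwarded cfservd port only needs to be reachable from one outside IP: a POSIX sh script that prints the weak "forward for everyone" iptables rules beside the source-restricted ones and checks that every rule touching the cfservd port is limited to that one peer. Port 5308 is cfengine's registered port; the addresses and interface name are constructed.

```shell
#!/bin/sh
# Constructed values, not from the thread.
EXT_PEER="203.0.113.10"     # the single outside machine allowed to reach cfservd
INT_CFSERVD="192.168.1.5"   # internal cfservd behind the NATing firewall
CF_PORT="5308"              # cfengine's registered port
WAN_IF="eth0"

# Weak variant: the port-forward accepts the whole Internet, which is the
# exposure the thread is worried about.
weak_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $CF_PORT -j DNAT --to-destination $INT_CFSERVD:$CF_PORT" \
    "iptables -A FORWARD -i $WAN_IF -p tcp -d $INT_CFSERVD --dport $CF_PORT -j ACCEPT"
}

# Restricted variant: the source match is on BOTH the DNAT and the FORWARD
# accept, and an explicit DROP follows, so a permissive FORWARD policy or a
# later ACCEPT rule cannot silently widen the exposure again.
restricted_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $WAN_IF -s $EXT_PEER -p tcp --dport $CF_PORT -j DNAT --to-destination $INT_CFSERVD:$CF_PORT" \
    "iptables -A FORWARD -i $WAN_IF -s $EXT_PEER -p tcp -d $INT_CFSERVD --dport $CF_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
    "iptables -A FORWARD -i $WAN_IF -p tcp -d $INT_CFSERVD --dport $CF_PORT -j DROP"
}

# Check to run over a rule set (one iptables command per line on stdin):
# every rule that touches the cfservd port must carry the single-peer source
# match or be a DROP. Returns 0 if the set is restricted, 1 otherwise.
rules_are_restricted() {
  while IFS= read -r rule; do
    case "$rule" in
      *"--dport $CF_PORT"*)
        case "$rule" in
          *"-s $EXT_PEER"*|*"-j DROP"*) ;;
          *) return 1 ;;
        esac ;;
    esac
  done
  return 0
}

# Dry run: print both sets and report which one passes the check.
echo "# weak:";       weak_rules
echo "# restricted:"; restricted_rules
weak_rules | rules_are_restricted       && echo "weak set passes (unexpected)"
restricted_rules | rules_are_restricted && echo "restricted set passes"
```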