Re: running cfengine across firewall
From: Tim Nelson
Subject: Re: running cfengine across firewall
Date: Tue, 1 Feb 2005 10:50:29 +1100 (EST)
On Mon, 31 Jan 2005 Mark.Burgess@iu.hio.no wrote:
> I know that many folks think like this -- is it safe to open
> your firewall? But do you have any reason that your firewall
> software has any fewer bugs than cfengine might have? ;)
No; probably more.
> Ask yourself *why* you don't want to open your firewall.
It's all a matter of exposure. The firewall in this case was a
Smoothwall (Linux firewall) machine (slightly modified). IIRC, it had no
open ports, so the only vulnerabilities in it, if I understand, would be
TCP/IP attacks (or possibly iptables) on Linux. And if they allow
compromise, I'm in big trouble :).

OTOH, if I port-forward the cfservd port (since the network behind
was NATed), then the exposure is the same as I originally had, *except*
that I also have to worry about cfservd (and bugs in the port-forwarding
mechanism). If there's a cfservd hole, sure I have to rebuild some
external machines, but I can just rebuild the config from the internal
one.

The question is whether I think that there's more risk from
allowing access to the internal cfservd, or from the danger of updates not
getting pushed through properly. The external cfengine machines, though,
could still get their config from the external cfengine server.

I agree, usually pull is better, but I prefer push going from a
(supposedly) higher security zone to a lower security zone. :)
--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne,
Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: tim.nelson@webalive.biz
http://www.webalive.biz/
"Your Business, Your Web, Your Control"
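The port-forwarding option discussed in the message above is the point where a practitioner would want to see the exposure kept as narrow as possible: the DNAT to the internal cfservd should accept only the known external cfengine clients, and anything else aimed at that port should be logged and dropped. The script below is an added example, not code from the thread or from the cfengine project. It emits iptables rules rather than applying them, so they can be reviewed first. The cfservd port 5308/tcp (cfengine 2's default), the WAN interface `eth0` and the internal server address `192.168.1.10` are assumptions to be adjusted for the real firewall.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that forward the
# cfservd port through a NAT firewall only from a fixed list of external
# cfengine clients, and log anything else that reaches that port.
# Assumptions (placeholders): cfservd listens on 5308/tcp (cfengine 2
# default), the WAN interface is eth0, the internal cfservd host is
# 192.168.1.10.

CFSERVD_PORT="${CFSERVD_PORT:-5308}"
WAN_IF="${WAN_IF:-eth0}"
INTERNAL_SERVER="${INTERNAL_SERVER:-192.168.1.10}"

# Print the rules instead of applying them; on the firewall, pipe the output
# to sh once it has been reviewed.
cfservd_forward_rules() {
    # $@ = external client addresses allowed to reach cfservd
    [ "$#" -gt 0 ] || { echo "no client addresses given" >&2; return 1; }
    for client in "$@"; do
        # DNAT the cfservd port, but only for this one client address
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $client --dport $CFSERVD_PORT -j DNAT --to-destination $INTERNAL_SERVER:$CFSERVD_PORT"
        # Let the translated connection through the FORWARD chain
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -s $client -d $INTERNAL_SERVER --dport $CFSERVD_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Any other source hitting the cfservd port is logged, then dropped,
    # so unexpected probes show up in the firewall log
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $INTERNAL_SERVER --dport $CFSERVD_PORT -j LOG --log-prefix 'cfservd-denied: '"
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $INTERNAL_SERVER --dport $CFSERVD_PORT -j DROP"
}

# Number of ACCEPT rules that would be emitted: one per allowed client.
count_accept_rules() {
    cfservd_forward_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage: cfservd_forward_rules 203.0.113.5 203.0.113.6
```

Each allowed client gets its own DNAT and ACCEPT pair, so removing a decommissioned external host is a matter of deleting two rules, and the trailing LOG/DROP pair makes it visible when anything other than those hosts tries the port.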