
RE: cfengine, firewall and security


From: Patrice GUERLAIS
Subject: RE: cfengine, firewall and security
Date: Fri, 10 Nov 2000 11:22:45 +0100

Thanks to all for your help.

A small clarification: I don't worry about encryption, but only about closing my
firewall from outside towards inside.

Anyhow, I'm probably going (for the moment) to use 2 cfengine servers, as
Dan suggested:
- a 'full' (say master) server, located inside the firewall
- a 'partial' (say secondary) server, located outside the firewall. It is used
only to have a reference outside the firewall, so the firewall can then be left
closed from outside to inside.
- nothing is done on the secondary server, except using cfrun to synchronize its
outside co-located clients
- all the changes to a configuration are made within the master server, then
they are pushed to the secondary server using rsync or anything like that
- a small daemon can listen on a specific, firewalled port on the secondary
server, just to receive commands from the master server. Those commands will be
things like 'cfrun outside-client1 outside-client2 ...'

Doing so, I don't have to open my firewall from outside to inside, but I can 
keep all my reference data in one place.

Patrice


> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> Sent: Friday, 10 November 2000 08:37
> To: dan_bethe@yahoo.com
> Cc: cbbrowne@hex.net; patrice.guerlais@echo.fr; help-cfengine@gnu.org
> Subject: Re: cfengine, firewall and security
>
>
> On  9 Nov, Dan Bethe wrote:
> >> There seems to me to be considerable merit to the idea of using rsync
> >> to distribute the files; that provides two things:
> >
> >     That's a fine idea, Christopher.  I'd like to add that rsync can use
> > ssh as its transport (--rsh=ssh) and that ssh can use RSA as its
> > authentication method.  But I'm sure you knew that.  :)
> >
>
> I sometimes despair over the popular belief that RSA encryption equals
> security. While I agree that RSA is useful and that rsync is efficient,
> I am not convinced that there is a general understanding of why. As long
> as all source files are coming from a single common, trusted
> host, RSA doesn't provide anything that symmetric encryption does not
> in this case. That is the main reason why this simpler solution was
> used in cfengine. However, in more complex configurations, RSA allows
> multiple distinctions to be made between different trusted hosts.
>
> I take issue with the idea that the only machine you need to worry about
> is the source machine behind the firewall. Once someone is in control
> of any one of your machines, they can do whatever they please. The
> worst (for them) they could do with cfengine would be to actually
> download the "safe" versions of data through the firewall, and configure
> the machine correctly. The best they could do would be to switch off
> cfengine.
>
> In neither case does cfengine offer a route "through" the firewall.
> One could also question the use of encryption for copying public data
> (binaries etc). This is just burning unnecessary CPU cycles.
>
> There are always arguments for using encryption, but my belief is that
> they are usually dominated by encryption-fever and that, if folks
> spent as much time understanding the trust relationships in their
> networks, as they did burning CPU on encryption, their networks
> would be more secure. Encryption protects from so few attacks,
> on the scale of it all, that its mere mention makes me groan these
> days.
>
> It is not my intention to set off a major debate on the use of
> encryption. I just want to point out that this common blind
> trust in RSA is often misguided. It is not the panacea of security.
>
> Mark's cynical spiel....;)
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

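The "small daemon" in Patrice's plan is the piece that deserves the most care: it turns a message from the master server into a command run on the secondary server, so without an allow-list and some authentication it would be an unauthenticated remote command runner listening on the outside host. The example below is added for illustration and is not Patrice's code nor part of cfengine. It only ever relays `cfrun` with client names from a fixed allow-list, never passes the message through a shell, accepts connections only from the master's address, and authenticates each message with an HMAC over a shared secret, which matches Mark's remark that with a single trusted source a symmetric secret is sufficient. The addresses, port, secret and client names are constructed assumptions; the message format `<hex hmac> <command>` is this example's own convention.

```python
"""Command relay for a 'secondary' cfengine server sitting outside the firewall.

Added illustration, not code from the original thread or from cfengine.
Assumptions (not in the original): a shared secret provisioned on both servers,
messages of the form '<hex hmac-sha256> <command>', and a fixed allow-list of
client hostnames that cfrun may be pointed at.
"""
import hashlib
import hmac
import re
import socket
import subprocess
from typing import List, Optional, Set

LISTEN_ADDR = ("10.0.0.2", 5308)   # assumed: inside-facing address of the secondary, arbitrary port
MASTER_ADDR = "10.0.0.1"           # assumed: address of the master server behind the firewall
SHARED_SECRET = b"constructed-example-secret"  # assumed: provisioned out of band, never sent on the wire

# Constructed from the thread's example command; only these names may be handed to cfrun.
ALLOWED_CLIENTS: Set[str] = {"outside-client1", "outside-client2"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def sign(secret: bytes, command: str) -> str:
    """Build the message the master sends: hex HMAC-SHA256 of the command, then the command."""
    mac = hmac.new(secret, command.encode(), hashlib.sha256).hexdigest()
    return f"{mac} {command}"


def verify(secret: bytes, message: str) -> Optional[str]:
    """Return the command text if the MAC is valid, otherwise None."""
    parts = message.split(" ", 1)
    if len(parts) != 2:
        return None
    mac, command = parts
    expected = hmac.new(secret, command.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many digits matched.
    if not hmac.compare_digest(mac, expected):
        return None
    return command


def parse_command(command: str, allowed: Set[str]) -> List[str]:
    """Turn an authenticated command into an argv list, or raise ValueError.

    Only 'cfrun <client> ...' is accepted, and every client must be a plausible
    hostname that is on the allow-list. The result is an argv list, not a shell
    string, so no metacharacter in the message can reach a shell.
    """
    words = command.split()
    if not words or words[0] != "cfrun":
        raise ValueError("only cfrun is relayed")
    clients = words[1:]
    if not clients:
        raise ValueError("no clients named")
    for client in clients:
        if not HOSTNAME_RE.match(client) or client not in allowed:
            raise ValueError(f"client not on the allow-list: {client!r}")
    return ["cfrun", *clients]


def handle_message(secret: bytes, message: str, allowed: Set[str]) -> Optional[List[str]]:
    """Authenticate and validate one message; return argv to run, or None to reject."""
    command = verify(secret, message)
    if command is None:
        return None
    try:
        return parse_command(command, allowed)
    except ValueError:
        return None


def serve() -> None:
    """Accept one connection at a time from the master and run the validated cfrun."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN_ADDR)   # bind to the inside-facing address only, not 0.0.0.0
        srv.listen(1)
        while True:
            conn, (peer_ip, _) = srv.accept()
            with conn:
                if peer_ip != MASTER_ADDR:      # cheap first filter; the HMAC is the real check
                    continue
                data = conn.recv(4096).decode(errors="replace").strip()
                argv = handle_message(SHARED_SECRET, data, ALLOWED_CLIENTS)
                if argv is None:
                    conn.sendall(b"rejected\n")
                    continue
                result = subprocess.run(argv, capture_output=True, text=True)
                conn.sendall(f"exit {result.returncode}\n".encode())


if __name__ == "__main__":
    serve()
```

On the master side, `sign(SHARED_SECRET, "cfrun outside-client1 outside-client2")` produces the line to send. Because the command text is covered by the MAC, a message altered in transit is rejected, and because the daemon never forwards anything but an allow-listed `cfrun`, a replayed message can at worst re-run a synchronization that was already intended. The source-address check is only a convenience filter; the shared secret is what actually ties the daemon to the master.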