On Thu, Feb 10, 2011 at 22:25, John Warburton <jwarbur...@gmail.com> wrote:
> Does anyone have any experiences with puppet in the DMZ they can share?

We looked at how to integrate puppet into a network that needed
medical-in-confidence certification back in Australia, which is probably
about the same level of security control that most business DMZ
deployments realistically need.

In the end I elected that the best path was to have our security plan
permit inbound connectivity from the DMZ for log traffic (via SSL) and
puppet agent-to-master communication. While it was a risk, we could
reasonably bound and manage the security requirements, and the folks we
worked with for audit preparation were happy that this was an acceptable
risk when tightly controlled.

[...]

> I understand that fine, but we use facts quite a bit to get state
> information, so the traditional part of the client/server model where facts
> are shipped back from the client to the puppet server is missing.
>
> How do people get around the "common" rule that DMZ servers should not
> initiate network connections back to the internal network? Should we have a
> puppet server in the DMZ?

If I couldn't have the DMZ talk to my central master then, yes, I would
deploy a second master to the DMZ and use that to manage things.

(Depending on how you architect the DMZ you might find it attractive to use
that as the sole master, or not. We had the capability to "DMZ" any machine
to a VLAN, so there was no reduction in cross-host security for doing this. :)

We found that the utility of dynamic updates and facts, plus stored
configuration, was worth the risk; overall they made it much easier to
control, manage, and secure the systems, and so meet our overall security
goals.

You might ask, if there are concerns, what security analysis is required to
get approval for puppet from the security teams. Typically this turns out to
be pretty easy, in my experience.

Regards,
    Daniel

Now you tell us that you have a SECRET network, of course, and I sympathise
and think of transparent ducting. ;)

-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
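The "tightly controlled" DMZ-to-internal connectivity described in the reply above can be written down as an allow-list and checked against firewall logs. The block below is an added example, not code from this thread or from Puppet Labs. It assumes hypothetical addresses (DMZ on 192.0.2.0/24, internal network on 10.0.0.0/8, a puppet master at 10.0.1.10 and a TLS syslog collector at 10.0.1.20), relies on two defaults that are not in the thread (Puppet's agent-to-master port 8140/tcp and the RFC 5425 syslog-over-TLS port 6514/tcp), and audits constructed firewall log lines against that allow-list. It also renders the same allow-list as iptables FORWARD rules with a default drop, so the audit and the enforcement come from one definition.

```python
"""Audit DMZ -> internal flows against a small allow-list (added example).

Assumed addresses: DMZ is 192.0.2.0/24, the internal network is 10.0.0.0/8,
the puppet master is 10.0.1.10 and the TLS syslog collector is 10.0.1.20.
Ports: 8140/tcp is Puppet's default agent-to-master port; 6514/tcp is
syslog over TLS (RFC 5425). None of these values come from the thread.
"""
from dataclasses import dataclass
import ipaddress
import re

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # assumed DMZ range
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# The only DMZ -> internal flows the security plan permits: (dst, proto, dport)
ALLOWED = {
    ("10.0.1.10", "tcp", 8140),   # puppet agent -> master
    ("10.0.1.20", "tcp", 6514),   # log shipping over TLS
}

# Constructed firewall log lines (not real data), key=value style.
SAMPLE_FLOWS = """\
2011-02-10T22:30:01 src=192.0.2.15 dst=10.0.1.10 proto=tcp dport=8140 action=ACCEPT
2011-02-10T22:30:05 src=192.0.2.15 dst=10.0.1.20 proto=tcp dport=6514 action=ACCEPT
2011-02-10T22:31:12 src=192.0.2.22 dst=10.0.1.20 proto=tcp dport=514 action=ACCEPT
2011-02-10T22:32:40 src=192.0.2.22 dst=10.0.5.7 proto=tcp dport=22 action=ACCEPT
2011-02-10T22:33:00 src=10.0.1.10 dst=192.0.2.15 proto=tcp dport=8140 action=ACCEPT
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one key=value log line into a Flow; raises on malformed input."""
    ts, _, rest = line.partition(" ")
    kv = dict(_FIELD.findall(rest))
    return Flow(
        ts=ts,
        src=ipaddress.ip_address(kv["src"]),
        dst=ipaddress.ip_address(kv["dst"]),
        proto=kv["proto"].lower(),
        dport=int(kv["dport"]),
    )


def is_dmz_to_internal(flow: Flow) -> bool:
    """Only the DMZ -> internal direction is subject to the allow-list."""
    return flow.src in DMZ_NET and flow.dst in INTERNAL_NET


def is_allowed(flow: Flow) -> bool:
    return (str(flow.dst), flow.proto, flow.dport) in ALLOWED


def violations(log_text: str) -> list[Flow]:
    """Return every accepted DMZ -> internal flow that is not on the allow-list.

    Plain syslog (514) and ssh from the DMZ into the internal network are the
    kind of flows this catches; internal -> DMZ traffic is out of scope here.
    """
    bad = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_dmz_to_internal(flow) and not is_allowed(flow):
            bad.append(flow)
    return bad


def render_iptables(allowed=ALLOWED) -> list[str]:
    """Render the allow-list as FORWARD rules: replies, sanctioned NEW flows, DROP.

    The first rule lets reply packets of already-accepted connections through in
    either direction; the per-flow rules only admit NEW connections from the DMZ
    to the named host and port; everything else DMZ -> internal is dropped.
    """
    rules = ["-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    rules += [
        f"-A FORWARD -s {DMZ_NET} -d {dst} -p {proto} --dport {port} "
        f"-m conntrack --ctstate NEW -j ACCEPT"
        for dst, proto, port in sorted(allowed)
    ]
    rules.append(f"-A FORWARD -s {DMZ_NET} -d {INTERNAL_NET} -j DROP")
    return rules


if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("\n".join(render_iptables()))
```

Run against the constructed log, the check reports the plain-syslog and ssh flows as violations and ignores the master-to-agent line because it is not DMZ-initiated; the rendered rules are the minimal enforcement of the same list, which is what an auditor asking "what exactly can the DMZ reach?" wants to see.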