On Thu, Feb 10, 2011 at 22:25, John Warburton <jwarbur...@gmail.com> wrote:

> Does anyone have any experiences with puppet in the DMZ they can share?

We looked at how to integrate puppet into a network that needed
medical-in-confidence certification back in Australia, which is
probably about the same level of security control that most business
DMZ deployments realistically need.

In the end I elected that the best path was to have our security plan
permit inbound connectivity from the DMZ for log traffic (via SSL) and
puppet agent to master communication.  While it was a risk, we could
reasonably bound and manage the security requirements, and the folks
we worked with for audit preparation were happy that this was an
acceptable risk when tightly controlled.

[...]

> I understand that fine, but we use facts quite a bit to get state
> information, so the traditional part of the client server/model where facts
> are shipped back from the client to the puppet server is missing.
>
> How do people get around the "common" rule that DMZ servers should not
> initiate network connections back to the internal network? Should we have a
> puppet server in the DMZ?

If I couldn't have the DMZ talk to my central master then, yes, I
would deploy a second master to the DMZ and use that to manage things.
 (Depending on how you architect the DMZ you might find it attractive
to use as the sole master, or not.  We had the capability to "DMZ" any
machine to a VLAN, so there was no reduction in cross-host security
for doing this. :)

We found that the utility of dynamic updates and facts, plus stored
configuration, was worth the risk; overall they made it much easier to
control, manage, and secure the systems, and so meet our overall
security goals.

You might ask, if there are concerns, what security analysis is
required to get approval for puppet from the security teams.
Typically this turns out to be pretty easy, in my experience.

Regards,
    Daniel

Now you tell us that you have a SECRET network, of course, and I
sympathise and think of transparent ducting. ;)
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
