On Fri, Feb 11, 2011 at 00:40, Thorsten Biel <thorsten.b...@porsche.de> wrote:
> On Feb 11, 2011, at 07:25, John Warburton wrote:
>
>> Does anyone have any experiences with puppet in the DMZ they can share?
[…]
>> How do people get around the "common" rule that DMZ servers should not
>> initiate network connections back to the internal network? Should we have a
>> puppet server in the DMZ?
>
> Another approach is to use SSH tunnels. Use autossh to initiate SSH
> connections from your puppetmaster to each client.
>
> The SSH tunnels open port 8140 on localhost on the client, allowing puppet on
> the
> client to tunnel back to the master.
>
> Not the most efficient approach, but easier to implement than a slave master.
> I have about 50 DMZ clients running this way.
I am rather surprised: wouldn't your network security folks and
auditors go absolutely ape when they discovered that you had punched a
hole through their firewall to allow connections from the DMZ to a
secure network without going through the appropriate security analysis
process?
Anyway, I guess my point is that while this would probably work I
can't really see why it would bring any benefit compared to just
punching the hole through the firewall directly: Puppet uses SSL
secured communication, and validates the identity at both ends, so you
have no more or less exposure than with this mechanism, so far as I
can see?
Regards,
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
