On Feb 11, 2011, at 20:00, Daniel Pittman wrote:

> On Fri, Feb 11, 2011 at 00:40, Thorsten Biel <thorsten.b...@porsche.de> wrote:
>> On Feb 11, 2011, at 07:25, John Warburton wrote:
>>
>>> How do people get around the "common" rule that DMZ servers should not
>>> initiate network connections back to the internal network? Should we have a
>>> puppet server in the DMZ?
>>
>> Another approach is to use SSH tunnels. Use autossh to initiate SSH
>> connections from your puppetmaster to each client.
>
> I am rather surprised: wouldn't your network security folks and
> auditors go absolutely ape when they discovered that you had punched a
> hole through their firewall to allow connections from the DMZ to a
> secure network without going through the appropriate security analysis
> process?
That's where IT and medicine are sometimes similar: ask 3 experts and you
get 3 different recommendations. :)

But to get back to the point: no, they aren't going ape. Why should they?

> Anyway, I guess my point is that while this would probably work I
> can't really see why it would bring any benefit compared to just
> punching the hole through the firewall directly: Puppet uses SSL
> secured communication, and validates the identity at both ends, so you
> have no more or less exposure than with this mechanism, so far as I
> can see?

It boils down to the question of whether you allow DMZ servers to initiate
connections into the internal (secure) zone or not.

As this could turn into a lengthy mail exchange, how about we discuss it at
Puppet Camp Europe?

Cheers,
Thorsten
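The reverse-tunnel arrangement Thorsten describes (the puppetmaster opens the SSH session towards each DMZ client, and the agent then talks to a local port that is forwarded back to the master) is sketched below as an added example. It is not code from the thread, from Puppet, or from autossh; the hostnames, the tunnel user, the key and known_hosts paths, the Puppet port and the puppet.conf setting names are assumptions, and the `permitlisten` key option needs OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example, not from the thread: reverse SSH tunnel so that the TCP
# session the firewall sees is opened from the internal puppetmaster to the
# DMZ agent, while Puppet traffic flows agent -> 127.0.0.1:8140 -> master:8140.
# Hostnames, the tunnel user, key paths and the Puppet port are assumptions.

MASTER_PORT=8140
TUNNEL_USER=puppet-tunnel                    # unprivileged account on the DMZ host
TUNNEL_KEY=/etc/puppet/tunnel/id_ed25519      # master's client key, no passphrase
KNOWN_HOSTS=/etc/puppet/tunnel/known_hosts    # pinned host keys of the DMZ agents

# Run on the puppetmaster (internal zone), one instance per DMZ agent.
# -R binds 127.0.0.1:8140 on the DMZ host and forwards it to the master's
# own 8140. -M 0 disables autossh's monitor port and leaves liveness to the
# ServerAlive options; ExitOnForwardFailure makes autossh retry instead of
# sitting there with a dead forward. Host keys are pinned so a rogue host
# in the DMZ cannot stand in for the agent and receive the forward.
tunnel_cmd() {
    echo autossh -M 0 -N -T \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -i "$TUNNEL_KEY" \
        -R "127.0.0.1:$MASTER_PORT:127.0.0.1:$MASTER_PORT" \
        "$TUNNEL_USER@$1"
}

# Foreground start; run it under whatever supervisor keeps long-lived
# daemons alive on the master (init script, systemd unit, cron @reboot).
start_tunnel() {
    eval "$(tunnel_cmd "$1")"
}

# authorized_keys entry for $TUNNEL_USER on the DMZ host. 'restrict' turns
# off shell, pty, agent/X11 forwarding and port forwarding; 'port-forwarding'
# re-enables only that, and 'permitlisten' pins it to the single listener
# the tunnel needs. The argument is the contents of the master's .pub file.
authorized_keys_line() {
    pubkey="$1"
    echo "restrict,port-forwarding,permitlisten=\"127.0.0.1:$MASTER_PORT\" $pubkey"
}

# puppet.conf fragment for the DMZ agent ('masterport' is the setting name
# of the Puppet versions current in 2011; newer releases call it serverport).
# Keep 'server' set to the master's real name so the master's certificate
# still validates against the name the agent dials; map that name to the
# local tunnel end in /etc/hosts rather than setting server = localhost.
agent_conf() {
    master_name="$1"
    printf '[agent]\n    server = %s\n    masterport = %s\n' "$master_name" "$MASTER_PORT"
}

# /etc/hosts line for the DMZ agent, pointing the master's name at the tunnel.
hosts_line() {
    echo "127.0.0.1 $1"
}
```

What changes is only the direction of the session the firewall has to permit: internal to DMZ on tcp/22 instead of DMZ to internal on tcp/8140. Once the tunnel is up, anything running on the DMZ host, including an intruder who has taken it over, can reach the master's 8140 through it, so the master must still treat that port as exposed to the DMZ and rely on the certificate checks Daniel mentions. The `restrict`/`permitlisten` entry limits what the master's key can do on the DMZ host, not what the DMZ host can send through the forward.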