On Mon, Feb 14, 2011 at 01:35, Thorsten Biel <thorsten.b...@porsche.de> wrote:
> On Feb 11, 2011, at 20:00, Daniel Pittman wrote:
>> On Fri, Feb 11, 2011 at 00:40, Thorsten Biel
>> <thorsten.b...@porsche.de> wrote:
>>> On Feb 11, 2011, at 07:25, John Warburton wrote:
>>>
>>>> How do people get around the "common" rule that DMZ servers should not 
>>>> initiate network connections back to the internal network? Should we have 
>>>> a puppet server in the DMZ?
>>>
>>> Another approach is to use SSH tunnels. Use autossh to initiate SSH
>>> connections from your puppetmaster to each client.
>>
>> I am rather surprised: wouldn't your network security folks and
>> auditors go absolutely ape when they discovered that you had punched a
>> hole through their firewall to allow connections from the DMZ to a
>> secure network without going through the appropriate security analysis
>> process?
>
> That's where IT and medicine are sometimes similar : ask 3 experts and
> you get 3 different recommendations. :)
>
> But to get back to the point: no, they aren't going ape. Why should they?

Because using SSH to create a tunnel that allows servers in the DMZ to
connect to the internal network is often considered a problem. :)

[…]

> It boils down to the question of whether you allow DMZ servers to initiate
> connections into the internal (secure) zone or not.

I think we are in agreement there, and I agree that this is probably
the end of the value in the discussion.  So, having explained why I
see the issue, I am happy to, if we still do, agree to disagree. :)

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
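
The tunnel Thorsten describes, and the reason Daniel objects to it, as an added example that is not part of the thread and not Puppet Labs' or autossh's own documentation. The host names puppetmaster.internal and dmz01.example.com, the ssh user `tunnel`, the master address 10.0.0.5 and the key text are assumptions; 8140 is puppet's default master port. The `forward_direction` helper parses an ssh `-L`/`-R` spec and states which side ends up listening and where the traffic comes out, which is the whole point of the disagreement: with `-R`, the firewall only ever sees master -> DMZ:22, yet a process on the DMZ node can now open a connection that emerges on the internal network.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed names:
#   puppetmaster.internal  puppet master inside the secure zone (10.0.0.5)
#   dmz01.example.com      managed node in the DMZ
#   tunnel                 unprivileged ssh user on the DMZ node

# For an ssh forward spec of the form [bind_address:]port:host:hostport,
# with the ssh client running on the internal master and sshd on the DMZ
# node, report who listens and from which side the destination is reached.
forward_direction() {
    flag=$1 spec=$2
    case $spec in
        *:*:*) ;;
        *) printf 'bad forward spec: %s\n' "$spec" >&2; return 1 ;;
    esac
    hostport=${spec##*:}            # last field
    rest=${spec%:*}
    host=${rest##*:}                # second to last field
    rest=${rest%:*}
    port=${rest##*:}                # listen port (bind address, if any, dropped)
    case $flag in
        -L) printf 'listens on internal-master:%s, connects to %s:%s from the dmz-node side\n' \
                "$port" "$host" "$hostport" ;;
        -R) printf 'listens on dmz-node:%s, connects to %s:%s from the internal-master side\n' \
                "$port" "$host" "$hostport" ;;
        *)  printf 'unknown flag: %s\n' "$flag" >&2; return 1 ;;
    esac
}

# The master dials out and asks the DMZ sshd to listen on 127.0.0.1:8140,
# relaying whatever connects there back to the master's own 8140. The
# destination is pinned to the master's loopback on purpose: a compromised
# DMZ node gets a path to the puppet port only, not to arbitrary internal
# hosts. -M 0 turns off autossh's monitor port in favour of ServerAlive
# keepalives; ExitOnForwardFailure makes autossh retry if the listener is
# already taken.
tunnel_command() {
    node=$1
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:8140:127.0.0.1:8140 tunnel@%s\n' "$node"
}

# authorized_keys entry for the master's tunnel key on the DMZ node: from=
# pins the key to the master's address and the no-* options deny a usable
# session, so a stolen key yields nothing beyond the forward itself.
authorized_key_line() {
    master_ip=$1 pubkey=$2
    printf 'from="%s",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc %s\n' \
        "$master_ip" "$pubkey"
}

# DMZ-side agent settings, written under the directory given as $1. The
# agent must still see the master's certificate name, so the name is pinned
# to loopback in hosts rather than setting server = localhost.
write_dmz_node_config() {
    root=$1
    mkdir -p "$root/etc/puppet"
    printf '[agent]\nserver = puppetmaster.internal\n' > "$root/etc/puppet/puppet.conf"
    printf '127.0.0.1 puppetmaster.internal\n' > "$root/etc/hosts"
}
```

Run `forward_direction -R 127.0.0.1:8140:127.0.0.1:8140` to see the direction in words: the DMZ node is the listener and the connection is made from the master's side, which is exactly the DMZ-to-internal path the firewall rule is meant to forbid, just carried inside an outbound SSH session.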

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
