puppet in the dmz?
56 views
Skip to first unread message
Jason McMahan
Aug 23, 2017, 2:20:35 PM8/23/17
to Puppet Users
Good day,
We are looking at managing our infrastructure in the dmz as we do our internal nodes with puppet.
We are running multiple masters with foreman as our enc. R10k ensure the manifests on all masters are updated regularly.
Does anyone have suggestion to integrate the dmz into our current layout as well as ensure security?
We have mainly windows machines, with a handful of linux ones in the dmz.
Thoughts have been, place a master in the dmz all agents talk to that master. But then what should we do? Have a connection to puppetdb internal?
Create a copy of what we have internal in the dmz? That is the least favorable option.
Any help of input is greatly appreciated.
Thank you
Rob Nelson
Aug 23, 2017, 3:09:02 PM8/23/17
to puppet...@googlegroups.com
Jason,
I think the most reasonable compromises that maintain the `puppet agent` workflow you likely use are either A) placing an additional master in the DMZ and have the agents connect to it or B) have the agents connect to the existing master in the LAN on port 8140/tcp. In scenario A, you could push code to the master through Code Manager (PE) or use r10k to fetch it from appropriate sources - this would be your one DMZ->LAN connection - and the agent traffic never hits the LAN. In scenario B, all the agents do have to contact the LAN, but they do it on a single port and using SSL, mitigating your risk.
Security methodology for DMZs varies quite a bit for different companies. In some, there are ZERO connections from DMZ to LAN, in others it's just restricted to acceptable levels of risk. With Puppet, there's no full-blown Push method I'm aware of that you can use (you could possibly combine some sort of LAN->DMZ push of code and run `puppet apply` as a scheduled task/cronjob, but getting code to nodes isn't part of Puppet).
I think the most reasonable compromises that maintain the `puppet agent` workflow you likely use are either A) placing an additional master in the DMZ and have the agents connect to it or B) have the agents connect to the existing master in the LAN on port 8140/tcp. In scenario A, you could push code to the master through Code Manager (PE) or use r10k to fetch it from appropriate sources - this would be your one DMZ->LAN connection - and the agent traffic never hits the LAN. In scenario B, all the agents do have to contact the LAN, but they do it on a single port and using SSL, mitigating your risk.
A (IMO) less secure scenario C that some companies entertain would be a multi-homed node, in this case your DMZ master having a second connection to the LAN so it doesn't go through the firewall, but I dislike that. It maintains the letter of the rule of no sessions from the DMZ communicating through the firewall to the LAN, but violates the spirit of the rule by creating a bridge between the segments without the firewall policy to minimize risk.
Most places I've been at would accept the risk of agents talking to the master only (scenario B); a few would prefer an additional DMZ master and accept the overhead (scenario A); only one would take scenario C and it's no coincidence that I quit that company in a hurry :)
Hope that helps.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3abd0b97-ed16-407c-98a1-4476be75358a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages