Forum: CFEngine Help
Subject: Re: Thoughts of encrypting the entire Cfengine workspace?
Author: mikesphar
Link to topic: https://cfengine.com/forum/read.php?3,25714,25718#msg-25718
It would seem to me that servers in a DMZ environment should probably be served by a private cfengine infrastructure dedicated exclusively to the DMZ, and only containing policies relevant to the DMZ machines. You shouldn't have your internal DNS or user information accessible from within the DMZ if you can help it; it makes sense that your internal cfengine promises shouldn't be in the DMZ either.

I can even imagine a scenario where the DMZ servers don't do policy updates at all, since that would require an inbound connection from the DMZ, but would instead have policy files pushed to them via some other external process. Cfengine on those DMZ servers would effectively just be running off of local policy files.

The problem I see with encryption is the local machine has to have a way to decrypt the files, thus someone who has compromised the machine is likely to have a way to decrypt the files, or to at least observe the process of cfagent decrypting the files. Even if you allow cfagent to negotiate decryption with the cfserver, the hacker can monitor *that* exchange. And because you had to allow inbound connections from cfagent to cfserver, the hacker has an attack vector on the cfserver now as well. At some point cfagent decrypts the policy files into local memory at least, at which point the hacker can get at them, no?

We're essentially talking about applying DRM to policy files. We know how effective DRM is against determined hackers, right?