Google does this on a massive scale for the laptops they give to employees. Many of the details are in http://research.google.com/pubs/pub43231.html
The key points are:

1. SSL only. All else is firewalled off. (External clients actually talk to a load balancer that is locked down and only forwards SSL-authenticated connections to the master.)
2. Don't autosign your certs.
3. When you sign certs, actually check the fingerprints.
4. The server cert AND the client cert must be signed (puppet cert takes care of that for you).

Tom (not a google employee, not speaking for google)

On Thu, Jul 2, 2015 at 3:51 PM, Nik Haldimann <n...@placemeter.com> wrote:
> Hi
>
> I have a fleet of headless devices to manage that are going to be deployed all over the place on various networks but connected to the public internet. I'm evaluating if it would make sense to manage them through puppet. I am able to run the puppet agent on the devices and I seem to be able to do things I would want to do, so on the surface this seems like a good idea.
>
> However, my impression is that a puppet master is usually deployed within a private network (e.g., internal to a data center or as part of a private VPC subnet on AWS). For my use case I would have to open the master to the public internet. What are the implications of this? Is this recommended or not? Are there specific settings I should be watching out for to make this secure?
>
> Nik
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/081d9674-434b-4057-b2b7-1c02ecb91d40%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Email: t...@whatexit.org
Work: tlimonce...@stackoverflow.com
Skype: YesThatTom
Blog: http://EverythingSysadmin.com
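Tom's third point (actually check the fingerprint before signing) as a small CA-side gate script. This is an added example, not code from the thread or from Puppet itself; it assumes the device's fingerprint (from `puppet agent --fingerprint`) reaches the CA operator over a trusted channel, that both values are SHA256 digests, and the helper names `normalize_fp`, `fingerprint_matches` and `approve_csr` are hypothetical.

```sh
#!/bin/sh
# Added example: gate `puppet cert sign` on an out-of-band fingerprint check.
# Assumes the CA operator has the agent's fingerprint (from `puppet agent
# --fingerprint` on the device) via a trusted channel as EXPECTED, and the
# CSR fingerprint shown by `puppet cert list` as ACTUAL; both are SHA256.

# Normalize a fingerprint so copy-pasted values compare equal: drop an
# algorithm prefix such as "(SHA256) ", strip colons/spaces, lowercase.
normalize_fp() {
    printf '%s' "$1" \
        | sed -e 's/^([A-Za-z0-9]*) *//' -e 's/[: ]//g' \
        | tr 'A-F' 'a-f'
}

# Succeeds (exit 0) only when both values are the same 64-hex-digit
# SHA256 digest; an empty, truncated or non-hex value never matches.
fingerprint_matches() {
    exp=$(normalize_fp "$1")
    act=$(normalize_fp "$2")
    case "$exp" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    if [ "${#exp}" -eq 64 ] && [ "$exp" = "$act" ]; then
        return 0
    fi
    return 1
}

# approve_csr <certname> <expected-fp> <csr-fp> [sign-command]
# Signs only on a fingerprint match. The signer defaults to
# `puppet cert sign` (Puppet 3/4 CLI); it is a parameter so the gate
# can be exercised without a Puppet CA present (hypothetical helper).
approve_csr() {
    name=$1; expected=$2; actual=$3; signer=${4:-puppet cert sign}
    if fingerprint_matches "$expected" "$actual"; then
        $signer "$name"
    else
        echo "REFUSING to sign $name: fingerprint mismatch" >&2
        return 1
    fi
}
```

Run it as `approve_csr <certname> "<fingerprint read back from the device owner>" "<fingerprint from puppet cert list>"`; a single differing hex digit, an empty value or a truncated paste all refuse to sign.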