On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote: > > I probably don't really understand much about how puppet connects to the > clients, but is there a big security risk about opening it up to the > internet so laptops can get their configuration... If it's "safe enough" > for any value of safe, what ports does it use? > > Thanks, >
In normal operation, Puppet (the master) *doesn't* connect to clients -- the clients connect to it (on port 8140), thereby establishing a two-way communication channel. Client-side firewalls need to allow outgoing traffic to that port, and accept incoming traffic belonging to an established connection to that port. Those permissions can be narrowed to specific destination networks or machines, if needed. For its part, the master needs to accept connections on port 8140 from all client machines; that can be narrowed to traffic originating on specific networks, if you wish. Each end of the conversation between agent and master authenticates to the other via SSL certificate. Spencer understated the security there: on the web, most SSL connections are authenticated only on one end, so Puppet's communications are even better secured. With that said, if you want laptops in the field to be able to retrieve their configuration, then you have the alternative of requiring them to establish a VPN connection to your internal network in order to do so (especially if users will want / need to use VPN anyway), or of just letting them go without syncing until they return home. The Puppet service itself is pretty well secured, but allowing connections from anywhere on the internet increases your exposure to network-level attacks. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
