Background:
I am finally setting aside some time to join the 21st Century and look at Puppet.
As it stands today we version control all server configurations in a repository that is held internally at the office. When an update needs making, the changes are checked back into the repos and manually pushed out to the machine in question. This usually means SFTP'ing to the remote machine and then moving files into place, with the relevant permissions, from a shell.
So I am hopeful that Puppet is going to be a simple yet amazing extension to what we already have.
Now I consider the process that we currently have to be reasonably secure, on the assumption that our internal network will always be relatively more secure than the public networks in our datacentres.
The process is always one way. Changes traverse from a secure environment to insecure and never the other way round.
The master store is in the safest possible place. The risk of compromise, either by stealing configurations or sending out malicious modifications, is greatly reduced.
Question:
From what I understand of the Puppet server/client model, the clients poll and pull updates down directly from the server. The traffic is SSL wrapped so cannot be intercepted or spoofed. But it differs from what we currently do because the Puppet server[s] would need to be hosted in a public location. Either centrally, or one for each datacentre site that we maintain.
So I am wondering:
Am I being unnecessarily paranoid about the change from push to pull?
Am I being unnecessarily paranoid about centrally storing all of that information on a public network?
How are others maintaining multiple networks - separate server for each site?
Update 30/07/09:
I guess that one of my other big concerns is placing so much trust in a single machine. The puppetmaster(s) would be firewalled, secured and such. But even so any public machine with listening services has an attack surface of a certain size.
Presumably if the master has permission to update any file on any one of the puppet clients, then its compromise would ultimately result in the compromise of all its clients. The "keys to the kingdom" so to speak.
Is that hypothesis correct?
Is there any way that it can be mitigated?