Deployment Architecture

Deployment Server Communication

wilhelmF
Path Finder

Hi is it possible to turn the communication meaning rather than the forwarder is polling the deployment server, the deployment server is polling the forwarder if he needs new apps. This is a request from security.

0 Karma

micahkemp
Champion

No. The deployment server can not push to forwarders. The forwarders pull from the deployment server.

If you need the opposite functionality you would need to look into using some other type of automated deployment management, potentially like Ansible or Puppet.

nickhills
Ultra Champion

In the context of the question i think the terms push/pull are confusing and become moot.

I think @wilhelmF is coming at this from the position: If a wouldbe miscreant could compromise the DS, he can onward compromise all the clients without further lateral movement - this is because the clients 'trust' the DS.
On the other hand, by reversing the process, a single compromised client, can extend its reach no further, as no other clients nor deployment server trust it.

Puppet and Ansible still have the same security cascade issue as the DS, except the authentication is reversed - the server has to authenticate to prove it has appropriate permissions.

My comment above was to highlight that its not the direction of the push/pull which should be of concern, but the authentication and defence around those sensitive management assets. - whilst its always a good idea to lock your front door, don't be surprised if someone climbs through an open window.
With this in mind, I know I would rather manage one house, rather than a whole street. 🙂

If my comment helps, please give it a thumbs up!

teunlaan
Contributor

Don't think it is possible.

How does the deployment server know there is a new forwarder installed?

0 Karma

nickhills
Ultra Champion

Having clients phone home to a single server which you can verify with a certificate is a far more secure means of operating than the inverse.

I think you should take the opportunity to explain to security how the DS/DC architecture works, and why their request would be counter productive from an overall security standpoint.
(ie, one remote system with which to confirm identity, versus hundreds or even thousands)

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...