From: Rahul on 11 Jan 2010 16:37

I was curious what was the dominant thinking about security. Here's my situation: I have about 100 servers coming up for a computational cluster. The access required is mainly ssh and a couple of other services. We know specific IP addresses or domains that ought to be allowed access.

Either I can have a single firewall protecting them or firewalls that run on each machine. I have always relied on the single firewall solution. But that exposes one to the single-point-of-failure arguments.

What's the dominant thinking about this kind of security? If one has 100 identical machines, is it better to secure one "access machine" or them independently? Of course, each machine has the usual secure passwords etc., but this question is for precautions above that level. Maybe this is too philosophical and lacks a generic answer....

-- Rahul
From: notbob on 11 Jan 2010 17:36

On 2010-01-11, Rahul <nospam(a)nospam.invalid> wrote:

> Either I can have a single firewall protecting them or firewalls that run
> on each machine.....

You need to get a good overall view of what "firewalls" are about. The best I've ever seen on this particular subject is Building Internet Firewalls by O'Reilly. It's about the overall firewall security concept more than naming a single firewall application or product. I didn't find it on their website, so maybe the book is no longer in print, but here is a piece of it:

http://oreilly.com/catalog/fire/chapter/ch04.html

Some of their old books are available online. Look around. Buying it used from ebay or amazon would be worth your while.

HTH.

nb
From: Sylvain Robitaille on 12 Jan 2010 11:00

On Mon, 11 Jan 2010 21:37:34 +0000 (UTC), Rahul wrote:

> I have about 100 servers coming up for a computational cluster. The
> access required is mainly ssh and a couple of other services. We know
> specific IP addresses or domains that ought to be allowed access.
>
> Either I can have a single firewall protecting them or firewalls that
> run on each machine. I have always relied on the single firewall
> solution. But that exposes one to the single-point-of-failure
> arguments.

The typical approach, with HPC compute clusters, is to have the compute nodes all on an isolated private network reachable only via the head or login node(s). Protect the login node(s) as you would any other that provides that type of service to your user community. Protect your head node(s) as you would any other system providing remote services for your user community. If the head node(s) is/are also the login node(s), adjust that protection accordingly.

The compute nodes, then, are primarily raw CPU power. Users shouldn't actively login to them at all.

> What's the dominant thinking about this kind of security? If one has
> 100 identical machines is it better to secure one "access machine" or
> them independently.

Don't look at it as 100 identical systems, because that isn't what it is. Look at it as 1 system, with certain known points of access (head node(s), login node(s)). Protect those points of access as appropriate for your organization.

--
Sylvain Robitaille syl(a)encs.concordia.ca
Systems analyst / AITS
Concordia University, Faculty of Engineering and Computer Science
Montreal, Quebec, Canada
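A concrete version of the layout Sylvain describes, written as an added example for this thread and not taken from any of the posters: an nftables ruleset for the login node (ssh only from the known source addresses on the public side, everything from the private cluster network, no forwarding) beside a host ruleset for a compute node (nothing but cluster traffic). The addresses, interface names and the `nft -c -f -` syntax check are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: nftables rulesets for the two roles in an HPC cluster.
# Address and interface values are placeholders (RFC 5737 / RFC 1918), not from the thread.
ALLOWED_SRC="203.0.113.10, 198.51.100.0/24"   # known admin/user source addresses
CLUSTER_NET="10.10.0.0/16"                     # isolated private compute network
EXT_IF="eth0"                                  # login node, public-facing interface
CLUSTER_IF="eth1"                              # login node, private-side interface

# login_ruleset: head/login node. New ssh sessions only from the allow list on
# the public interface; anything from the cluster network; forward chain drops
# so a compute node cannot reach the outside through the login node.
login_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    iifname "$CLUSTER_IF" ip saddr $CLUSTER_NET accept
    iifname "$EXT_IF" ip saddr { $ALLOWED_SRC } tcp dport 22 ct state new accept
    iifname "$EXT_IF" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# compute_ruleset: per-host layer on a compute node. It should never see a
# packet from outside the cluster network; dropping everything else keeps
# the node closed even if the perimeter on the login node is misconfigured.
compute_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr $CLUSTER_NET accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Syntax-check a generated ruleset without applying it (assumes nft reads "-" as stdin).
check_ruleset() { command -v nft >/dev/null 2>&1 && "$1" | nft -c -f - ; }
```

Apply with `login_ruleset | nft -f -` on the login node and `compute_ruleset | nft -f -` on each compute node, after `check_ruleset login_ruleset` passes.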
From: Rahul on 13 Jan 2010 01:21

Sylvain Robitaille <syl(a)alcor.concordia.ca> wrote in news:slrnhkp74t.sth.syl(a)charlotte.encs.concordia.ca:

> On Mon, 11 Jan 2010 21:37:34 +0000 (UTC), Rahul wrote:
>
>> What's the dominant thinking about this kind of security? If one has
>> 100 identical machines is it better to secure one "access machine" or
>> them independently.
>
> Don't look at it as 100 identical systems, because that isn't what it
> is. Look at it as 1 system, with certain known points of access (head
> node(s), login node(s)). Protect those points of access as appropriate
> for your organization.

Thanks for your thoughts Sylvain! You make me feel more confident. On all past clusters I have done exactly what you said: used private IPs and protected all compute nodes. Access came via a single, protected login node which had outside access. Unfortunately this time I had a co-sysadmin (more "senior" than me) on the project who was trying to convince me otherwise. I was skeptical but, to be fair to him, wanted to get more opinions.

Out of curiosity though: how does one apply the same argument to a non-HPC setting? Say I had 100 workstations I was buying. How does one justify a perimeter firewall against protecting each machine individually?

-- Rahul
From: Jeremy Nicoll - news posts on 13 Jan 2010 08:56

Rahul <nospam(a)nospam.invalid> wrote:

> Out of curiosity though: how does one apply the same argument to a non-HPC
> setting. Say I had 100 workstations I was buying. How does one justify a
> perimeter firewall against protecting each machine individually?

Some of this argument is going to depend on physical security. If the 100 machines are in a locked room with no chance of anyone installing anything on them, or changing their configurations, it's a different ballgame from having the machines open-access. If they're open-access I'd trust no machine.

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply to newsreplynnn(a)wingsandbeaks.org.uk replacing "nnn" by "284".