[Beowulf] Intra-cluster security

Leif Nixon nixon at nsc.liu.se
Mon Sep 14 00:45:42 PDT 2009


Joe Landman <landman at scalableinformatics.com> writes:

> Leif Nixon wrote:
>> Joe Landman <landman at scalableinformatics.com> writes:
>>
>>> I won't fisk this, other than to note most of the exploits we have
>>> cleaned up for our customers, have been Windows based attack vectors.
>>> Contrary to the implication here, the ssh-key attack vector, while a
>>> risk, isn't nearly as dangerous as others, in active use, out there.
>>
>> I'm really hoping you aren't accusing me of security theatre.
>
> Nope.  I thought I made it clear that I wasn't (and if not, then let
> me re-iterate that I am not accusing you of this).

Good. 8^)

> I am noting that there may be something of an overhyping of this
> vulnerability from where we sit.  YMMV.

Well, it *is* being actively exploited on a big scale. It's not just a
theoretical thing.

> Likely it is a difference.  Most attacks we see are Windows related,
> exploiting the inherent weakness of that platform, and its relative
> ease of compromise in order to compromise harder to take down systems.
> Why break through the heavily fortified door when the window (pun
> un-intended) is so easy to crack?  This is the nature (outside of
> incessant ssh probes) of all of the exploits we have seen be
> successful at our customers' sites.

That's interesting. I haven't seen many cross-OS attacks. My theory has
always been that the mainstream Windows evil-doer has lots and lots of
easy targets, and there is no point for him to spend the energy to learn
how to attack these weird Linux clusters. I can't say I'd love to be
proven wrong. 8^) 8^/

> I wrote up a whole series of posts on it, detailing everything (apart
> from the victim's name/id/location/university) so that some others
> could learn and protect themselves.  My descriptions managed to get me
> ... moderated ... by someone who claimed I was being alarmist ... for
> posting the gory details and making suggestions to the same community
> on how to avoid it.

Too bad. The community needs more war stories. There is too much
covering up.

> I am simply saying that what we see may be different, and that I hear
> far too much "one-size-fits-all" security prescriptions, that often
> fail to deter attacks, and provide what I think is a false sense of
> security if you follow that and ignore the other issues.  I see too
> much of "if we install a firewall, we will be secure" mindset running
> about.

Exactly. Or, on the other hand, "firewalls are an inherently bad
solution; all endpoints should be properly secured and should not have
to rely on a firewall."

Rigid dogma is always bad.

(Except, of course, when it comes to DELETING ALL THOSE PASSPHRASE-LESS
KEYS!)

-- 
                               / Swedish National Infrastructure for Computing
Leif Nixon - Security officer <  National Supercomputer Centre
                               \ Nordic Data Grid Facility


