[Beowulf] Intra-cluster security
nixon at nsc.liu.se
Mon Sep 14 00:45:42 PDT 2009
Joe Landman <landman at scalableinformatics.com> writes:
> Leif Nixon wrote:
>> Joe Landman <landman at scalableinformatics.com> writes:
>>> I won't fisk this, other than to note most of the exploits we have
>>> cleaned up for our customers, have been windows based attack vectors.
>>> Contrary to the implication here, the ssh-key attack vector, while a
>>> risk, isn't nearly as dangerous as others, in active use, out there.
>> I'm really hoping you aren't accusing me of security theatre.
> Nope. I thought I made it clear that I wasn't (and if not, then let
> me re-iterate that I am not accusing you of this).
> I am noting that the there may be something of an overhyping of this
> vulnerability from where we sit. YMMV.
Well, it *is* being actively exploited on a big scale. It's not just a
> Likely it is a difference. Most attacks we see are windows related,
> exploiting the inherent weakness of that platform, and is relative
> ease of compromise in order to compromise harder to take down systems.
> Why break through the heavily fortified door when the window (pun
> un-intended) is so easy to crack? This is the nature (outside of
> incessant ssh probes) of all of the exploits we have seen be
> successful at our customers sites.
That's interesting. I haven't seen many cross-OS attacks. My theory has
always been that the mainstream windows evil-doer has lots and lots of
easy targets, and there is no point for him to spend the energy to learn
how to attack these weird Linux clusters. I can't say I'd love to be
proven wrong. 8^) 8^/
> I wrote up a whole series of posts on it, detailing everything (apart
> from the victims name/id/location/university) so that some others
> could learn and protect themselves. My descriptions managed to get me
> ... moderated ... by someone who claimed I was being alarmist ... for
> posting the gory details and making suggestions to the same community
> on how to avoid it.
Too bad. The community needs more war stories. There is too much
> I am simply saying that what we see may be different, and that I hear
> far too much "one-size-fits-all" security prescriptions, that often
> fail to deter attacks, and provide what I think is a false sense of
> security if you follow that and ignore the other issues. I see to
> much of "if we install a firewall, we will be secure" mindset running
Exactly. Or, on the other hand, "firewalls are an inherently bad
solution; all endpoints should be properly secured and should not have
to rely on a firewall.".
Rigid dogma is always bad.
(Except, of course, when it comes to DELETING ALL THOSE PASSPHRASE-LESS
/ Swedish National Infrastructure for Computing
Leif Nixon - Security officer < National Supercomputer Centre
\ Nordic Data Grid Facility
More information about the Beowulf