On 07/16/2017 12:30 PM, Andreas Benzler wrote:
- The firewall is placed in front of the cluster.
- After you have found a safe base for this, you freeze it.
Sorry, but this statement really irks me in a wrong way. Why do you think a firewall is the ONLY part that needs to provide security? That's the way I read this statement - that it doesn't matter anywhere else. In addition, the majority of attacks and compromises come from INSIDE the firewall - i.e. the "WannaCry" and similar attacks are all distributed via email, executed on a local workstation and it propagates from there - your external firewall is not even hit before your servers/cluster are scanned.
Another aspect here is all the other stuff outside the kernel. Even if you do "yum update" frequently, if you don't restart, there are several daemons and features of your system that don't get patched - the code is in memory and changing the disk has no effect at all.
Bottom line is, I would not be proud of triple-digit single-server uptimes. It simply tells me I can find lots of ways in - not that you're running a rock solid setup.
-- Regards, Peter Larsen
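
An added example, not part of the original message: one way to check for the situation described above, where a daemon keeps running library code that "yum update" has already replaced on disk. It assumes a Linux /proc layout; the function names and the sample maps text (including the library path) are constructed for illustration.

```python
import os
import re

# One line of /proc/<pid>/maps: range, perms, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
SUFFIX = " (deleted)"  # the kernel appends this when the mapped file was unlinked

def stale_mappings(maps_text):
    """Return paths of executable file mappings whose on-disk file is gone or replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path").endswith(SUFFIX):
            continue
        path = m.group("path")[: -len(SUFFIX)]
        # Ignore anonymous memory, shared-memory segments and non-code mappings
        if m.group("inode") == "0" or "x" not in m.group("perms"):
            continue
        if path.startswith(("/dev/shm/", "/memfd:", "/SYSV")):
            continue
        stale.add(path)
    return stale

def scan_proc(proc="/proc"):
    """Map pid -> (process name, stale paths) for every readable process."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                stale = stale_mappings(fh.read())
            with open(os.path.join(proc, pid, "comm")) as fh:
                name = fh.read().strip()
        except OSError:  # process exited, or we lack permission
            continue
        if stale:
            findings[int(pid)] = (name, sorted(stale))
    return findings

# Constructed sample: a daemon still mapping a library that was updated on disk
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1b0000 r-xp 00000000 fd:00 131234 /usr/lib64/libexample.so.1 (deleted)
7f1c2a1b0000-7f1c2a3af000 ---p 001b0000 fd:00 131234 /usr/lib64/libexample.so.1 (deleted)
7f1c2b000000-7f1c2b020000 r-xp 00000000 fd:00 131300 /usr/lib64/libother.so.2
7f1c2c000000-7f1c2c001000 rw-s 00000000 00:05 98304 /SYSV00000000 (deleted)
7f1c2d000000-7f1c2d001000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(pid, name, ", ".join(libs))
```

Run as root to see every process; any service listed is still executing pre-update code until it is restarted.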