Valeri Galtsev wrote:
On Thu, July 20, 2017 8:07 am, Peter Larsen wrote:
On 07/16/2017 12:30 PM, Andreas Benzler wrote:
- The firewall is placed in front of the cluster.
- After you have found a safe base for this, you freeze it.
Sorry, but this statement really irks me in a wrong way. Why do you think a firewall is the ONLY part that needs to provide security? That's the way I read this statement - that it doesn't matter anywhere else. In addition, the majority of attacks and compromises come from INSIDE the firewall - i.e. the "wannacry" and similar attacks are all distributed via email, executed on a local workstation and it propagates from there - your external firewall is not even hit before your servers/cluster is scanned.
I will second that. I personally run servers under the assumption that bad guys are already inside. Doesn't negate other measures such as firewall, brute force attack protection etc. But I've seen bad guys attempting to elevate privileges (unsuccessfully) twice over the last decade and a half. Both times I thanked myself for taking appropriate security measures.
<snip> A cluster for heavy duty computing, of which I run several, is a whole 'nother ballgame. I think I mentioned, but let me recap: 1) only a few people have access to the systems (/bin/noLogin, otherwise); 2) my users have jobs that can be running one, two, or even three weeks straight. And several users' jobs can overlap. We cannot update something that might affect the running jobs (like, say, glibc).
Now, some things, like say bind, no problem. But more serious things might break their jobs, and that's not acceptable. We make arrangements to update a few times a year.
Note that there was an update to, I believe, glibc early in 6.x that *did* break computations - results with the update were different than with the glibc before that, so we have to be cautious.
As most folks here where I work know, my job here is to keep the researchers going, not to run systems to run systems (another group here does seem to feel the latter way....) Oh, and my personal mission statement is xkcd 705. <g>
mark