Some basic Questions...

Walter B. Ligon III walt at parl.ces.clemson.edu
Tue Jun 13 06:11:32 PDT 2000 

--------

> >    Nobody has acces to the nodes machines, in theory. The only one
> > that could acces them is the root for administration reasons... and if
> > somebody get the root password, why care about the 486 without
> > internet acces?
> 
> This is a Very Bad position to take.  A firewall is *not* complete
> protection; it is only one level in a protection system.  Your 486 nodes
> are only as safe as your gateway machine.

This is not necessarily a bad position to take.  This is not the same as a
firewall situation.  In a network protected by a firewall there is useful
data and/or functionality on a node behind the firewall and the firewall
attempts to filter packets routed to that node in order to provide protection.
In a properly configured beowulf there isn't anything of value on a node that
isn't on the master node AND the master node does not route packets.  Thus,
in order to attack the node the attacker has to compromise the master first,
and having done so has already gained access to the useful parts of the
system.

The reason for secure shell on a beowulf is in the case where users do not
trust one another.  If users are working with information that must be
secured from other users, and thus need to be sure that their passwords
are not compromised and one user cannot masquerade as another - THEN security
is an issue.  Of course *I* would contend a beowulf is inherently insecure
in that situation and should not be used as such, but that's *my* opinion.

To take this a step further, a "well-designed" beowulf shouldn't allow logins
to the nodes anyway - they should not have rsh or ssh or telnet or FTP or
password files or any of that.  Nodes should exist as slave processors for
executing processes under the control of the master node.  Inter-node
security becomes a non-issue.  Think about it, do you need security to
keep someone who gains acceess to one processor of an SMP from getting access
to another processor?

Walt

-- 
Dr. Walter B. Ligon III
Associate Professor
ECE Department
Clemson University

More information about the Beowulf mailing list