[Beowulf] iptaled
Glen Gardner
Glen.Gardner at verizon.net
Thu Sep 29 19:53:11 PDT 2005
Exposing compute nodes and even I/O servers to the outside is common in
grids. The idea is that many remote small systems can be linked via an
external network to form a supercomputer. The big problem is the
latency in cross-country links. Security can be handled well enough.
Setups like this are common, really. The ROCKS cluster distribution can
install a grid-ready cluster. It even configures the compute nodes to
use SSH, and all the remote user needs is a similar ROCKS cluster in
order to add remote nodes. Security is accomplished with SSH security
certificates and very fine-grained permissions on the compute nodes
internally. My only gripe with this setup is that it is very much a
canned distribution and does not offer much departure from the default
configuration. The use of Globus makes it VERY complex, and a simpler
means of gridding would make a lot more sense.
Glen
On Thu, 2005-09-29 at 21:20 -0400, Joe Landman wrote:
>
> Chris Samuel wrote:
> > On Thu, 29 Sep 2005 11:03 pm, Bogdan Costescu wrote:
> >
> >> Isn't then better to just put the whole network behind some
> >> firewall and forget about protection ?
> >
> > In my experience all the clusters I've seen have the compute nodes on private
> > IP networks behind the head/management nodes.
>
> I have seen one university instance where every compute node had a
> public interface. I never quite understood that, and the person who
> built it (who is a pretty bright person himself) explained it in terms
> of "the grid" and the authentication broker/gateways.
>
> He was (and is) into the grid bit, but I never saw this as a preferred
> approach for a production system.
>
> Putting each node in your cluster on the public net significantly
> increases your security perimeter, increases the amount of monitoring
> you need to do, and should generally keep you awake at night. Even with
> IPtables and other tools, you are still more exposed than not.
>
> There may be a set of perfectly valid reasons to do this, but in the end
> you have to balance security (reducing exposure points to a controllable
> few) versus functionality.
>
> --
> Joseph Landman, Ph.D
> Founder and CEO
> Scalable Informatics LLC,
> email: landman at scalableinformatics.com
> web : http://www.scalableinformatics.com
> phone: +1 734 786 8423
> fax : +1 734 786 8452
> cell : +1 734 612 4615
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf