[Beowulf] Intra-cluster security

Leif Nixon nixon at nsc.liu.se
Mon Sep 14 00:45:42 PDT 2009


Joe Landman <landman at scalableinformatics.com> writes:

> Leif Nixon wrote:
>> Joe Landman <landman at scalableinformatics.com> writes:
>>
>>> I won't fisk this, other than to note most of the exploits we have
>>> cleaned up for our customers have been Windows-based attack vectors.
>>> Contrary to the implication here, the ssh-key attack vector, while a
>>> risk, isn't nearly as dangerous as others, in active use, out there.
>>
>> I'm really hoping you aren't accusing me of security theatre.
>
> Nope.  I thought I made it clear that I wasn't (and if not, then let
> me re-iterate that I am not accusing you of this).

Good. 8^)

> I am noting that there may be something of an overhyping of this
> vulnerability from where we sit.  YMMV.

Well, it *is* being actively exploited on a big scale. It's not just a
theoretical thing.

> Likely it is a difference.  Most attacks we see are Windows-related,
> exploiting the inherent weakness of that platform, and its relative
> ease of compromise in order to compromise harder to take down systems.
> Why break through the heavily fortified door when the window (pun
> un-intended) is so easy to crack?  This is the nature (outside of
> incessant ssh probes) of all of the exploits we have seen be
> successful at our customers' sites.

That's interesting. I haven't seen many cross-OS attacks. My theory has
always been that the mainstream Windows evil-doer has lots and lots of
easy targets, and there is no point for him to spend the energy to learn
how to attack these weird Linux clusters. I can't say I'd love to be
proven wrong. 8^) 8^/

> I wrote up a whole series of posts on it, detailing everything (apart
> from the victim's name/id/location/university) so that some others
> could learn and protect themselves.  My descriptions managed to get me
> ... moderated ... by someone who claimed I was being alarmist ... for
> posting the gory details and making suggestions to the same community
> on how to avoid it.

Too bad. The community needs more war stories. There is too much
covering up.

> I am simply saying that what we see may be different, and that I hear
> far too much "one-size-fits-all" security prescriptions, that often
> fail to deter attacks, and provide what I think is a false sense of
> security if you follow that and ignore the other issues.  I see too
> much of "if we install a firewall, we will be secure" mindset running
> about.

Exactly. Or, on the other hand, "firewalls are an inherently bad
solution; all endpoints should be properly secured and should not have
to rely on a firewall.".

Rigid dogma is always bad.

(Except, of course, when it comes to DELETING ALL THOSE PASSPHRASE-LESS
KEYS!)

-- 
                               / Swedish National Infrastructure for Computing
Leif Nixon - Security officer <  National Supercomputer Centre
                               \ Nordic Data Grid Facility
