landman at scalableinformatics.com
Thu Sep 29 21:20:28 EDT 2005
Chris Samuel wrote:
> On Thu, 29 Sep 2005 11:03 pm, Bogdan Costescu wrote:
>> Isn't it then better to just put the whole network behind some
>> firewall and forget about protection?
> In my experience all the clusters I've seen have the compute nodes on private
> IP networks behind the head/management nodes.
I have seen one university instance where every compute node had a
public interface. I never quite understood that, and the person who
built it (who is a pretty bright person himself) explained it in terms
of "the grid" and the authentication broker/gateways.
He was (and is) into the grid bit, but I never saw this as a preferred
approach for a production system.
Putting each node in your cluster on the public net significantly
increases your security perimeter, increases the amount of monitoring
you need to do, and should generally keep you awake at night. Even with
IPtables and other tools, you are still more exposed than not.
There may be a set of perfectly valid reasons to do this, but in the end
you have to balance security (reducing exposure points to a controllable
few) versus functionality.
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web : http://www.scalableinformatics.com
phone: +1 734 786 8423
fax : +1 734 786 8452
cell : +1 734 612 4615