[Beowulf] iptaled

Joe Landman landman at scalableinformatics.com
Thu Sep 29 21:20:28 EDT 2005



Chris Samuel wrote:
> On Thu, 29 Sep 2005 11:03 pm, Bogdan Costescu wrote:
> 
>> Isn't it then better to just put the whole network behind some
>> firewall and forget about protection?
> 
> In my experience all the clusters I've seen have the compute nodes on private 
> IP networks behind the head/management nodes.

I have seen one university instance where every compute node had a 
public interface.  I never quite understood that, and the person who 
built it (who is a pretty bright person himself) explained it in terms 
of "the grid" and the authentication broker/gateways.

He was (and is) into the grid bit, but I never saw this as a preferred 
approach for a production system.

Putting each node in your cluster on the public net significantly 
increases your security perimeter, increases the amount of monitoring 
you need to do, and should generally keep you awake at night.  Even with 
IPtables and other tools, you are still more exposed than not.

There may be a set of perfectly valid reasons to do this, but in the end 
you have to balance security (reducing exposure points to a controllable 
few) versus functionality.

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web  : http://www.scalableinformatics.com
phone: +1 734 786 8423
fax  : +1 734 786 8452
cell : +1 734 612 4615