On 07/16/2017 12:30 PM, Andreas Benzler wrote:
> - The firewall is placed in front of the cluster.
> - After you have found a safe base for this, you freeze it.
Sorry, but this statement really urks me in a wrong way. Why do you
think a firewall is the ONLY part that needs to be provide security?
That's the way I read this statement - that it doesn't matter anywhere
else. In addition, the majority of attacks and compromises come from
INSIDE the firewall - ie. the "wannacry" and similar attacks are all
distributed via email, executed on a local workstation and it propagates
from there - your external firewall is not even hit before your
servers/cluster is scanned.
Another aspect here is all the other stuff outside the kernel. Even if
you do "yum update" frequently if you don't restart, there are several
daemons and features of your system that doesn't get patched - the code
is in memory and changing the disk has no effect at all.
Bottom line is, I would not be proud of tripple digit single server
uptimes. It simply tells me, I can find lots of ways in - not that
you're running a rock solid setup.
--
Regards, Peter Larsen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
