Re: Cluster Communications Security

I'm on the verge of reimplementing fence_apc in C to use ssh. Before I spend the time on this to be able to fence securely, I wanted to see if there are any compelling reasons I needed a private subnet anyway. I don't have any GFS; each node will have its own copy of the web content.

I control all the hosts on the subnet so outside interference would be sending in the blind or exploiting a weakness.

I believe the luci to ricci communication uses ssh so that should be OK. Does cman ever send root passwords?

    thanks
    scottb


Rick Stevens wrote:
> On Wed, 2007-11-14 at 13:00 -0800, Scott Becker wrote:
>> What's the general consensus of security risks of cman communications
>> over a public subnet?
>> The faq only briefly mentions it.
>
> cman is pretty important.  If it's on a public subnet, someone could
> spoof IPs and screw with your locks, spew garbage (e.g. floodping) on
> the wire and lots of other nefarious things.  I'd keep it private.
>
> If possible, I'd tend to keep it on its own VLAN as well.  You really
> only want cluster-centric traffic on those wires.
  
--
Linux-cluster mailing list
Linux-cluster@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/linux-cluster
