[Linux-cluster] Cluster Communications Security
Scott Becker
scottb at bxwa.com
Wed Nov 14 21:48:21 UTC 2007
I'm on the verge of reimplementing fence_apc in C to use ssh. Before I
spend the time on this to be able to fence securely, I wanted to see if
there are any compelling reasons I needed a private subnet anyway. I don't
have any GFS, each node will have its own copy of the web content.
I control all the hosts on the subnet so outside interference would be
sending in the blind or exploiting a weakness.
I believe the luci to ricci communication uses ssh so that should be OK.
Does cman ever send root passwords?
thanks
scottb
Rick Stevens wrote:
> On Wed, 2007-11-14 at 13:00 -0800, Scott Becker wrote:
>
>> What's the general consensus of security risks of cman communications
>> over a public subnet?
>> The faq only briefly mentions it.
>>
>
> cman is pretty important. If it's on a public subnet, someone could
> spoof IPs and screw with your locks, spew garbage (e.g. floodping) on
> the wire and lots of other nefarious things. I'd keep it private.
>
> If possible, I'd tend to keep it on its own VLAN as well. You really
> only want cluster-centric traffic on those wires.
>