Linux firewalls and security


I was curious what was the dominant thinking about security. 

Here's my situation:

I have about 100 servers coming up for a computational cluster. The 
access required is mainly ssh and a couple of other services. We know 
specific IP addresses or domains that ought to be allowed access. 

Either I can have a single firewall protecting them or firewalls that run 
on each machine. I have always relied on the single firewall solution. But 
that exposes one to the single-point-of-failure arguments. 

What's the dominant thinking about this kind of security? If one has 100 
identical machines is it better to secure one "access machine" or them 
independently?

Of course, each machine has the usual secure passwords etc. but this 
question is for precautions above that level.

Maybe this is too philosophical and lacks a generic answer....

-- 
Rahul
Reply Rahul 1/11/2010 9:37:34 PM

On 2010-01-11, Rahul <nospam@nospam.invalid> wrote:

> Either I can have a single firewall protecting them or firewalls that run 
> on each machine.....

You need to get a good overall view of what "firewalls" are about.
The best I've ever seen on this particular subject is Building
Internet Firewalls by O'Reilly.  It's about the overall firewall
security concept more than naming a single firewall application or
product.  I didn't find it on their website, so maybe the book is no
longer in print, but here is a piece of it:

http://oreilly.com/catalog/fire/chapter/ch04.html

Some of their old books are available online.  Look around.  Buying it
used from ebay or amazon would be worth your while.  HTH.

nb
Reply notbob 1/11/2010 10:36:14 PM


On Mon, 11 Jan 2010 21:37:34 +0000 (UTC), Rahul wrote:

> I have about 100 servers coming up for a computational cluster. The
> access required is mainly ssh and a couple of other services. We know
> specific IP addresses or domains that ought to be allowed access. 
>
> Either I can have a single firewall protecting them or firewalls that
> run on each machine. I have always relied on the single firewall
> solution. But that exposes one to the single-point-of-failure
> arguments. 

The typical approach, with HPC compute clusters, is to have the compute
nodes all on an isolated private network reachable only via the head or
login node(s).  Protect the login node(s) as you would any other that
provides that type of service to your user community.  Protect your head
node(s) as you would any other system providing remote services for your
user community.  If the head node(s) is/are also the login node(s),
adjust that protection accordingly.  The compute nodes, then, are
primarily raw CPU power.  Users shouldn't actively login to them at all.

> What's the dominant thinking about this kind of security? If one has
> 100 identical machines is it better to secure one "access machine" or
> them independently?

Don't look at it as 100 identical systems, because that isn't what it
is.  Look at it as 1 system, with certain known points of access (head
node(s), login node(s)).  Protect those points of access as appropriate
for your organization.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                               syl@encs.concordia.ca
 
Systems analyst / AITS                            Concordia University
Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
----------------------------------------------------------------------
Reply Sylvain 1/12/2010 4:00:29 PM

Sylvain Robitaille <syl@alcor.concordia.ca> wrote in 
news:slrnhkp74t.sth.syl@charlotte.encs.concordia.ca:

> On Mon, 11 Jan 2010 21:37:34 +0000 (UTC), Rahul wrote:
> 
>> What's the dominant thinking about this kind of security? If one has
>> 100 identical machines is it better to secure one "access machine" or
>> them independently?
> 
> Don't look at it as 100 identical systems, because that isn't what it
> is.  Look at it as 1 system, with certain known points of access (head
> node(s), login node(s)).  Protect those points of access as appropriate
> for your organization.
> 

Thanks for your thoughts Sylvain! You make me feel more confident. On all 
past clusters I have done exactly what you said: used private IPs and 
protected all compute nodes. 

Access came via a single, protected login node which had outside access. 

Unfortunately this time I had a co-sys admin (more "senior" than me) on the 
project that was trying to convince me otherwise. I was skeptical but to be 
fair to him wanted to get more opinions.

Out of curiosity though: how does one apply the same argument to a non-HPC 
setting. Say I had 100 workstations I was buying. How does one justify a 
perimeter firewall against protecting each machine individually? 

-- 
Rahul
Reply Rahul 1/13/2010 6:21:02 AM

Rahul <nospam@nospam.invalid> wrote:

> Out of curiosity though: how does one apply the same argument to a non-HPC

> setting. Say I had 100 workstations I was buying. How does one justify a 
> perimeter firewall against protecting each machine individually? 

Some of this argument is going to depend on physical security.  If the 100
machines are in a locked room with no chance of anyone installing anything
on them, or changing their configurations, it's a different ballgame from
having the machines open-access.

If they're open-access I'd trust no machine. 

-- 
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to newsreplynnn@wingsandbeaks.org.uk replacing "nnn" by "284".  
Reply Jeremy 1/13/2010 1:56:47 PM

Jeremy Nicoll - news posts <jn.nntp.scrap004@wingsandbeaks.org.uk> wrote
in news:gemini.kw6uqm000jyrf02n4@wingsandbeaks.org.uk.invalid: 

> Some of this argument is going to depend on physical security.  If the
> 100 machines are in a locked room with no chance of anyone installing
> anything on them, or changing their configurations, it's a different
> ballgame from having the machines open-access.
> 
> If they're open-access I'd trust no machine. 
> 
> 


Thanks!

Any realistic scenario seems intermediate to the two "very secure" and 
"open" situations you describe. The firewall seems one of many options to 
enforce a trust system. I guess most machines are not "open access" but 
there is a finite, small list of domains that you want access to but on 
certain ports. 

Let me rephrase my Question: "Does it make more sense to enforce this trust 
via a centralized firewall mechanism or on a machine by machine level?" 
What are the pros and cons?

-- 
Rahul
Reply Rahul 1/13/2010 4:00:23 PM

Rahul wrote:
> Jeremy Nicoll - news posts <jn.nntp.scrap004@wingsandbeaks.org.uk> wrote
> in news:gemini.kw6uqm000jyrf02n4@wingsandbeaks.org.uk.invalid: 
> 
>> Some of this argument is going to depend on physical security.  If the
>> 100 machines are in a locked room with no chance of anyone installing
>> anything on them, or changing their configurations, it's a different
>> ballgame from having the machines open-access.
>>
>> If they're open-access I'd trust no machine. 
>>
>>
> 
> 
> Thanks!
> 
> Any realistic scenario seems intermediate to the two "very secure" and 
> "open" situations you describe. The firewall seems one of many options to 
> enforce a trust system. I guess most machines are not "open access" but 
> there is a finite, small list of domains that you want access to but on 
> certain ports. 
> 
> Let me rephrase my Question: "Does it make more sense to enforce this trust 
> via a centralized firewall mechanism or on a machine by machine level?" 
> What are the pros and cons?
> 
both effectively. each machine has its own set of privileges, but 
implement it by using a central firewall.

unless of course it's full of smart nerds, who will simply set up a proxy...
Reply The 1/13/2010 5:39:24 PM

Rahul <nospam@nospam.invalid> wrote:
> Jeremy Nicoll - news posts <jn.nntp.scrap004@wingsandbeaks.org.uk> wrote
> 
> Let me rephrase my Question: "Does it make more sense to enforce this trust 
> via a centralized firewall mechanism or on a machine by machine level?" 
> What are the pros and cons?
> 

best is tiered approach: start with real hardware firewall
appliance for the entire network. This guy needs to be
single-function, reliable, as close as possible to non-hackable.
hence an appliance rather than a cheapo PC running a general
purpose OS. This is the first level and needs to have
proper physical security. Redundant hardware is best if you
can't tolerate outages.

Add common firewall on the clients as a second level.

Stan
Reply Stan 1/13/2010 6:15:25 PM

Rahul <nospam@nospam.invalid> wrote:

> Any realistic scenario seems intermediate to the two "very secure" and 
> "open" situations you describe. The firewall seems one of many options to 
> enforce a trust system. I guess most machines are not "open access" but 
> there is a finite, small list of domains that you want access to but on 
> certain ports.

How are you going to stop someone plugging a wireless dongle into one of the
machines, or replugging its LAN cable or interfering at a patch panel, if
stuff isn't locked up?
 
> Let me rephrase my Question: "Does it make more sense to enforce this
> trust via a centralized firewall mechanism or on a machine by machine
> level?" What are the pros and cons?

Centralised firewall sounds good to me, provided it is IMPOSSIBLE for anyone
to get internet access without going through the firewall.

If it's not impossible, firewalls on each machine are not going to help much
unless you can guarantee they can't be bypassed.




I used to work in a bank's computer centre.  Data security was a big issue.

It's instructive to consider the approach.  In most cases programs that
could do dangerous things were not restricted access from a security point
of view (though they were restricted just to prevent naive users from
accidentally doing damage to data they already had access to).  

Instead, access to data was highly controlled.  It didn't matter what
program someone tried to use to read or write a file, the file was
protected.

If you tried to use, say, a disk sector editor to alter the tracks which
held a file's data, the sector editor allowed or disallowed that based on
what file occupied the tracks.  So you could use a sector editor on your own
data but not system or financial data. 


So, I think you need to decide precisely what you're trying to protect and
why.  Then you need to find a method that does it.  For example, there's
(perhaps) no need to firewall a machine if you don't care what the machine
is used for.  Maybe you can arrange to wipe and reload such machines' disks
every night.  Maybe you can put glue into their NICs.  Maybe the machines
can be in a faraday cage so no wireless internet access is possible...


-- 
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply
to newsreplynnn@wingsandbeaks.org.uk replacing "nnn" by "284".  
Reply Jeremy 1/13/2010 6:38:47 PM

Rahul wrote:

> ... "Does it make more sense to enforce this trust via a centralized
> firewall mechanism or on a machine by machine level?" What are the
> pros and cons?

There is no single answer to this question.  The variables to consider
are generally site-specific, but as someone already suggested they can
be condensed to "what are you protecting, from what threats, and why?"

What approach is best to accomplish that protection largely depends on
the answer to the above.  One size does not fit all.

Traffic filtering policies on each machine can have a finer granularity
than what's on a central firewall (which will filter at best, only
the traffic that passes through it).  On the other hand, managing such
protection from a central firewall scales better for protecting larger
numbers of systems.

Depending on the site's policies and resources, these considerations
need to be factored in with the above, to come up with pros and cons of
each approach and what makes most sense.

As others have suggested, in the most generic sense, what is likely to
work best for most sites will be a combination of a central firewall
for managing traffic that passes from the site to the public network
(and in the other direction), with per-system "personal" firewalls
to filter traffic that stays within the local network.  Ideally the
per-system filters can be made to be identical and managed centrally,
but again, whether that's even possible, or how best to accomplish it
is site-specific.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                               syl@encs.concordia.ca
 
Systems analyst / AITS                            Concordia University
Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
----------------------------------------------------------------------
Reply Sylvain 1/14/2010 5:42:39 PM
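As an added example, not from any poster in this thread: a small POSIX sh/awk generator that turns one centrally maintained allow-list into the identical per-host iptables INPUT ruleset Sylvain describes (known sources, known ports, everything else logged and dropped). The allow-list, addresses and ports are constructed for illustration; the script only prints the iptables commands so the output can be reviewed before being pushed to the nodes.

```shell
#!/bin/sh
# Constructed allow-list kept centrally: "source_cidr tcp_port comment" per line.
ALLOWLIST='
192.0.2.10/32   22   admin-workstation
198.51.100.0/24 22   campus-login-hosts
203.0.113.7/32  2049 nfs-server
'

# gen_rules ALLOWLIST_TEXT: print an iptables INPUT policy that accepts loopback,
# established/related traffic and the listed (source, port) pairs, then logs and
# drops the rest. Malformed lines are reported as comments, never turned into rules.
gen_rules() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      print "iptables -P INPUT DROP"
      print "iptables -F INPUT"
      print "iptables -A INPUT -i lo -j ACCEPT"
      print "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
      print "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    }
    /^[[:space:]]*$/ { next }            # blank line
    /^[[:space:]]*#/ { next }            # comment line
    NF < 2 { print "# malformed line skipped: " $0; next }
    $2 !~ /^[0-9]+$/ || $2 < 1 || $2 > 65535 { print "# bad port skipped: " $0; next }
    {
      printf "iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT  # %s\n", $1, $2, $3
    }
    END {
      # rate-limited log of what the default DROP policy discards, for detection
      print "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    }
  '
}

# count_accept ALLOWLIST_TEXT: number of per-source ACCEPT rules generated.
count_accept() {
  gen_rules "$1" | grep -c -- '-s .* --dport' || true
}

gen_rules "$ALLOWLIST"
```

Because every node consumes the same allow-list, a change to one central file changes the ruleset on all 100 machines identically.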

Rahul wrote:

> Out of curiosity though: how does one apply the same argument to a
> non-HPC setting.

One doesn't.  The two scenarios are completely different.

> Say I had 100 workstations I was buying. How does one justify a 
> perimeter firewall against protecting each machine individually? 

If you're buying 100 workstations, plan to budget for both a perimeter
firewall, and individual protection for each machine.  If you can't
get the budget, that might mean you can buy only 95 workstations.
(actually 99 workstations; appropriate one to use as the perimeter
firewall, and the individual protection for the others will be in the form
of tcp_wrappers/xinetd configuration, perhaps with iptables configuration
in addition)

Appropriate configuration for the perimeter firewall and the individual
protection, as I note in an earlier message (and others have noted
previously) is site-specific.  You won't be able to get anything that
specific from a newsgroup.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                               syl@encs.concordia.ca
 
Systems analyst / AITS                            Concordia University
Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
----------------------------------------------------------------------
Reply Sylvain 1/14/2010 5:50:58 PM

Sylvain Robitaille <syl@alcor.concordia.ca> wrote in 
news:slrnhkumc2.1pt.syl@charlotte.encs.concordia.ca:

> Appropriate configuration for the perimeter firewall and the individual
> protection, as I note in an earlier message (and others have noted
> previously) is site-specific.  You won't be able to get anything that
> specific from a newsgroup.
> 

Thanks! Of course, I didn't want to ask for specific settings. I just 
wanted opinions on the philosophy and overall structure. Central vs 
distributed.

-- 
Rahul
Reply Rahul 1/14/2010 7:30:08 PM

Rahul wrote:
> Sylvain Robitaille <syl@alcor.concordia.ca> wrote in 
> news:slrnhkumc2.1pt.syl@charlotte.encs.concordia.ca:
> 
>> Appropriate configuration for the perimeter firewall and the individual
>> protection, as I note in an earlier message (and others have noted
>> previously) is site-specific.  You won't be able to get anything that
>> specific from a newsgroup.
>>
> 
> Thanks! Of course, I didn't want to ask for specific settings. I just 
> wanted opinions on the philosophy and overall structure. Central vs 
> distributed.
> 
central management, and occams razor* on the protection.

*"entities should not be multiplied beyond necessity". OWTTE
Reply The 1/14/2010 9:08:50 PM

12 Replies
2299 Views