[gpfsug-discuss] GPFS (partly) inside dmz

Jonathan Buzzard jonathan at buzzard.me.uk
Mon Nov 2 14:20:06 GMT 2015


On Mon, 2015-11-02 at 14:53 +0100, Martin Gasthuber wrote:
> Hi,
> 
>   We are currently in discussion with our local network security people
> about the plan to make certain data accessible to outside scientists
> via ftp - this implies that the host running the ftp daemon runs with
> its ethernet ports inside a dmz. On the other hand, all NSD access is
> through IB (and should stay that way). The biggest concerns are around
> a possible intrusion from that ftp host (running as GPFS client)
> through the IB infrastructure to other cluster nodes, possibly
> causing big trouble for the scientific data. Has anybody here had
> similar constraints and possible solutions to mitigate that risk?
> 

Would it not make sense to export it via NFS over Ethernet from the GPFS
cluster to the FTP node, firewall it up the wazoo and avoid the server
licenses anyway?

Note if you offer remote access to your "cluster" to local users already
the additional attack surface from an FTP server is minimal to begin
with.

All said and done, one however suspects that 99.999% of hackers have
precisely zero experience with Infiniband and thus would struggle to be
able to exploit the IB fabric beyond using IPoIB. 

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.




