[gpfsug-discuss] GPFS (partly) inside dmz

Wahl, Edward ewahl at osc.edu
Mon Nov 2 15:22:19 GMT 2015


First off let me recommend vsftpd.   We've used that in a few single point-to-point cases with excellent results. 

Next, I'm going to agree with Johnathan here: any hacker who gains an advantage on an FTP server will probably not have the knowledge to take advantage of the IB; however, there are some steps you could take to mitigate this on a node such as you are thinking of:

-Perhaps an NFS share from an NSD across IB instead of being a native GPFS client?  This would remove any possibility of escalation exploits gaining access to other servers via SSH keys on the IB fabric, but will reduce this node's speed of access.  On the other hand, almost any IB faster than SDR is probably going to wait on the external network unless it's 40Gb or 100Gb attached.

-firewalled access and/or narrow corridor for ftp access. This is pretty much a must.

-fail2ban-like product checking the ftp logs. Takes some work, but if the firewall isn't narrow enough this is worth it.

Ed Wahl
OSC
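The fail2ban-style log check suggested above, written out as an added example (not code from the list posters or from the fail2ban or vsftpd projects): it parses vsftpd-format login lines and reports clients that reached a failure threshold within a sliding time window. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# vsftpd-style login records: timestamp, pid, user, event, client address.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<event>OK LOGIN|FAIL LOGIN): '
    r'Client "(?P<client>[^"]+)"'
)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Mon Nov  2 08:53:01 2015 [pid 4711] [anonymous] OK LOGIN: Client "198.51.100.7"
Mon Nov  2 08:53:10 2015 [pid 4712] [guest] FAIL LOGIN: Client "203.0.113.5"
Mon Nov  2 08:53:15 2015 [pid 4713] [guest] FAIL LOGIN: Client "203.0.113.5"
Mon Nov  2 08:53:21 2015 [pid 4714] [root] FAIL LOGIN: Client "203.0.113.5"
Mon Nov  2 09:30:00 2015 [pid 4715] [guest] FAIL LOGIN: Client "198.51.100.7"
Mon Nov  2 09:45:00 2015 [pid 4716] [guest] FAIL LOGIN: Client "198.51.100.7"
Mon Nov  2 09:50:00 2015 [pid 4717] [guest] FAIL LOGIN: Client "198.51.100.7"
""".splitlines()


def parse_line(line):
    """Return (timestamp, user, event, client) or None for non-login lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("event"), m.group("client")


def clients_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map client -> time of the failure that crossed the threshold.

    A client is flagged once it has maxretry failed logins inside a
    findtime-wide sliding window (the same idea as fail2ban's settings).
    """
    failures = defaultdict(list)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _user, event, client = rec
        if event != "FAIL LOGIN" or client in banned:
            continue
        # Drop failures that fell out of the window, then count this one.
        failures[client] = [t for t in failures[client] if ts - t <= findtime]
        failures[client].append(ts)
        if len(failures[client]) >= maxretry:
            banned[client] = ts
    return banned
```

With the default 10-minute window only 203.0.113.5 is flagged; 198.51.100.7's three failures are spread over 20 minutes and only trip the check when findtime is widened.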


________________________________________
From: gpfsug-discuss-bounces at spectrumscale.org [gpfsug-discuss-bounces at spectrumscale.org] on behalf of Martin Gasthuber [martin.gasthuber at desy.de]
Sent: Monday, November 02, 2015 8:53 AM
To: gpfsug main discussion list
Subject: [gpfsug-discuss] GPFS (partly) inside dmz

Hi,

  we are currently in discussion with our local network security people about the plan to make certain data accessible to outside scientists via ftp - this implies that the host running the ftp daemon runs with its Ethernet ports inside a dmz. On the other hand, all NSD access is through IB (and should stay that way). The biggest concerns are around a possible intrusion from that ftp host (running as a GPFS client) through the IB infrastructure to other cluster nodes, possibly causing big troubles on the scientific data. Does anybody here have similar constraints and possible solutions to mitigate that risk?

best regards,
  Martin

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
