On Mon, 2015-11-02 at 14:53 +0100, Martin Gasthuber wrote:
> Hi,
>
> we are currently in discussion with our local network security people
> about the plan to make certain data accessible to outside scientists
> via ftp - this implies that the host running the ftp daemon runs with
> their ethernet ports inside a dmz. On the other hand, all NSD access is
> through IB (and should stay that way). The biggest concerns are around
> the possible intrusion from that ftp host (running as GPFS client)
> through the IB infrastructure to other cluster nodes and possibly
> causing big troubles on the scientific data. Does anybody here have
> similar constraints and possible solutions to mitigate that risk?
>
Would it not make sense to export it via NFS over Ethernet from the GPFS cluster to the FTP node, firewall it up the wazoo and avoid the server licenses anyway?

Note if you offer remote access to your "cluster" to local users already the additional attack surface from an FTP server is minimal to begin with.

All said and done, one however suspects that 99.999% of hackers have precisely zero experience with Infiniband and thus would struggle to be able to exploit the IB fabric beyond using IPoIB.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
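
The NFS export suggested in the reply above can be checked mechanically on the exporting node. The following is an added example, not part of the original thread: it audits an `/etc/exports` file so that the FTP host in the DMZ is the only client and gets read-only, root-squashed access. The policy itself, the paths and the address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Constructed sample /etc/exports; paths and addresses are assumptions
# (192.0.2.10 stands in for the FTP host in the DMZ).
SAMPLE_EXPORTS = """\
# hardened: one host, read-only, root squashed
/gpfs/public   192.0.2.10(ro,root_squash,sync)
# weak: writable, root not squashed, whole subnet
/gpfs/scratch  192.0.2.0/24(rw,no_root_squash)
# classic typo: the space makes (rw) apply to every host
/gpfs/archive  192.0.2.10 (rw)
"""

# client(options); either part may be missing
ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")
RISKY_OPTIONS = ("rw", "no_root_squash", "insecure")


def audit_exports(text, dmz_host):
    """Return (path, client, problem) tuples for every export entry that
    grants more than read-only, root-squashed access to dmz_host alone."""
    findings = []
    # join backslash-continued lines before parsing
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            match = ENTRY.match(entry)
            if match is None:
                findings.append((path, entry, "unparseable entry"))
                continue
            client = match.group(1) or "*"  # no client name means any host
            options = set(filter(None, (match.group(2) or "").split(",")))
            if client != dmz_host:
                findings.append((path, client, "client is not the DMZ host"))
            for option in RISKY_OPTIONS:
                if option in options:
                    findings.append((path, client, option))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS, "192.0.2.10"):
        print(*finding, sep="\t")
```

An entry with no option list is not flagged because the `exports` defaults are already `ro` and `root_squash`.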
