Hi Kyle,
Kyle Sparger wrote:
>
> > IMHO it's safe enough to make a new dedicated net (192.168.100.0/30 [has
> > anyone more than 4 nodes?]) for syncing.
>
> IMHO, I agree. But I also agree with Wayne that in some cases (eg, colo
> farms) this isn't feasible, and especially if you want to go the ip
> tunnelling method over public lines to separate physical locations. Of
> course, you could always use IPSec or some other encrypted tunnel, but,
> why do that if/when you can simply authenticate the messages themselves?
That's a good point.
> Actually, I was thinking from an end-user point of view. Spoof a ton of
> udp/icmp packets, and send them through as if they were regular traffic.
> Not a whole lot ipchains can do about it -- if you know a way, other than
> stopping it at the source, I'd like to know -- this sort of garbage is the
> bane of network engineers/ISPs 'round the world ;)
Yeah, you seem to work in the same field as I do. BTW,
nice approach with the sperl bugfix on bugtraq!
See, designing a new network with security in mind is
always a highly problematic task. It's difficult to
decide how important the data and the availability
are for each project. A low-level approach is, as you
already mentioned, putting a packet filter with ipchains
rules in front of the cluster. Having intelligent ACLs on
the router and a well-designed packet filter can help
quite a lot. A mid-level approach is to put a firewall
(like fw1, genugate, raptor, ...) after the packet filter.
This has the nasty side effect that you most certainly do
NAPT, and this can sometimes be a pain to configure with
an lvs-cluster behind the firewall, especially if you
run https and don't use cookies to authenticate. Then
there is the hardcore approach, where the security
starts at OS level, like for example the B1 security
level stated in the Orange Book. Currently the most
widely deployed Unix for B1 security is Solaris, but some
companies I know also try to make products for Linux.
This gives you good security but doesn't prevent
spoofing / DoS attacks. Whatever you try in order to
prevent this will most surely turn out to be what the
attacker had in mind. IDS systems are a very nice example
of a wrong approach to avoiding such attacks.
> Thus the usage of the word "minimum" -- I was assuming that _all_ you were
> passing was that data. :) I didn't honestly think for a moment that it
> actually would be all you sent :)
> Thanks,
>
> Kyle Sparger - Senior System Administrator
> Dialtone Internet - Extremely Fast Web Systems
^^^^^^^^^^^^^^^^^^^^^^^^^^
How fast :) It's all relative.
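The "authenticate the messages themselves" idea from Kyle's paragraph above, as an added example that is not part of the original thread and is not the LVS sync daemon's own wire format: a toy sync datagram carrying a sequence number and an HMAC-SHA256 tag under a shared key, with the receiver rejecting forged, tampered and replayed datagrams before trusting any of the content. The message layout, the key, and the function and class names are assumptions made for illustration.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for illustration only; in practice load it from a
# protected file on each director rather than embedding it in code.
SHARED_KEY = b"example-sync-key-do-not-use"
TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def build_sync_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Hypothetical sync datagram: 8-byte big-endian sequence number,
    then the payload, then HMAC-SHA256 over (seq || payload)."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SyncReceiver:
    """Verifies the tag before using anything in the datagram and enforces
    strictly increasing sequence numbers so a captured datagram cannot be
    replayed later."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []  # payloads that passed both checks

    def receive(self, datagram: bytes) -> bool:
        if len(datagram) < 8 + TAG_LEN:
            return False  # too short to carry a header and a tag
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a spoofed packet with a guessed or
        # wrong-key tag fails here, regardless of its source address.
        if not hmac.compare_digest(tag, expected):
            return False
        seq = struct.unpack("!Q", body[:8])[0]
        if seq <= self.last_seq:
            return False  # replayed (or stale) datagram
        self.last_seq = seq
        self.accepted.append(body[8:])
        return True


def demo():
    """Runs the receiver against constructed good, replayed, forged and
    tampered datagrams and returns the accept/reject decisions in order."""
    rx = SyncReceiver(SHARED_KEY)
    good = build_sync_message(SHARED_KEY, 1, b"conn 10.0.0.5:443 -> realserver2")
    results = [rx.receive(good)]
    results.append(rx.receive(good))  # same datagram again: replay
    forged = build_sync_message(b"wrong-key", 2, b"conn x -> somewhere-else")
    results.append(rx.receive(forged))  # spoofed sender without the key
    tampered = bytearray(build_sync_message(SHARED_KEY, 2, b"conn x"))
    tampered[9] ^= 0x01  # flip one payload bit after signing
    results.append(rx.receive(bytes(tampered)))
    results.append(rx.receive(build_sync_message(SHARED_KEY, 3, b"conn y")))
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. First, this only authenticates the datagrams; as Kyle says, it deliberately does not hide their contents, which is the trade-off against an IPsec or other encrypted tunnel. Second, a strictly increasing sequence check drops legitimately reordered UDP datagrams; a production design would use a sliding replay window of the kind IPsec uses rather than the single counter shown here.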