Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
From: Alex Noordergraaf (alex.noordergraaf@sun.com)
Date: 11/05/01
- Previous message: Steve Ruby: "RE: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- In reply to: Trevor Fiatal: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
- Next in thread: Vladimir Ivanov: "Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)"
Message-ID: <3BE6C221.767287B7@sun.com>
Date: Mon, 05 Nov 2001 11:45:21 -0500
From: Alex Noordergraaf <alex.noordergraaf@sun.com>
To: Trevor Fiatal <trevor@fiatal.net>
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
Trevor Fiatal wrote:
>
[...]
>
> > And there is no interest in running at the same time telnet, ftp, rsh
> > and ssh. Are you sure someone in your organisation will not one day use
> > telnet instead of ssh, just because he doesn't have ssh on his computer.
> > Just cut all those and dtlogin too. Ssh should be the only remote access
> > on your computer if you want it to be useful.
>
> Under most circumstances, I would agree with you.
>
> However, this thread concerns securing SunCluster 2.2 and 3.0
> systems. What you've just proposed will break SunCluster and most
> likely cause SunService to declare the broken cluster unsupportable
> until you reverse the changes. You *really* don't want a SunCluster
> system running in production without SunService support.
No - you _really_ don't want to!
Correspondingly, you need to be very careful about what applications and
OS modifications are made to the cluster nodes. Generally speaking OS
hardening isn't supported - though there are exceptions to this. Before
making these types of changes to your clusters I would strongly suggest
you speak with your local Sun support folks to make sure there aren't
any problems moving forward and your configuration is supported.
Also - there are known issues and bugs filed against the use of
ip_strict_dst_multihoming in SC2.2 clusters. This option is enabled, by
default, in the nddconfig script made available by the BluePrints
program and included in JASS and Titan. If you are using this script on
an SC2.2 cluster, comment out, at least, the setting of this option.
-Alex
btw - please don't interpret this email as defining supported SC2.2
cluster configurations.
>
> -Trevor
>
> --
> Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
> Co-Founder, CSO
> SEVEN
> 510.967.4556 (work/mobile)
> 510.401.8054 (vmail/fax)
--
Alex Noordergraaf (voice) 781.442.3447
Enterprise Eng. Security Architect (email) alex.noordergraaf@sun.com
BluePrints Security articles http://sun.com/security/blueprints
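
Added example, not part of the original message and not the BluePrints script itself: one way to locate an active ip_strict_dst_multihoming setting in an nddconfig-style script and produce a copy with it commented out. The function names and the sample script contents are constructed for illustration; the real nddconfig may lay out its ndd calls differently.

```shell
#!/bin/sh
# Audit an nddconfig-style script for an active ip_strict_dst_multihoming
# setting, and emit a copy with that setting commented out.

# Write a constructed sample script to the path given as $1.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the real nddconfig
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
# ndd -set /dev/ip ip_strict_dst_multihoming 0
ndd -set /dev/ip ip_ignore_redirect 1
EOF
}

# Print "lineno:text" for every uncommented line that touches the option.
# Exit status is non-zero when no active setting is found.
find_strict_multihoming() {
    grep -n 'ip_strict_dst_multihoming' "$1" |
        grep -v '^[0-9]*:[[:space:]]*#'
}

# Print the script to stdout with active settings of the option commented
# out. Lines that are already comments are left untouched, and the input
# file itself is never modified.
disable_strict_multihoming() {
    sed '/^[[:space:]]*#/!s/.*ip_strict_dst_multihoming.*/# &/' "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "Active settings found:"
find_strict_multihoming "$sample"
echo "Patched copy:"
disable_strict_multihoming "$sample"
rm -f "$sample"
```

Review the patched copy before putting it in place of the original. On a running node, `ndd -get /dev/ip ip_strict_dst_multihoming` reports the value currently in effect.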