[cgl_discussion] Security for internal messaging between diff erent nodes of the cl uster?

Pradeep Kathail pkathail at cisco.com
Sat Feb 15 16:36:48 PST 2003

At 2/13/2003 05:39 PM -0500, Makan Pourzandi (LMC) wrote:
>Hi Pradeep, 
>Sorry to be late in my answer, 
>> -----Original Message-----
>> From: Pradeep Kathail [mailto:pkathail at cisco.com]
>> Sent: Tuesday, February 11, 2003 3:08 PM
>> To: Makan Pourzandi (LMC); 'Mika Kukkonen'
>> Cc: Cgl_Discussion (E-mail)
>> Subject: RE: [cgl_discussion] Security for internal messaging between
>> diff erent nodes of the cl uster?
>> >> 
>> >> 
>> >> Maximum security and maximum performance are orthogonal 
>> >> goals, and I am
>> >> all in favor of letting the distro's and their customers to 
>> >> decide which
>> >> one they value more. 
>> >> 
>> >> But the discussion below is quite academic: could you guys 
>> >> come up with
>> >> a certain feature where this trade-off is an issue, and a 
>> decision by
>> >> us is needed? 
>> >> 
>> >
>> >Hi, 
>> >
>> >I believe that this is a possible issue when the boundaries 
>> between inside and outside of the cluster are somehow fuzzy. 
>> For example, a server recieving SIP requests need to access 
>> some databases in the backend or some other nodes for more 
>> info regarding the subscriber or available services. 
>> >There is also the case of servers providing some services 
>> through the third party software (software can be provided by 
>> open source projects, commercial, customer, .... ). This 
>> means that in some cases the server can run "untrusted" 
>> applications. Untrusted applications can be bogus or have 
>> Trojans. This means clearly that you need to protect some of 
>> your internal communications from untrusted software. 
>> Are you planning to have data encrypted between client server 
>> pair? There
>Not realy, actually it comes back to data encrypted between different servers. 
>> will be some scalability concern with this approach. If not, 
>> then we need
>> to protect resources like IPC by enhancing kernel resource protection.
>> Securing channel does not help from rogue applications running on the
>> box.
>You are right, my point concerns more a cluster with many nodes in which we want to restrict access from some nodes running not trusted software to other nodes. 

I am trying to understand the communication model between these nodes.

1. Are the nodes running not-trusted software allowed to talk to 
   any node in the cluster (intermediate nodes) in full/ half 
   duplex mode?
2. Are the intermediate nodes allowed to talk to any node in the cluster  
   in full/ half duplex mode?
3. If answer to above two questions is NO, then why non-trusted nodes
   are part of cluster.
4. If answer is yes, Can non-trusted software bring down the service
   by overloading or corrupting the intermediate nodes?


>Let's take an example for more clarity. In many telco applications, we could easily seperate the nodes accessing Internet and the ones accessing to for example the back end systems. With the sip server type servers, it is no more easy to do. Because almost all nodes need to connect to the nodes outside of the cluster. Further more, you have to run third party software on these nodes. What is going to happen when there is a security breach in one of those nodes running unsecure software? If there is no data protection for internal messages, this will result in one malicious node being able to contaminate or spy on ALL info communicated inside the cluster. It's a known probelm: hard outside, soft inside. Protected internal messages can reduce this risk by avoiding that the malicious node can read the info exchanged between healthy nodes. 
>> Brgds.
>> Pradeep

More information about the cgl_discussion mailing list