
Re: network monitoring



thus spoke Andrew Miehs <andrew@2sheds.de> [2004.10.31.0907 +0100]:
> On the one hand, you are happy to install via nfs, but on the
> other hand, you want monitoring done via 'ssh'?

Well, I agree that NFS is somewhat of a kludge. However, I want SSH
to contact the servers to execute commands, to prevent someone
else from just executing them without authenticating.

> If you really need this much security, you should probably look at
> implementing ALL your connections via IPSEC - and possibly look at
> storing your ssl keys on a floppy, or usb stick as someone else
> suggested.

Hey, IPsec is a good idea. I will be looking into that. Does anyone
have stats on NFS over IPsec? These are 2 GHz machines...

> Nagios mainly uses SNMP to pull its data - authenticated but not
> encrypted. Big Sister - Have heard it's similar to big brother
> - simple to set up (compared to nagios) and for your small network
> should be more than adequate. Big Brother (and probably big
> sister) have client software that runs on each machine that sends
> the status info back to the display server.

Yeah, but I want a pull approach, not a push approach!

> To be honest, I don't know what sort of data you have running on
> these boxes, 

Nothing special.

> but I would create a relatively secure gateway, and have my
> cluster behind this.

Done.

> This way you could possibly reduce your internal security
> requirements, and not need encryption everywhere. Just make sure
> you back up your data regularly

The problem is people plugging laptops in on the cluster side.

> All logins via the gateway - squid access to the internet from the
> cluster network.

I think I am going to make IPsec mandatory. That's the best way
probably to shield the local network.

Thanks for the pointer. I did not think about it myself. Doh!

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
