Keep Your Linux Cluster Secure with Bright Cluster Manager

Cluster Security

Bright Cluster Manager® was designed to offer the maximum possible level of security on your cluster. Security settings are configurable to suit your local requirements.

Security is ensured on multiple levels:

  1. Firewall configuration on all nodes exposed to the network outside the cluster.
  2. Certificate-based authentication for the cluster management infrastructure.
  3. Secure Shell (SSH) access. Secure Shell, or SSH, is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
  4. Support for automatic security updates.
  5. Standard Linux security.

Firewall

The first level of security is provided by a firewall that limits access to all nodes that are connected to networks outside the cluster. Those nodes are normally limited to the head node and (optional) failover, login and I/O nodes. However, Bright Cluster Manager does support network configurations where compute nodes are also connected to the outside world. In that case, it is recommended to run a firewall on all nodes, possibly with different firewall configurations for different types of nodes.

Bright Cluster Manager uses the Shoreline Firewall (more commonly known as "Shorewall") to provide firewall and gateway functionality. Shorewall is a flexible and powerful high-level interface to the netfilter packet filtering framework inside the Linux kernel. Behind the scenes, Shorewall uses the standard iptables command to configure netfilter in the kernel.

By default, Shorewall enables only SSH traffic, but many sites will also want to allow other encrypted cluster management traffic so that the cluster can be managed remotely through the cluster management GUI. The cluster management GUI communicates with the cluster management daemon (CMDaemon) over encrypted connections.

Certificate-Based Authentication

The cluster management infrastructure (i.e. the CMDaemon) requires public key authentication using X.509v3 certificates. X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. In practice, this means that a person authenticating to the cluster management infrastructure must present his/her certificate (i.e. the public key) and must also have access to the private key that corresponds to the certificate. A certificate includes a profile that determines which cluster management operations the holder of the certificate may perform.

Secure Shell Access

The head node is normally accessible by administrators and users using SSH. Within the cluster, the default configuration is to also allow users SSH access to regular nodes, but this can easily be disabled.

Automated Security Updates

Keeping your cluster up-to-date — in particular with security updates and patches — is very important. Bright Cluster Manager can be kept up-to-date very easily. It can check for software security updates and download and install them automatically. Security updates are either downloaded from the repository of the Linux distribution or from the Bright Computing repository.

Standard Linux Security

Bright Cluster Manager supports all standard Linux security tools and methods, such as PAM modules and shadow passwords. Pluggable Authentication Modules, or PAM, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

 
 
© 2009–2013 Bright Computing, Inc. All rights reserved.