Re: VMS cluster behind a *NIX firewall - VMS

This is a discussion on Re: VMS cluster behind a *NIX firewall - VMS ; On Thu, Aug 02, 2007 at 01:12:24AM +0000, Main, Kerry wrote: > Anton, > > Is the concern the network folks have related to non-TCPIP > protocols on the net or OpenVMS itself? > > If it is network protocols, ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Re: VMS cluster behind a *NIX firewall

  1. Re: VMS cluster behind a *NIX firewall

    On Thu, Aug 02, 2007 at 01:12:24AM +0000, Main, Kerry wrote:
    > Anton,
    >
    > Is the concern the network folks have related to non-TCPIP
    > protocols on the net or OpenVMS itself?
    >
    > If it is network protocols, they are worried about, then setting
    > up a private VLAN for the cluster SCS traffic and restricting
    > the primary NICs to TCPIP only would solve that.
    >
    > If they are worried about OpenVMS security, I guess that is a an
    > education problem.
    >
    > [Can't help smiling on this - what they are doing is like
    > protecting a police station by placing a rent-a-cop in front of it.]


    I think they (probably justifiably) doubt my ability to ensure the
    cluster is properly maintained, so that it cannot be exploited in any
    way by.. whoever. And given they have no VMS expertise, and cannot help
    me with this, they saw it safer to arrange things this way, at least for
    now. As I said, if everythig goes well, and I succeed in making the
    cluster a useful and secure computing resource, they might be more relaxed.

    To conclude, the issue is probably more myself than VMS.

    > Here are a few security whitepapers that may be of interest
    > to your network folks:
    >
    > http://h71028.www7.hp.com/ERC/downlo...A0-2896ENW.pdf
    > This whitepaper presents an overview of OpenVMS security and its role in enterprise business continuity. The whitepaper supports the conclusion that IT environments requiring elevated security capabilities need OpenVMS now more than ever, whether on HP Integrity servers, AlphaServer systems, or a combination of both. (November 2005)
    >
    > http://h71000.www7.hp.com/openvms/wh...s/TCS_2004.pdf
    > Techwise Research - This whitepaper provides a detailed comparison of potential vulnerabilities and security-related cluster crashes for HP OpenVMS, IBM AIX, and Sun Solaris Server Clusters. (June 2004)


    Thank you for this. I'll have a look, or maybe I had already, I had
    to read quite a lot lately..

    On a related subject, I wonder if HP could promote VMS
    in my University given VMS strengths you just commented above. I don't just
    mean the core Information Services people, who maintain the main parts
    of the various Uni computing services, but also the end users, researchers,
    perhaps even undergraduates. Regarding the latter, the idea is to at
    least make them aware that (a) VMS exists and (b) is alive and well and
    modern in 2007.

    For example, energy efficiency is likely to be at the top of the
    agenda for people like Director of the Information Services. The Uni
    is starting to look back at the model where we use powerful servers and
    thin clients instead of PCs. The energy savings would be huge. I've
    seen some 4Wt Sun Ray thin clients used in IT services hooked to a linux
    server. Looks quite impressive. Given that most office computers do
    nothing more than run an emil client, web browser and an text editor,
    such model is likely to be their preferred one. Perhaps these servers
    could run VMS instead.

    Of course, if there will be some VMS presence on campus, it
    will make my life much easier - I might be able to get some in-house
    technical help, and would not be considered such a madman (lunatic/crackpot).

    thanks a lot
    anton

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423

  2. Re: VMS cluster behind a *NIX firewall

    Anton,
    there is a large HP office in Bristol and there are people there who
    can help educate your University. There are also local consultants who
    can help.


  3. Re: VMS cluster behind a *NIX firewall

    In article <20070802080816.GA2585@mech-aslap33.men.bris.ac.uk>,
    Anton Shterenlikht wrote:

    > On Thu, Aug 02, 2007 at 01:12:24AM +0000, Main, Kerry wrote:
    > > Anton,
    > >
    > > Is the concern the network folks have related to non-TCPIP
    > > protocols on the net or OpenVMS itself?
    > >
    > > If it is network protocols, they are worried about, then setting
    > > up a private VLAN for the cluster SCS traffic and restricting
    > > the primary NICs to TCPIP only would solve that.
    > >
    > > If they are worried about OpenVMS security, I guess that is a an
    > > education problem.
    > >
    > > [Can't help smiling on this - what they are doing is like
    > > protecting a police station by placing a rent-a-cop in front of it.]

    >
    > I think they (probably justifiably) doubt my ability to ensure the
    > cluster is properly maintained, so that it cannot be exploited in any
    > way by.. whoever. And given they have no VMS expertise, and cannot help
    > me with this, they saw it safer to arrange things this way, at least for
    > now.


    Looking at the positive side of this, you should have a relatively safe
    playground in which to experiment and learn, so any mistakes you may
    make shouldn't be catastrophic.

    > As I said, if everythig goes well, and I succeed in making the
    > cluster a useful and secure computing resource, they might be more relaxed.
    >
    > To conclude, the issue is probably more myself than VMS.


    A downside in the long term is that if your system isn't exposed to the
    big bad world, it might be hard to prove to others that it can cope.



    >
    > For example, energy efficiency is likely to be at the top of the
    > agenda for people like Director of the Information Services. The Uni
    > is starting to look back at the model where we use powerful servers and
    > thin clients instead of PCs. The energy savings would be huge. I've
    > seen some 4Wt Sun Ray thin clients used in IT services hooked to a linux
    > server. Looks quite impressive. Given that most office computers do
    > nothing more than run an emil client, web browser and an text editor,
    > such model is likely to be their preferred one. Perhaps these servers
    > could run VMS instead.


    There is also the potential to save on management costs.

    Energy efficiency is indeed a hot issue in today's energy conscious
    environment, and I would imagine that proposals to achieve that will go
    down extremely well in a university setting.

    > Of course, if there will be some VMS presence on campus, it
    > will make my life much easier - I might be able to get some in-house
    > technical help, and would not be considered such a madman (lunatic/crackpot).
    >


    Please contact the folks Ian Miller suggests.

    --
    Paul Sture

    Sue's OpenVMS bookmarks:
    http://eisner.encompasserve.org/~stu...bookmarks.html

  4. Re: VMS cluster behind a *NIX firewall

    On Thu, 02 Aug 2007 01:08:16 -0700, Anton Shterenlikht
    wrote:

    > To conclude, the issue is probably more myself than VMS.


    When you get more comfortable with it, make your cluster _the_ firewall
    behind a router (which also acts a firewall) that supports both routable
    and non-routable IPs and then put everyone else on the non-routable IPs
    and give the VMS nodes a non-routable alias IP.
    That is what I do.
    --
    PL/I for OpenVMS
    www.kednos.com

+ Reply to Thread