Using Midframe Servers to Build Secure Sun Fire Link Interconnect Networks
In a distributed computer system, data is sent from one computer over a network to another computer. When the data is transmitted over the network, the data is sensitive to privacy, authenticity, and point of origin attacks. Deploying a secure distributed computer system can be difficult. Because the Sun Fire Link software is a distributed computer system, it is vulnerable to these types of attacks and must be protected.
Keeping the Sun Fire Link secure requires an ongoing effort. This article describes how to install and deploy the Sun Fire Link product so that it can be securely managed and operated. The article presents the software architecture and the steps for securing the Sun Fire Link interconnect. The commands used in configuration steps are either Sun Fire Link Manager (FM) or Solaris Operating Environment (Solaris OE) tools. The article requires a general knowledge of Solaris OE system administration.
The article also contains a section on how to create and configure a Sun Fire Link fabric, which is a collection of remote shared memory (RSM) partitions, each of which is made up of compute nodes and switch nodes.
The major elements of the recommendations are:
Configuring the Administration Software to use Secure Sockets Layer (SSL)
Configuring the tools to use role-based access control (RBAC)
Setting up a private management subnet
Setting up a midframe service processor (MSP)
Enabling all security features of the software
Securing the Sun Fire Link switch
This article builds upon the Sun BluePrints article "Securing the Sun Fire Midframe System Controller" Version 1.3, 10/23/02. For the Sun Fire Link Cluster to be secure you must follow all of the recommendations in this article.
This article is written for system installers and administrators who must install and deploy the Sun Fire Link product so that it can be securely managed and operated.
This article covers the following topics:
Sun Fire Link Overview
Sun Fire Software Overview
Securing the Midframe Sun Fire Link Cluster
Sun Fire Link Overview
The Sun Fire Link product is a high-bandwidth, low-latency cluster interconnect used with Sun Fire 6800 and Sun Fire 15K servers to expand high-end Sun Fire series system capabilities beyond the chassis. A Sun Fire Link cluster consists of up to eight Sun Fire 6800 and/or Sun Fire 15K nodes connected to each other by a Sun Fire Link optical network. Each node has a separate instance of Solaris OE software running under a layer of clustering software, which can be either Sun Cluster or Sun HPC ClusterTool software. This separate hardware will include Sun Fire Link switches too. A Sun Fire Link cluster also requires an Ethernet network to carry cluster administration traffic. It connects all cluster components that exchange control and status/error information. We recommend a dedicated server for running the required management software. The Sun BluePrints article "Securing the Sun Fire Midframe System Controller" discusses the Midframe Service Processor (MSP). The MSP is a dedicated server that restricts access to the private System Controller (SC) network. The MSP is a workstation. Its only function is to serve as a firewall and to run the FM software. The goal of the MSP is to serve as a barrier between the private management network and the open network.
Sun Cluster and Sun HPC ClusterToo software use the remote shared memory (RSM) interface for internode communication across a Fire Link network. RSM is a Sun messaging interface that is highly efficient for remote memory operations. For Sun Fire Link clusters of two or three nodes, the network connections can be point-to point (direct-connect topology) or through Sun Fire Link switches. For larger clusters (four to eight nodes), Sun Fire Link switches are required. The servers interface to the Sun Fire Link network is provided by an I/O subsystem specific to Sun Fire Links, called the Sun Fire Link assembly. These assemblies are installed in standard server I/O slots. Each Sun Fire Link assembly contains two optical transceiver modules called Sun Fire Link optical modules. Each optical module supports a full-duplex optical link. The Sun Fire Link assemblies are installed in pairs to enhance availability and to support message striping for higher bandwidth.
Figure 1 shows direct connect topology. Figure 2 shows switched connect topology.
FIGURE 1 Direct Connect Topology
FIGURE 2 Switched Topology