Security - LLNL-Collaboration/uiuc2015 GitHub Wiki

Possible Solutions

  • A Broker that does some sort of secure forwarding via SSH. It would have to run on the front-end node of an LC machine.
    • One broker for everyone? Each person gets a broker? Run as a service?
    • Run as you and forward your stuff if approved by security
    • Run as a service, manage SSH forwarding for everyone
    • Per-user fits the LLNL way since everyone has different need-to-know and such
  • Instead of SSH, use TLS directly
    • Would be the easiest to integrate into an application
    • Within an application, go to Lorenz page to say the service is available
    • Does not require a service, or per-user broker

Requirements

  • If we open a port, the traffic on it has to use SSL, since anyone on the path can snoop it, so that is a requirement
  • Have students do an analysis of the stack they build (or stacks) and all potential holes

Other Notes

  • VisIt's method, which we probably shouldn't use but which is an example of a successful approach:
    • VisIt opens a tunnel via SSH (instigated from client)
    • Engines set up multiple ports and multiplex them on the tunnel
    • VisIt uses its own authentication (approved by security ages ago)
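As an added illustration of the multiplexing idea in the VisIt notes above (this is example code written for this page, not VisIt's or the project's own protocol), the script below frames each chunk from a logical engine port with a channel id and a length so that several ports can share one tunnel, and decodes those frames incrementally on the far side. The wire layout, the MAX_FRAME cap and the sample traffic are assumptions made for the illustration; the same framing would sit equally well under an SSH tunnel or a direct TLS connection.

```python
import struct
from typing import Dict, List, Tuple

# Wire format assumed for this example (constructed here; not VisIt's actual protocol):
#   2-byte channel id | 4-byte payload length | payload, all big-endian.
HEADER = struct.Struct("!HI")
MAX_FRAME = 1 << 20  # hard cap: a corrupt or hostile length prefix must not make us buffer unbounded data


def encode_frame(channel: int, payload: bytes) -> bytes:
    """Wrap one chunk from one logical port into a frame for the shared tunnel."""
    if not 0 <= channel <= 0xFFFF:
        raise ValueError(f"channel id {channel} out of range")
    if len(payload) > MAX_FRAME:
        raise ValueError(f"payload of {len(payload)} bytes exceeds MAX_FRAME")
    return HEADER.pack(channel, len(payload)) + payload


class Demux:
    """Incremental decoder for the receiving end of the tunnel.

    Bytes arrive from a stream socket in arbitrary pieces, so feed() keeps
    a buffer and only emits frames once header and payload are both complete.
    """

    def __init__(self, max_frame: int = MAX_FRAME) -> None:
        self._buf = bytearray()
        self.max_frame = max_frame

    def feed(self, data: bytes) -> List[Tuple[int, bytes]]:
        self._buf += data
        frames: List[Tuple[int, bytes]] = []
        while len(self._buf) >= HEADER.size:
            channel, length = HEADER.unpack_from(self._buf)
            if length > self.max_frame:
                # Fail closed: a length above the cap is a protocol violation, so the
                # caller should drop the connection rather than try to resynchronise.
                raise ValueError(
                    f"frame on channel {channel} claims {length} bytes, over limit {self.max_frame}"
                )
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # payload not fully here yet; wait for more bytes
            frames.append((channel, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return frames


def run_over_tunnel(messages: List[Tuple[int, bytes]], chunk_size: int) -> Dict[int, bytes]:
    """Simulate several engine ports sharing one tunnel.

    Each (channel, payload) is framed and appended to a single byte stream,
    which is then delivered to the far side in chunk_size pieces, mimicking
    the fragmentation a real TCP read produces. Returns the bytes reassembled
    per channel.
    """
    stream = b"".join(encode_frame(ch, data) for ch, data in messages)
    demux = Demux()
    received: Dict[int, bytes] = {}
    for offset in range(0, len(stream), chunk_size):
        for channel, payload in demux.feed(stream[offset:offset + chunk_size]):
            received[channel] = received.get(channel, b"") + payload
    return received


if __name__ == "__main__":
    # Constructed sample traffic: two logical engine ports (channels 0 and 1)
    # interleaved on the same tunnel, arriving in 5-byte pieces.
    sample = [(0, b"engine-0 hello"), (1, b"engine-1 hello"), (0, b" again"), (1, b"")]
    print(run_over_tunnel(sample, chunk_size=5))
```

The length cap is the part worth copying: whichever side of the tunnel terminates the framing is reading input from the network, so it should bound what a single length prefix can make it allocate and treat anything over the bound as a reason to close the connection.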