An amalgam of recent conversations

This would normally be OT with respect to HPC, if not for Microsoft starting to compete with one of the fastest growing and sustaining markets.

Rather than report all the conversations we have had, I am going to synthesize them into an effective “single” conversation. This has happened about 5 times this week, online, in person, visiting customers, and so forth.
Them: “We need low cost and highly secure methods of accessing our cluster resources. Keyloggers are dangerous and unfortunately common on windows, so simple passwords cannot be used. We need to keep all our viri and firewall software up to date, but they still don’t protect us. ”
Us: “Ok, would you consider an OS shift? Linux on the desktop is immune to windows viri, keyloggers, and others. You can do all your windows-y stuff like run Excel, Word, PowerPoint through any number of technologies, including VMware, Citrix, VNC, … . What you get in return is a system that is much harder to compromise and knock over. You have to use worst practices, such as giving every user administrative privileges, poorly set access controls on critical files and functionality in order to get hacked. Moreover, you can use Linux to protect your windows, by running windows in a VMWare session atop Linux, using the excellent Linux networking and filtering stack to control access, and using the nearly universal Linux mounting and strong VPN capabilities to access remote data. In the worst case, if you are hacked, with a VMWare system, just copy over your last known good image and go from there. Far less pain than the alternative. Oh, and its not that hard to have VMWare start up automatically when a user logs in, so all they think they see is windows, with a strange login sceen.” *
Them: (rapid blinking) “No can do. Windows is the desktop and the desktop will be windows. We just have to figure out how to solve this problem.”
Us: “Uh … but if you want the problem solved, it may not be easily, or cheaply solved on windows.”
Them: (more rapid blinking) “No can do. Windows is the desktop and the desktop will be windows. We just have to figure out how to solve this problem.”
Us: “Ok, so if it costs you $1000/machine to solve this, is this ‘cheap’ ?”
Them: (more rapid blinking) “uh … er … uh …”
Us: “So if the solution is free, as in zero acquisition cost, and a one time setup cost in terms of labor, less than or at worst roughly equal to what you would have with the other possible solutions, though likely significantly less based upon our experience, would this solve your problem?”
Them: (more rapid blinking) “uh … er … uh … No can do. Windows is the desktop …”
That was the gist of the conversations. Not all of them went like that, but 5 of them boiled down to the unfortunate fact that it is really hard to secure windows, hard to prevent keyloggers from intercepting passwords, and imposing multi-factor access controls could be a good thing if it weren’t too onerous, though how one would do multi-factor access controls on CIFS file systems is … not all that obvious.
What does this have to do with HPC?
Since Microsoft decided that HPC is a great possible market for them, and have decided not to work in the existing market and create their own, that means it is possible that large numbers of machines running windows may be ganged together into a cluster. Great, thats what clustering is all about. Except that it is really hard to lock these machines down to prevent unauthorized access/usage. All you need is one admin accidently doing something like using IE* to browse a web page with one of the myriad of malware bits that will happily worm its way onto the system … or even worse, if the admins use Outlook, and get an email with malicious content slipping through the system. Of course the detractors of this message will say “never!”. I know of at least one major fortune 500, who shall remain nameless, that begs to differ.
So here you have this great collection of machines that are hard to lock down. Corporate IT demands specific patch sets, antivirus, and firewall configurations which are not conducive to clusters. And given the experiences of the fortune 500’s admins that I know dealing with this, those lists need to be updated frequently, and the systems patched incessantly. Which means interruption, downtime, … A recent zero day virus burned through one of these companies. Hit a few thousand machines before they could get control. All were up to date on patches.
Just like locking down desktops, locking down servers is necessary. If you have a system that makes this hard, or harder than it needs to be, you are going to spend more money, time, effort dealing with the securing of the system, and the aftermath of the design issues.
Linux isn’t perfect. But I can limit potential damage in Linux, and I can lock it down very securely, and still have a perfectly usable, functional, and fast system. I am not convinced this is possible in windows, without spending exhorbitant amounts of time and effort, not to mention money. In this day and age, with attacks on a massive uptick, the cost of insecurity surely must be factored into any purchase decision. If you are going to run an insecure system, you need to run it in a secure container so that the insecure system cannot be easily compromised. Otherwise you need to pay your money to make the system secure.
Not a Hobson’s choice. There are obvious solutions.
* no, I am not a VMware spokes-critter, I own none of their stock, yes we want to work with them as they have a neat solution that I have been using in one form or the other for 6 years, but they aren’t the only ones, Xen looks neat, as does OpenVZ
Update: Some conversations recently have demonstrated a strong denial that anti-virus is needed on every windows machine. Specifically, HPC nodes have been claimed to be able to run without it (from people in Microsoft no less 🙁 ). I would agree to this if they were running Linux or some other OS. But when running windows, why not see what the premier windows cluster site does?
Hey, I could be wrong. Always a possibility. Maybe they are running windows machines without an antivirus tool. Looks like they are using Symantec (note to self, they know what they are doing, so switch windows machines to that) though, and I suspect that they work fairly hard to lock things down. That they need additional software at extra cost, installation time, and maintainence cannot reduce the cost of running on that OS.
Leaving an machine that has not been locked down on the net is a really bad idea. A recent exploit is detailed here.
If you can’t lock down your desktop, how are you going to lock down your cluster?