Subject: Re: security
From: Mohit Anchlia
To: user@cassandra.apache.org
Date: Wed, 9 Nov 2011 07:19:17 -0800

We lock down ssh to root from any network. We also provide individual logins, including sysadmin, and they go through LDAP authentication. Anyone who does sudo su as root gets logged and alerted via trapsend. We use firewalls and also have a separate VLAN for datastore servers. We then open only specific ports from our application servers to datastore servers.

You should also look at Cassandra authentication as an additional means of securing your data.

On Wed, Nov 9, 2011 at 6:39 AM, Sasha Dolgy wrote:
> Firewall with appropriate rules.
>
>> On Tue, Nov 8, 2011 at 6:30 PM, Guy Incognito wrote:
>>>
>>> hi,
>>>
>>> is there a standard approach to securing cassandra eg within a corporate
>>> network? at the moment in our dev environment, anybody with network
>>> connectivity to the cluster can connect to it and mess with it. this would
>>> not be acceptable in prod. do people generally write custom authenticators
>>> etc, or just put the cluster behind a firewall with the appropriate rules to
>>> limit access?
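
A check for the allowlist approach described in the message above, as an added example that is not part of the original thread: it audits an `iptables-save` dump from a datastore host and flags ACCEPT rules that expose Cassandra ports to sources outside the intended networks. The addresses, the ruleset and the policy are constructed, and the ports are assumed to be Cassandra's defaults (9160 Thrift clients, 7000 inter-node, 7199 JMX); negated matches and rule ordering are not modelled.

```python
import ipaddress
import shlex

# Assumed policy (not from the thread): default Cassandra ports -> networks allowed in.
APP, STORE = "10.10.1.0/24", "10.20.0.0/24"   # constructed app-server and datastore VLANs
POLICY = {9160: [APP],     # Thrift client port: application servers only
          7000: [STORE],   # inter-node storage port: datastore VLAN only
          7199: [STORE]}   # JMX: datastore VLAN only

# Constructed iptables-save excerpt from a hypothetical datastore host.
SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 7000 -j ACCEPT
-A INPUT -s 10.10.1.15/32 -p tcp -m tcp --dport 9160 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 7199,9160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

def expand_ports(spec):
    """Turn '7199,9160' or '7000:7001' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset, policy=POLICY):
    """Return (rule, port) pairs where an ACCEPT rule admits a source outside policy."""
    findings = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "-i" in tok or "--state" in tok or "--ctstate" in tok:
            continue  # skip non-rules, interface-bound rules and stateful reply rules
        opts = dict(zip(tok, tok[1:]))  # each option mapped to the token that follows it
        if opts.get("-j") != "ACCEPT":
            continue
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        spec = opts.get("--dport") or opts.get("--dports")
        ports = expand_ports(spec) if spec else set(policy)  # no port match = every port
        for port in sorted(ports & set(policy)):
            allowed = [ipaddress.ip_network(n) for n in policy[port]]
            if not any(src.subnet_of(a) for a in allowed):
                findings.append((line, port))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The audit is conservative: it reports any over-broad ACCEPT even if an earlier rule would shadow it, so each finding is a rule to review rather than proof of exposure.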