Security For TLS Distribution


Code Wiget
Hello,

I am working on the final deployment push. Since we are hosting some servers at AWS and some in another location, and we would like to cluster our nodes and use RPCs, we added distribution over TLS. From my understanding, this changes the standard Erlang RPCs to use TLS connections rather than standard TCP.

From this article on erlang-solutions.com: https://www.erlang-solutions.com/blog/erlang-distribution-over-tls.html it is noted that a next concern is epmd, and how it is a security concern as its connection is over TCP.

How should we address this? Is there a fix? And are there any other security concerns that need addressing before connecting nodes across multiple data centers?

Thanks for your advice!

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Security For TLS Distribution

Guilherme Andrade
Hi,

On 2 February 2018 at 21:57, asdf asdf <[hidden email]> wrote:
I am working on the final deployment push. Since we are hosting some servers at AWS and some in another location, and we would like to cluster our nodes and use RPCs, we added distribution over TLS. From my understanding, this changes the standard Erlang RPCs to use TLS connections rather than standard TCP.

From this article on erlang-solutions.com: https://www.erlang-solutions.com/blog/erlang-distribution-over-tls.html it is noted that a next concern is epmd, and how it is a security concern as its connection is over TCP.

How should we address this? Is there a fix? And are there any other security concerns that need addressing before connecting nodes across multiple data centers?

I was faced with a similar problem some time ago. Because of all the gotchas and potential pitfalls I encountered (which, unfairly, I can no longer recall with clarity), I decided instead to go with RPC that doesn't depend on distribution.

For this, I created backwater[1], as most common RPC solutions require a lot of boilerplate type conversions and/or maintenance. It can generate the client code boilerplate necessary to call remote modules, and it uses the external term format[2] for both function arguments and return values. Depending on what sort of data you want to be passing around, this might be a good fit.

But hopefully someone else will be able to answer your actual question instead of dabbling in self-promotion :-).



Re: Security For TLS Distribution

A. G. Madi
In reply to this post by Code Wiget
Hi,

I haven't found a way to use epmd over TLS yet, but I was just reading an article that might be helpful to you.  It describes a way to not have to use epmd at all.  Check it out; maybe you can use it. https://www.erlang-solutions.com/blog/erlang-and-elixir-distribution-without-epmd.html



On Friday, February 2, 2018 3:59 PM, asdf asdf <[hidden email]> wrote:


Hello,

I am working on the final deployment push. Since we are hosting some servers at AWS and some in another location, and we would like to cluster our nodes and use RPCs, we added distribution over TLS. From my understanding, this changes the standard Erlang RPCs to use TLS connections rather than standard TCP.

From this article on erlang-solutions.com: https://www.erlang-solutions.com/blog/erlang-distribution-over-tls.html it is noted that a next concern is epmd, and how it is a security concern as its connection is over TCP.

How should we address this? Is there a fix? And are there any other security concerns that need addressing before connecting nodes across multiple data centers?

Thanks for your advice!