Re: Grid vs Firewalls

From: Dantong Yu (dtyu@rcf.rhic.bnl.gov)
Date: Wed Apr 17 2002 - 11:28:41 PDT


Dear All:
BNL is a DOE research lab. Its security
has to comply with DOE policy. My argument
to the BNL network security group is that
globus is funded by DOE SciDAC and should be
supported by the BNL network security group.
They agree with me on this.

Currently, the port range for globus jobs
is randomly chosen (6000~6099).

But when I have my security hat on, I think
that opening up several hundred ports on the firewall
might compromise the firewall. Another issue is
the scalability of the TCP port range: when you
fix the range of TCP ports, you can only handle a fixed
number of grid users.

Therefore, we should decide how many TCP
conduits would be reasonable
and how to choose them.

Another aspect of the firewall issue is:
will the Globus team improve the current design of
using a big range of TCP ports?
The http protocol only needs a limited number of TCP ports
to handle all http traffic. If this can be
implemented in Globus, the whole issue of
scalability and security can be fixed.

 Cheers
 Dantong

 
On Wed, 2002-04-17 at 13:55, Mary Thompson wrote:
> Dantong,
> Thanks for the information. Our problem seems to have been that too
> small a range (10 ports) was opened up for the TCP_PORT_RANGE. Having
> the information that other labs have agreed to open up ports for Globus
> may be useful in convincing our site administrators to do the same.
>
> Thanks, Mary
>
> Dantong Yu wrote:
> >
> > Dear All:
> >
> > In order to make grid software work, we set up
> > firewall conduits (holes) which allow
> > incoming globus requests.
> > Here is the complete list of conduits which
> > the globus suite needs for incoming requests:
> > (The spider.usatlas.bnl.gov is USATLAS testbed).
> >
> > conduit permit tcp host 130.199.6.84 eq 2119 any
> > --> Globus Gatekeeper daemon
> > conduit permit tcp host 130.199.6.84 eq 2135 any
> > --> Globus GRIS (Grid Resource Info. Service) daemon
> > conduit permit tcp host 130.199.6.84 eq 2811 any
> > --> Globus FTP Server
> > conduit permit tcp host 130.199.6.84 range 6000 6099 any
> > --> The current design of grid software does not support
> > port duplexing. Each grid job needs
> > 3~6 tcp ports for standard I/O and error.
> > This range is determined by the total number of jobs
> > which are submitted to/from your globus sites.
> > --> Globus tcp port range for job-manager communication (increase
> > range)
> >
> > conduit permit tcp host 130.199.6.84 range 7030 7034 any (hitcnt=6952)
> > --> iperf testing, not globus; network performance
> > tuning requests.
> >
> > conduit permit udp host 130.199.6.84 range 7030 7034 any (hitcnt=7004)
> > --> iperf testing
> >
> > There might be new ports opened for Globus CAS server.
> >
> >
> > Another way to approach this is to set up a gatekeeper
> > across the firewall. The site security people might not
> > allow it; this is a site-by-site case.
> >
> > Cheers
> > Dantong
> >
> > On Tue, 2002-04-16 at 18:29, Doug Olson wrote:
> > > BNL is running a firewall. Dantong Yu can
> > > give you the details but I believe in that
> > > case it is just holes in the firewall.
> > > Also I think that JLab is, Ian Bird is the
> > > contact there, although I don't think they
> > > are running any globus services, just using GSI.
> > > Doug
> > >
> > > > -----Original Message-----
> > > > From: mrt@lbl.gov [mailto:mrt@lbl.gov]On Behalf Of Mary Thompson
> > > > Sent: Tuesday, April 16, 2002 3:09 PM
> > > > To: Douglas L Olson
> > > > Subject: Grid vs Firewalls
> > > >
> > > >
> > > > Doug,
> > > > Have any of the PPDG sites had to deal with getting grid access through
> > > > firewalls? This is becoming a major issue at the Fusion Sites and we are
> > > > trying to gather up all the collective wisdom on the subject.
> > > >
> > > > Thanks, Mary
> > > >
> > > > --
> > > > ---------------------------------------------------------------------
> > > > Mary R. Thompson <MRThompson@lbl.gov>
> > > > Distributed Security Research Group (510) 486-7408
> > > > Lawrence Berkeley National Lab
> > > > http://www-itg.lbl.gov/~mrt
> > > > ----------------------------------------------------------------------
> > > >
>
> --
> ---------------------------------------------------------------------
> Mary R. Thompson <MRThompson@lbl.gov>
> Distributed Security Research Group (510) 486-7408
> Lawrence Berkeley National Lab http://www-itg.lbl.gov/~mrt
> ----------------------------------------------------------------------
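
[Editor's added example; this is not code from anyone in the thread.]
The message above lists the Cisco PIX-style "conduit permit" holes opened for
Globus and states that each job needs 3~6 TCP ports out of the 6000-6099
job-manager range, which is the scalability worry in the reply. The script
below parses that conduit list (transcribed here as constructed sample input),
counts how many distinct protocol/port pairs are actually open to the world,
and works out how many concurrent jobs the job-manager range can carry. The
helper names (parse_conduits, exposed_ports, world_reachable, job_capacity,
find_range) and the 3/6 ports-per-job bounds are this example's own
assumptions taken from the message, not part of any Globus or PIX tooling.

```python
"""Parse PIX-style 'conduit permit' lines and measure what they expose.

Editor's added example: not code from the thread, Globus, or Cisco.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the conduit lines quoted in the message above.
SAMPLE_CONDUITS = """\
conduit permit tcp host 130.199.6.84 eq 2119 any
conduit permit tcp host 130.199.6.84 eq 2135 any
conduit permit tcp host 130.199.6.84 eq 2811 any
conduit permit tcp host 130.199.6.84 range 6000 6099 any
conduit permit tcp host 130.199.6.84 range 7030 7034 any (hitcnt=6952)
conduit permit udp host 130.199.6.84 range 7030 7034 any (hitcnt=7004)
"""

# One conduit rule: protocol, destination host, 'eq PORT' or 'range LO HI',
# a source spec, and an optional '(hitcnt=N)' counter as printed by the PIX.
_RULE = re.compile(
    r"^conduit\s+permit\s+(?P<proto>tcp|udp)\s+host\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:eq\s+(?P<port>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))\s+(?P<src>\S+)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Conduit:
    proto: str          # "tcp" or "udp"
    host: str           # destination host the hole leads to
    lo: int             # first destination port
    hi: int             # last destination port (== lo for 'eq')
    src: str            # source spec; "any" means the whole Internet
    hits: Optional[int] # hit counter if the line carried one

    @property
    def width(self) -> int:
        return self.hi - self.lo + 1


def parse_conduits(text: str):
    """Parse every non-blank line; reject anything that is not a permit rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'conduit permit' rule: {line!r}")
        if m.group("port") is not None:
            lo = hi = int(m.group("port"))
        else:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: bad port range {lo}-{hi}")
        hits = int(m.group("hits")) if m.group("hits") else None
        rules.append(Conduit(m.group("proto").lower(), m.group("host"),
                             lo, hi, m.group("src"), hits))
    return rules


def exposed_ports(rules, proto=None):
    """Distinct (proto, port) pairs opened, so overlapping rules are not double counted."""
    opened = set()
    for r in rules:
        if proto is None or r.proto == proto:
            opened.update((r.proto, p) for p in range(r.lo, r.hi + 1))
    return len(opened)


def world_reachable(rules):
    """Rules whose source is 'any': each of these is reachable from the Internet."""
    return [r for r in rules if r.src.lower() == "any"]


def find_range(rules, lo, hi, proto="tcp"):
    """Locate the rule for one exact port range (e.g. the job-manager range)."""
    for r in rules:
        if r.proto == proto and r.lo == lo and r.hi == hi:
            return r
    raise LookupError(f"no {proto} range {lo}-{hi} in rule set")


def job_capacity(rule, min_ports_per_job=3, max_ports_per_job=6):
    """(worst case, best case) concurrent jobs a job-manager range can carry,
    using the 3~6 TCP ports per job figure from the message (an assumption)."""
    return rule.width // max_ports_per_job, rule.width // min_ports_per_job


if __name__ == "__main__":
    rules = parse_conduits(SAMPLE_CONDUITS)
    print(f"{len(rules)} rules, {exposed_ports(rules)} distinct proto/port pairs open,"
          f" {len(world_reachable(rules))} of them reachable from any source")
    jm = find_range(rules, 6000, 6099)
    worst, best = job_capacity(jm)
    print(f"job-manager range {jm.lo}-{jm.hi}: {jm.width} ports ->"
          f" {worst}..{best} concurrent jobs at 6..3 ports each")
```

Run it as-is to see that the six lines open 113 distinct protocol/port pairs,
all to any source, and that a 100-port job-manager range caps the site at
16 to 33 concurrent jobs. To size the range for a different site, swap in
that site's "show conduit" output and adjust the ports-per-job bounds.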



This archive was generated by hypermail 2.1.4 : Thu Apr 18 2002 - 12:58:19 PDT