Firewall issues for Globus 2 and EDG

  1. Firewall issues for Globus 2 and EDG
     Andrew McNab, High Energy Physics, University of Manchester
     ETF Firewall Meeting, NeSC, 5 Nov 2002

  2. Sources for this
     • (I did NOT consult this book!)
     • I DID use my experiences maintaining the EDG Testbed site at Manchester HEP and:
       • Von Welch's "Globus Firewall Requirements"
       • EDG WP6 "Installation Guide"

  3. Overview
     • "Well known" vs ephemeral ports
     • Globus 2 "well known" services
     • Globus 2 ephemeral services
     • Additional EDG "well known" services
     • The way EDG uses Globus on sites
     • Possible solutions
     • Going to HTTPS based services
       • see next talk for Grid Services and Firewalls

  4. Well known vs ephemeral ports
     • IANA defines a set of "well known" ports for services like SMTP, HTTP, DNS etc.
       • mostly < 1024 because of Unix restrictions on users starting services on ports < 1024
     • To connect to any service, a client typically chooses a random port number above 1023
       • this is an "ephemeral port"
     • Firewalls typically control access based on the "well known" side of the connection.
       • "allow from any port to port 80"; "allow from port 80 to any port iff ACK bit set" (i.e. a reply)

  5. Globus 2 "well known" services
     • All of this is TCP
     • GRAM for job submission
       • server listens on port 2119
       • client's range of ephemeral ports can be restricted by setting GLOBUS_TCP_PORT_RANGE
     • MDS for information services
       • LDAP GRIS and GIIS listen on 2135
       • LDAP clients choose ephemeral ports randomly
     • GridFTP for bulk file transfer
       • Server listens for control channel on 2811
       • Clients connect with a range of ephemeral ports

  6. Globus 2 ephemeral services (1)
     • The "well-known" ports picture looks ok
       • no worse than running HTTP or SMTP etc
     • However, Globus may use many services bound to ephemeral ports as well!
     • GASS - temporary https servers
       • Started by client (!) during job submission for job input and output files and executables
       • By jobmanager to listen for job control signals
     • All controllable by GLOBUS_TCP_PORT_RANGE
     • BUT, if your firewall imposes ranges, clients and servers must agree this beforehand.

  7. Globus 2 ephemeral services (2)
     • GridFTP
       • some of the same issues as existing FTP PASV
       • ephemeral ports chosen on client and server for data channels (range can be controlled)
       • single stream transfers: from client to server
       • multiple stream transfers: in same direction as data flow!
       • (So basically impossible to do through NAT, unless you start reserving blocks of NAT ports per node)
     • GASS/GridFTP bottom line: unless you agree port ranges with everyone you talk to, you have to make >1023 wide open.
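Slides 4 to 7 describe a stateless filter: connections to the well-known ports are allowed, replies from them only with the ACK bit set, and GASS servers and GridFTP data channels on ephemeral ports can only be matched if a range has been agreed via GLOBUS_TCP_PORT_RANGE. The Python below is an added example, not from the talk, that models that policy and counts how many inbound ports each choice leaves open; the (20000, 25000) range and the segment values are constructed.

```python
"""Model of the stateless port policy on slides 4 to 7 (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Globus 2 and EDG "well known" TCP service ports named on the slides.
WELL_KNOWN = {2119: "GRAM gatekeeper", 2135: "MDS GRIS/GIIS",
              2811: "GridFTP control", 2170: "EDG top-level GIIS",
              7771: "Resource Broker", 7846: "Logging and Bookkeeping"}


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    ack: bool      # False only for the opening SYN of a new connection


def allowed(seg: Segment, port_range: Optional[Tuple[int, int]]) -> bool:
    """Return True if the stateless filter passes this segment.

    port_range is the (low, high) ephemeral range agreed between sites via
    GLOBUS_TCP_PORT_RANGE; None means no range was agreed.
    """
    if seg.dst_port in WELL_KNOWN:      # rule 1: anyone may connect to a service
        return True
    if seg.src_port in WELL_KNOWN:      # rule 2: service replies only with ACK set
        return seg.ack
    # GASS servers and GridFTP data channels listen on ephemeral ports, so a
    # new connection to them has no well-known port to match on at all.
    if port_range is None:
        return seg.dst_port > 1023      # slide 7: ">1023 wide open"
    low, high = port_range
    return low <= seg.dst_port <= high


def inbound_ports_open(port_range: Optional[Tuple[int, int]]) -> int:
    """Count ports that must accept unsolicited SYNs under this policy."""
    ports = set(WELL_KNOWN)
    if port_range is None:
        ports.update(range(1024, 65536))
    else:
        ports.update(range(port_range[0], port_range[1] + 1))
    return len(ports)


if __name__ == "__main__":
    agreed = (20000, 25000)             # constructed example range
    print("GRAM submit:", allowed(Segment(40000, 2119, False), agreed))
    print("GASS callback in range:", allowed(Segment(45000, 20500, False), agreed))
    print("ports open with range:", inbound_ports_open(agreed))
    print("ports open without a range:", inbound_ports_open(None))
```

The spoofed case (a SYN arriving from port 2119 with no ACK) is rejected by rule 2, which is exactly what the "iff ACK bit set" qualifier on slide 4 buys you.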

  8. EU DataGrid "well known" services
     • These are well-behaved like HTTP or LDAP
     • Top-level GIIS used by Resource Broker
       • LDAP on port 2170
     • Replica Catalog used by RB to find sites with data
       • LDAP on fixed port, advertised in URL (eg 9011)
     • Resource Broker (sends jobs to "best" site)
       • port 7771
     • Logging and Bookkeeping service
       • port 7846

  9. EU DataGrid job submission

  10. How EDG uses Globus on sites
     • GRAM/GASS used to submit job to site
       • connection actually comes from Job Submission Service on Resource Broker
       • so need GRAM/GASS to work from RB to CE (gatekeeper)
     • Input and output sandboxes transferred by GridFTP
       • this is done from Worker Nodes so they must have inbound and outbound GridFTP
     • Storage Elements need access to other SEs and Replica Catalogs

  11. Possible solutions
     • Most frequent current problem is Worker Node farms with private IPs
       • there are ways of doing the GridFTP copies on the CE gatekeeper instead (eg an rsh wrapper)
     • A longer term solution would be to support HTTP/HTTPS for data as well as GridFTP
       • HTTP(S) is more friendly to firewalls and NAT, and application proxies are available.
     • Still leaves problem of many ports to manually allow for all the various information services

  12. HTTPS in general
     • EU DataGrid replacing Globus LDAP services with relational database, HTTP/HTTPS services
       • this can considerably simplify the port allocation problem by putting everything on 80/443
     • HTTPS has the firewall and NAT friendly properties already mentioned
       • with delegation extensions, it can be cached
     • But the next talk is about Grid Services and Firewalls, so I will stop here...