Slide 1: Firewall issues for Globus 2 and EDG
Andrew McNab, High Energy Physics, University of Manchester
ETF Firewall Meeting, NeSC, 5 Nov 2002

Slide 2: Sources for this
(I did NOT consult this book!)
I DID use my experiences maintaining the EDG Testbed site at Manchester HEP and:
  – Von Welch's "Globus Firewall Requirements"
  – EDG WP6 "Installation Guide"

Slide 3: Overview
"Well known" vs ephemeral ports
Globus 2 "well known" services
Globus 2 ephemeral services
Additional EDG "well known" services
The way EDG uses Globus on sites
Possible solutions
Going to HTTPS based services
  – see next talk for Grid Services and Firewalls

Slide 4: Well known vs ephemeral ports
IANA defines a set of "well known" ports for services like SMTP, HTTP, DNS etc.
  – mostly < 1024 because of Unix restrictions on users starting services on ports < 1024
To connect to any service, a client typically chooses a random port number above 1023
  – this is an "ephemeral port"
Firewalls typically control access based on the "well known" side of the connection.
  – "allow from any port to port 80"; "allow from port 80 to any port iff ACK bit set" (i.e. a reply)

Slide 5: Globus 2 "well known" services
All of this is TCP
GRAM for job submission
  – server listens on port 2119
  – client's range of ephemeral ports can be restricted by setting GLOBUS_TCP_PORT_RANGE
MDS for information services
  – LDAP GRIS and GIIS listen on 2135
  – LDAP clients choose ephemeral ports randomly
GridFTP for bulk file transfer
  – server listens for control channel on 2811
  – clients connect with a range of ephemeral ports

Slide 6: Globus 2 ephemeral services (1)
The "well-known" ports picture looks ok
  – no worse than running HTTP or SMTP etc.
However, Globus may use many services bound to ephemeral ports as well!
GASS - temporary https servers
  – started by client (!) during job submission for job input and output files and executables
  – by jobmanager to listen for job control signals
  – all controllable by GLOBUS_TCP_PORT_RANGE
  – BUT, if your firewall imposes ranges, clients and servers must agree this beforehand.

Slide 7: Globus 2 ephemeral services (2)
GridFTP
  – some of the same issues as existing FTP PASV
  – ephemeral ports chosen on client and server for data channels (range can be controlled)
  – single stream transfers: from client to server
  – multiple stream transfers: in same direction as data flow! (So basically impossible to do through NAT, unless you start reserving blocks of NAT ports per node)
GASS/GridFTP bottom line: unless you agree port ranges with everyone you talk to, you have to make >1023 wide open.
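The following is an added worked example, not code from the talk or from Globus: it models the stateless "well-known side" filter described on slide 4 and runs the Globus 2 flows from slides 5 to 7 through it. The packets, the port numbers other than the three well-known Globus ports, and the `20000,25000` range are constructed samples. It shows why GRAM on 2119 passes with the two slide 4 rules, why a listener the site starts on an ephemeral port (a GASS server or a GridFTP data channel) is blocked by those same rules, and why opening the range only helps when the listener actually binds inside the range the firewall and GLOBUS_TCP_PORT_RANGE agree on.

```python
"""Stateless "well-known side" packet filtering (slide 4) applied to Globus 2
traffic (slides 5-7). Packets and rules below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# Well-known Globus 2 TCP ports from slide 5
GRAM_PORT = 2119             # gatekeeper, job submission
MDS_PORT = 2135              # GRIS / GIIS (LDAP)
GRIDFTP_CONTROL_PORT = 2811  # GridFTP control channel


@dataclass(frozen=True)
class Packet:
    inbound: bool   # True = arriving at the protected site from outside
    src_port: int
    dst_port: int
    ack: bool       # False only for the initial SYN of a new connection


@dataclass(frozen=True)
class Rule:
    inbound: bool
    src: Optional[PortRange]  # None matches any port
    dst: Optional[PortRange]
    require_ack: bool         # "iff ACK bit set": replies only, no new connections


def _matches(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def allowed(pkt: Packet, rules: List[Rule]) -> bool:
    """First matching rule wins; nothing matching means default deny."""
    for r in rules:
        if (r.inbound == pkt.inbound
                and _matches(pkt.src_port, r.src)
                and _matches(pkt.dst_port, r.dst)
                and (pkt.ack or not r.require_ack)):
            return True
    return False


def well_known_rules(*ports: int) -> List[Rule]:
    """Slide 4's pair of rules for each service port P:
    'allow from any port to port P' and 'allow from port P to any port iff ACK'."""
    rules = []
    for p in ports:
        rules.append(Rule(inbound=True, src=None, dst=(p, p), require_ack=False))
        rules.append(Rule(inbound=False, src=(p, p), dst=None, require_ack=True))
    return rules


def parse_globus_tcp_port_range(value: str) -> PortRange:
    """GLOBUS_TCP_PORT_RANGE is given as 'min,max'; reject ranges below 1024."""
    lo, hi = (int(x) for x in value.split(","))
    if not 1023 < lo <= hi <= 65535:
        raise ValueError(f"bad GLOBUS_TCP_PORT_RANGE: {value!r}")
    return lo, hi


def ephemeral_rules(rng: PortRange) -> List[Rule]:
    """Open an agreed ephemeral range so that listeners bound inside it
    (GASS servers, GridFTP data channels) can accept new connections."""
    return [Rule(inbound=True, src=None, dst=rng, require_ack=False),
            Rule(inbound=False, src=rng, dst=None, require_ack=True)]


def gram_flows_ok(rules: List[Rule]) -> bool:
    """Outside client on (constructed) ephemeral port 40123 submits to the
    gatekeeper on 2119 and the gatekeeper's reply gets back out."""
    syn = Packet(inbound=True, src_port=40123, dst_port=GRAM_PORT, ack=False)
    reply = Packet(inbound=False, src_port=GRAM_PORT, dst_port=40123, ack=True)
    return allowed(syn, rules) and allowed(reply, rules)


def ephemeral_listener_ok(listener_port: int, rules: List[Rule]) -> bool:
    """Can an outside client open a NEW connection to a listener the site
    started on an ephemeral port (GASS server, GridFTP data port)?"""
    syn = Packet(inbound=True, src_port=40124, dst_port=listener_port, ack=False)
    return allowed(syn, rules)


if __name__ == "__main__":
    base = well_known_rules(GRAM_PORT, MDS_PORT, GRIDFTP_CONTROL_PORT)
    print("GRAM through well-known rules:", gram_flows_ok(base))           # True
    print("GASS listener on 33000:", ephemeral_listener_ok(33000, base))   # False
    rng = parse_globus_tcp_port_range("20000,25000")   # constructed site range
    opened = base + ephemeral_rules(rng)
    print("listener on 22000, range open:", ephemeral_listener_ok(22000, opened))  # True
    print("listener on 33000, range open:", ephemeral_listener_ok(33000, opened))  # False
```

The last two lines of output are the "must agree this beforehand" point from slide 6: the firewall range is useless unless every Globus process on both ends is started with the same GLOBUS_TCP_PORT_RANGE, otherwise a GASS server or data channel that lands outside it is silently unreachable and the job hangs rather than failing cleanly.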

Slide 8: EU DataGrid "well known" services
These are well-behaved like HTTP or LDAP
Top-level GIIS used by Resource Broker
  – LDAP on port 2170
Replica Catalog used by RB to find sites with data
  – LDAP on fixed port, advertised in URL (e.g. 9011)
Resource Broker (sends jobs to "best" site)
  – port 7771
Logging and Bookkeeping service
  – port 7846

Slide 9: EU DataGrid job submission

Slide 10: How EDG uses Globus on sites
GRAM/GASS used to submit job to site
  – connection actually comes from Job Submission Service on Resource Broker
  – so need GRAM/GASS to work from RB to CE (gatekeeper)
Input and output sandboxes transferred by GridFTP
  – this is done from Worker Nodes so they must have inbound and outbound GridFTP
Storage Elements need access to other SEs and Replica Catalogs

Slide 11: Possible solutions
Most frequent current problem is Worker Node farms with private IPs
  – there are ways of doing the GridFTP copies on the CE gatekeeper instead (e.g. an rsh wrapper)
A longer term solution would be to support HTTP/HTTPS for data as well as GridFTP
  – HTTP(S) more friendly to firewalls, NAT and application proxies are available.
Still leaves problem of many ports to manually allow for all the various information services

Slide 12: HTTPS in general
EU DataGrid replacing Globus LDAP services with relational database, HTTP/HTTPS services
  – this can considerably simplify the port allocation problem by putting everything on 80/443
HTTPS has the firewall and NAT friendly properties already mentioned
  – with delegation extensions, it can be cached
But the next talk is about Grid Services and Firewalls, so I will stop here...
