Andrew McNab, ETF Firewall Meeting, NeSC, 5 Nov 2002
Slide 1: Firewall issues for Globus 2 and EDG
Andrew McNab, High Energy Physics, University of Manchester

Slide 2: Sources for this
(I did NOT consult this book!)
I DID use my experiences maintaining the EDG Testbed site at Manchester HEP and:
–Von Welch's "Globus Firewall Requirements"
–EDG WP6 "Installation Guide"

Slide 3: Overview
"Well known" vs ephemeral ports
Globus 2 "well known" services
Globus 2 ephemeral services
Additional EDG "well known" services
The way EDG uses Globus on sites
Possible solutions
Going to HTTPS based services
–see next talk for Grid Services and Firewalls

Slide 4: Well known vs ephemeral ports
IANA defines a set of "well known" ports for services like SMTP, HTTP, DNS etc.
–mostly < 1024 because of Unix restrictions on users starting services on ports < 1024
To connect to any service, a client typically chooses a random port number above 1023
–this is an "ephemeral port"
Firewalls typically control access based on the "well known" side of the connection.
–"allow from any port to port 80"; "allow from port 80 to any port iff ACK bit set" (i.e. a reply)

Slide 5: Globus 2 "well known" services
All of this is TCP
GRAM for job submission
–server listens on port 2119
–client's range of ephemeral ports can be restricted by setting GLOBUS_TCP_PORT_RANGE
MDS for information services
–LDAP GRIS and GIIS listen on 2135
–LDAP clients choose ephemeral ports randomly
GridFTP for bulk file transfer
–Server listens for control channel on 2811
–Clients connect with a range of ephemeral ports

Slide 6: Globus 2 ephemeral services (1)
The "well-known" ports picture looks ok
–no worse than running HTTP or SMTP etc
However, Globus may use many services bound to ephemeral ports as well!
GASS - temporary https servers
–Started by client (!) during job submission for job input and output files and executables
–By jobmanager to listen for job control signals
–All controllable by GLOBUS_TCP_PORT_RANGE
–BUT, if your firewall imposes ranges, clients and servers must agree this beforehand.

Slide 7: Globus 2 ephemeral services (2)
GridFTP
–some of the same issues as existing FTP PASV
–ephemeral ports chosen on client and server for data channels (range can be controlled)
–single stream transfers: from client to server
–multiple stream transfers: in same direction as data flow! (So basically impossible to do through NAT, unless you start reserving blocks of NAT ports per node)
GASS/GridFTP bottom line: unless you agree port ranges with everyone you talk to, you have to make >1023 wide open.
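As an added example (not from the slides), a small Python model of the stateless rules on slide 4 applied to the GRAM and GASS flows of slides 5 and 6: it shows that the GRAM side is covered by the "well known" rules, while the jobmanager's callback to the client's GASS server only passes when both ends have agreed a GLOBUS_TCP_PORT_RANGE. The 20000-25000 range, the ports passed in and the flow names are assumptions.

```python
from dataclasses import dataclass

# Assumed: both sites have agreed this block and set GLOBUS_TCP_PORT_RANGE to it.
GLOBUS_TCP_PORT_RANGE = (20000, 25000)

# Globus 2 "well known" TCP services from slide 5.
WELL_KNOWN = {2119: "GRAM gatekeeper", 2135: "MDS GRIS/GIIS", 2811: "GridFTP control"}


@dataclass(frozen=True)
class Segment:
    name: str       # what this flow is
    src_port: int   # TCP source port
    dst_port: int   # TCP destination port
    ack: bool       # ACK bit set: reply traffic rather than a new connection


def in_agreed_range(port: int) -> bool:
    low, high = GLOBUS_TCP_PORT_RANGE
    return low <= port <= high


def permitted(seg: Segment) -> bool:
    """Stateless decision on the "well known" side only, as on slide 4.
    One policy is applied to every segment regardless of direction,
    i.e. both sites run the same rules (a simplification)."""
    if seg.dst_port in WELL_KNOWN:              # "allow from any port to port 80"
        return True
    if seg.src_port in WELL_KNOWN and seg.ack:  # "from port 80 to any port iff ACK"
        return True
    # The same pair of rules for the agreed range used by GASS and GridFTP data channels.
    if in_agreed_range(seg.dst_port):
        return True
    if in_agreed_range(seg.src_port) and seg.ack:
        return True
    return False


def blocked_flows(client_port: int, gass_port: int, jobmanager_port: int) -> list:
    """TCP flows of one GRAM submission (slides 5-6); returns names the filter drops.
    client_port: client's ephemeral port for the GRAM connection;
    gass_port: port of the client's temporary GASS https server;
    jobmanager_port: ephemeral port the jobmanager uses to call back."""
    flows = [
        Segment("client -> gatekeeper GRAM", client_port, 2119, False),
        Segment("gatekeeper -> client GRAM reply", 2119, client_port, True),
        # The jobmanager opens a NEW connection back into the client's site.
        Segment("jobmanager -> client GASS https", jobmanager_port, gass_port, False),
        Segment("client GASS -> jobmanager reply", gass_port, jobmanager_port, True),
    ]
    return [f.name for f in flows if not permitted(f)]
```

A client whose GRAM port lies outside the range is still fine, because that connection is decided on the gatekeeper's port 2119; a GASS server outside the range is what gets dropped.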

Slide 8: EU DataGrid "well known" services
These are well-behaved like HTTP or LDAP
Top-level GIIS used by Resource Broker
–LDAP on port 2170
Replica Catalog used by RB to find sites with data
–LDAP on fixed port, advertised in URL (eg 9011)
Resource Broker (sends jobs to "best" site)
–port 7771
Logging and Bookkeeping service
–port 7846

Slide 9: EU DataGrid job submission (diagram only)

Slide 10: How EDG uses Globus on sites
GRAM/GASS used to submit job to site
–connection actually comes from Job Submission Service on Resource Broker
–so need GRAM/GASS to work from RB to CE (gatekeeper)
Input and output sandboxes transferred by GridFTP
–this is done from Worker Nodes so they must have inbound and outbound GridFTP
Storage Elements need access to other SEs and Replica Catalogs

Slide 11: Possible solutions
Most frequent current problem is Worker Node farms with private IPs
–there are ways of doing the GridFTP copies on the CE gatekeeper instead (eg an rsh wrapper)
A longer term solution would be to support HTTP/HTTPS for data as well as GridFTP
–HTTP(S) is more friendly to firewalls and NAT, and application proxies are available.
Still leaves the problem of many ports to manually allow for all the various information services

Slide 12: HTTPS in general
EU DataGrid replacing Globus LDAP services with relational database, HTTP/HTTPS services
–this can considerably simplify the port allocation problem by putting everything on 80/443
HTTPS has the firewall and NAT friendly properties already mentioned
–with delegation extensions, it can be cached
But the next talk is about Grid Services and Firewalls, so I will stop here...