Rod, just one question: what prevents you (LCG-wise) from moving all the WNs onto a private network?
LCG does not require outbound WN connectivity, to my knowledge - these are the applications, like
our own ATLAS DC, that require it. And as you certainly know, ATLAS jobs do not necessarily contact
anything in LCG space.
I am sure the day will come when ATLAS and others will be strongly advised by the security officers
not to contact anything from within the jobs - and maybe this day is tomorrow...
Oxana
Rod Walker wrote:
> Hi,
> In order to reduce the chances of WestGrid WN's launching a DOS attack
> on the Bank of Canada, the sysadmin wants to limit the outbound
> connections to LCG domains. My problem is defining this list in such a
> way that it will not change daily, but give maximum peace of mind to the
> sysadmins.
> Now I can build a list of SEs, RBs, webservers, DBs that a WN would
> possibly want to talk to. I'll swallow the fact that this will change
> and experiment/user scripts can do anything at all.
>
> In turning this list into a firewall configuration, one must decide what
> the netmask is. I'm trying to allow small changes like adding nodes, or
> moving offices, but not new sites.
> -Adding just the specific node ip is not useful, as then adding an SE to
> the same subnet would require a firewall change.
> -Adding with netmask /24 would mean that all nodes in a subnet are
> accessible. This would only break when the subnet changes, but this can
> happen when switching offices for example.
> -Adding with netmask /16 would cover changes of subnets but might
> include some chemists machines. It is this that prevents our sysadmin
> from sleeping.
>
> So what is needed is a list of LCG networks together with their
> netmasks. Such a list would be useful for in and out firewalls, and if
> presented in an updated cut'n'paste iptables form, all the better.
> Although I argued the "open everything" line, sooner or later a user's
> credentials will be maliciously used, and the firewall is the last best
> hope against DOS lawsuits.
>
> Cheers,
> Rod.
>
> --
> Rod Walker +1 6042913051
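The netmask trade-off Rod describes (node-only /32 vs. subnet /24 vs. site-wide /16, and the wish for a cut-and-paste iptables form) can be made concrete with a small script. This is an added example, not code from the thread or from LCG: the hostnames and addresses are constructed placeholders, the per-entry prefix length is the sysadmin's choice, and the /24 review threshold is an assumption. It collapses overlapping blocks, flags entries that are allowed more widely than a subnet, and emits a default-drop OUTPUT chain for a WN.

```python
"""Build an egress allowlist for worker nodes from a list of LCG service hosts.

Constructed example data: none of the names or addresses are real LCG
endpoints. For each entry the admin picks how wide the allowed block is
(/32 = that node, /24 = its subnet, /16 = the site range). The script
collapses overlapping blocks, reports the broad ones for review, and renders
iptables OUTPUT rules with a default DROP so the result can be pasted onto a WN.
"""
import ipaddress

# (label, address, prefix length) - constructed sample allowlist
ALLOWLIST = [
    ("se.example.org",  "192.0.2.10",   24),   # storage element: allow its subnet
    ("rb.example.org",  "192.0.2.200",  24),   # same subnet as the SE, merged below
    ("db.example.org",  "198.51.100.5", 32),   # single database node only
    ("web.example.net", "203.0.113.7",  16),   # whole site range: broad, flagged
]

# Assumption: anything wider than a /24 gets a human look before deployment.
REVIEW_SHORTER_THAN = 24


def allowed_networks(entries):
    """Collapse the per-host blocks into the minimal list of networks."""
    nets = [ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            for _, addr, plen in entries]
    return list(ipaddress.collapse_addresses(nets))


def broad_entries(entries, threshold=REVIEW_SHORTER_THAN):
    """Labels of entries allowed with a prefix shorter than the threshold."""
    return [label for label, _, plen in entries if plen < threshold]


def is_allowed(address, entries):
    """Would an outbound connection to this address pass the generated rules?
    Useful to check what a subnet move or a new SE would break before it happens."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed_networks(entries))


def iptables_rules(entries):
    """Render cut-and-paste iptables rules: default DROP on OUTPUT, loopback and
    established flows accepted, then one ACCEPT per collapsed network, and a LOG
    line so blocked attempts (a compromised credential, a job phoning home) show
    up in the WN logs."""
    lines = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in allowed_networks(entries):
        lines.append(f"iptables -A OUTPUT -d {net} -j ACCEPT")
    lines.append("iptables -A OUTPUT -j LOG --log-prefix 'WN-EGRESS-DROP '")
    return lines


if __name__ == "__main__":
    for label in broad_entries(ALLOWLIST):
        print(f"# REVIEW: {label} allowed wider than /{REVIEW_SHORTER_THAN}")
    print("\n".join(iptables_rules(ALLOWLIST)))
```

Running it prints the review notice for the /16 entry followed by the rules; `is_allowed` answers the "would this change need a firewall edit?" question for any candidate address before the list is deployed.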