Hello to all,
> Date: Sun, 3 Apr 2005 15:31:34 +0100
> From: "Burke, S (Stephen)" <[log in to unmask]>
> Subject: Re: Choice of RLS port number
>
> > The answer may be simply that grid systems should be outside the
> >firewalls and not inside
Might be, this depends on the exact site policy.
What I do not find very acceptable, though, is claiming a single site policy
is fair/authoritative enough to demand architectural changes to grid m/w.
> Basically it seems to me that what you're saying is that at Brunel
> you're no longer able to use the internet. Blocking inbound ports is one
> thing, but if you can't even make outbound connections you can't use it.
I believe what most people at Brunel know as the "Internet" and what most
others know as the "Internet" are fundamentally different experiences.
To be honest, even CERN itself has blockage of ports that is far too near
the edge of security, when put on the flexibility-security axis. :(
> Brunel should perhaps not have joined the grid, since your policy is
> apparently not to allow any use except web browsing ... that may be a
> bit more secure, but it's not very useful for a technology-oriented
> university!
There is not a single RFC citing blockage of those particular ports;
therefore doing so should be considered a "non-standard setup". Yet.
There is a good reason why the IETF processes are painful, up to retarded...
We shouldn't mix up Best Practices with Major Hacks that are done within
most network policies, which are basically circumstantial solutions
due to staffing shortage in properly supporting network environments,
or just patchwork to address bad protocol design. It happens, truly.
> I don't believe there is any such thing. Hackers can clearly use any
> port, including port 80. In the past they may have picked, say, 7777
> because if all ports are open it makes no difference, but if they find
> that those ports are generally closed they'll just move to others.
It seems there is some contention with respect to what kind of ports
the middleware should use.
Since the port range 21xx is nearly empty, it might be a viable idea
to consider moving all remaining grid m/w services within that range.
Doing so would keep some (a few?) of the network admins happy,
as it allows them to collectively apply policies or ship around ports.
If people find such an idea both interesting and feasible, it might be that
the next generation of grid m/w could be dual-ported to 21xx addresses.
MDS ports are already there (2135, 2170), gatekeeper is there (2119),
and most other ports in lcg m/w have distinct 2-digit suffixes,
as is the case with 2811, 7771, 7772, 3306, 7512, 7777, 8080, 3306, 3147.
This could be a good chance, too, to move grid-specific services
currently running at ports like 80 or 389, 3306 to another particular range,
so e.g. a machine can be both a web server and a storage element.
AFAIK, currently this can be tricky (my reference is lcg-port-table.pdf).
Making the changes on the server parts is very (port forwarding), but the
client components of the services will have to change. What do you think?
> > o Move the middleware to web services - everyone knows how to
> > ship HTTP around. But it won't happen for a while (and bulk data
> > transfers will still be an exception)
Yeah right... and then we get the very same discussion
a few years down the road, only shifted in complexity!
PS:
Any criticism found above, please mark it as "constructive" :)
--
echo "sysadmin know better bash than english" | sed s/min/mins/ \
| sed 's/better bash/bash better/' # Yelling in a CERN forum