[OpenAFS] Firewall politics and AFS deployment
Tue, 27 Sep 2005 16:37:30 +0200 (SAST)
We're facing a difficult problem with our planned deployment of AFS here
at the University of Pretoria. I'm hoping that we can gain some insight
into how things work on other similar networks. I apologise in advance for
the long post, unfortunately I can't think of a short way to explain our
UP has 4 different NIS/NFS domains run by individual departments on our
campus who use UNIX. The central IT department has historically only
catered for Windows clients, and we never had any central HPC resources,
or UNIX file servers, etc. The shortcomings of NIS/NFS was never a problem
within these "unix pockets", as there was no inter-departimental
collaboration and/or resource sharing on a systems level.
Now, recently, we obtained some hardware to build a common university
cluster, and that (among other things) has prompted us to look to AFS as
a solution for making access to shared clusters/machines transparent to
users. The idea is for each of these NIS/NFS domains to become 4 separate
Now the problem:
Some years ago our network used to be fairly open/lightly firewalled (as
I imagine most university networks were). Then some machines got hacked
(*cough*windows*cough*), and then a decision was made to change the
network to a Internet--->DMZ---->LAN type of setup. The LAN has
transparent access to the DMZ, but not vice-versa.
Now, external collaborators (untrusted as far as our IT dept. is
concerned), need to access some of the clusters. This is a political/funding
issue which we cannot compromise on. The solution was to put those
clusters in the DMZ.
If we want to deploy AFS clients on these cluster hosts, we'll need to
1) Open a handful of ports on the DMZ firewall to the LAN, for each
file/db/kerberos/ldap server on the LAN (something which our IT dept is
strongly opposed to).
2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to
any machine on campus (they're unhappy about that too, but I guess we have
a better chance of convincing them to allow this option).
Option 1) seems to be the most reasonable from the UNIX admin's
perspective, as it will not require us to make major changes to the way
we plan to deploy our AFS cells on the LAN, but it's the path of most
resistance in terms of politics.
Option 2) is more likely to happen in terms of politics, but defeats the
point of a nice distributed AFS system.
Looking at the public CellServDB, I can't help wondering how AFS servers
are connected at other universities? Are we overly firewalled? Do other
HPC centres maintain separate AFS cells for cluster users?