[OpenAFS] Firewall politics and AFS deployment
Noel Burton-Krahn
noel@burton-krahn.com
Tue, 27 Sep 2005 09:46:09 -0700
Hi Simeon,
Port forwarding would do the trick, but AFS requires several ports. How
about setting up a VPN to allow external clients access to your AFS servers?
I use www.natnix.com.
--Noel
----- Original Message -----
From: "Simeon Miteff" <simeon@up.ac.za>
To: <openafs-info@openafs.org>
Sent: Tuesday, September 27, 2005 7:37 AM
Subject: [OpenAFS] Firewall politics and AFS deployment
> Dear All
>
> We're facing a difficult problem with our planned deployment of AFS here
> at the University of Pretoria. I'm hoping that we can gain some insight
> into how things work on other similar networks. I apologise in advance for
> the long post, unfortunately I can't think of a short way to explain our
> problem.
>
> Background:
>
> UP has 4 different NIS/NFS domains run by individual departments on our
> campus who use UNIX. The central IT department has historically only
> catered for Windows clients, and we never had any central HPC resources,
> or UNIX file servers, etc. The shortcomings of NIS/NFS were never a problem
> within these "unix pockets", as there was no inter-departmental
> collaboration and/or resource sharing on a systems level.
>
> Now, recently, we obtained some hardware to build a common university
> cluster, and that (among other things) has prompted us to look to AFS as
> a solution for making access to shared clusters/machines transparent to
> users. The idea is for each of these NIS/NFS domains to become 4 separate
> AFS cells.
>
> Now the problem:
>
> Some years ago our network used to be fairly open/lightly firewalled (as I
> imagine most university networks were). Then some machines got hacked
> (*cough*windows*cough*), and then a decision was made to change the
> network to an Internet--->DMZ---->LAN type of setup. The LAN has
> transparent access to the DMZ, but not vice-versa.
>
> Now, external collaborators (untrusted as far as our IT dept. is
> concerned), need to access some of the clusters. This is a
> political/funding issue which we cannot compromise on. The solution was to
> put those clusters in the DMZ.
>
> If we want to deploy AFS clients on these cluster hosts, we'll need to
> either:
>
> 1) Open a handful of ports on the DMZ firewall to the LAN, for each
> file/db/kerberos/ldap server on the LAN (something which our IT dept is
> strongly opposed to).
>
> 2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to
> any machine on campus (they're unhappy about that too, but I guess we have
> a better chance of convincing them to allow this option).
>
> Option 1) seems to be the most reasonable from the UNIX admin's
> perspective, as it will not require us to make major changes to the way we
> plan to deploy our AFS cells on the LAN, but it's the path of most
> resistance in terms of politics.
>
> Option 2) is more likely to happen in terms of politics, but defeats the
> point of a nice distributed AFS system.
>
> Looking at the public CellServDB, I can't help wondering how AFS servers
> are connected at other universities? Are we overly firewalled? Do other
> HPC centres maintain separate AFS cells for cluster users?
>
> Any thoughts?
>
> Kind regards,
> Simeon.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
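Added example, not code from the thread above or from OpenAFS: a small script that emits (rather than applies) the iptables rules each of Simeon's two options would need on the DMZ-to-LAN firewall, so the "handful of ports per server" of option 1 can be compared with the single campus-wide 7001 opening of option 2. The AFS port numbers are the IANA afs3-* assignments (7000 fileserver, 7001 client callback, 7002 ptserver, 7003 vlserver); the address ranges, chain name, server addresses and the assumption that Kerberos and LDAP live on the same hosts are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread. Prints (does not apply)
# the iptables rules the DMZ->LAN firewall would need under each option.
# AFS ports are the IANA afs3-* numbers; all addresses, the chain name and
# the server lists passed in are assumptions for illustration.

DMZ_NET="192.0.2.0/24"       # assumed DMZ range (RFC 5737 documentation space)
LAN_NET="198.51.100.0/24"    # assumed campus LAN range
CHAIN="DMZ_TO_LAN"           # assumed chain carrying DMZ->LAN traffic

# Server ports a cache manager in the DMZ must reach on a LAN-side cell:
#   7000/udp fileserver, 7002/udp ptserver, 7003/udp vlserver.
# 7001/udp is the *client's* callback port: the fileserver sends callback
# breaks to it, so that flow runs server->client, never the other way.
AFS_SERVER_PORTS="7000 7002 7003"

# Option 1: servers stay on the LAN. Open the AFS server ports, plus
# Kerberos (88) and LDAP (389), from the DMZ to each listed server.
# Usage: option1_rules SERVER_IP...
option1_rules() {
    for srv in "$@"; do
        for p in $AFS_SERVER_PORTS; do
            echo "iptables -A $CHAIN -p udp -s $DMZ_NET -d $srv --dport $p -j ACCEPT"
        done
        # Assumes the KDC and LDAP server run on the same host as the cell.
        echo "iptables -A $CHAIN -p udp -s $DMZ_NET -d $srv --dport 88 -j ACCEPT"
        echo "iptables -A $CHAIN -p tcp -s $DMZ_NET -d $srv --dport 88 -j ACCEPT"
        echo "iptables -A $CHAIN -p tcp -s $DMZ_NET -d $srv --dport 389 -j ACCEPT"
    done
    # Replies and fileserver->client callbacks travel LAN->DMZ, which the
    # post says is already open, so nothing more is needed here.
    echo "iptables -A $CHAIN -j DROP"
}

# Option 2: servers move to the DMZ. The only new DMZ->LAN flow is the
# fileserver's callback traffic, sent from its own port 7000 to port 7001
# on any campus client. Pinning the source port narrows the hole compared
# with "anything in the DMZ to 7001 anywhere".
# Usage: option2_rules FILESERVER_IP...
option2_rules() {
    for srv in "$@"; do
        echo "iptables -A $CHAIN -p udp -s $srv --sport 7000 -d $LAN_NET --dport 7001 -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
}

# Number of ACCEPT rules a rule generator emits, for comparing the options.
# Usage: accept_count option1_rules IP... | accept_count option2_rules IP...
accept_count() {
    "$@" | grep -c ' -j ACCEPT$'
}

# Stand-alone run: two LAN servers under option 1 vs one DMZ fileserver
# under option 2 (addresses are placeholders).
if [ "${1:-}" = "--demo" ]; then
    option1_rules 198.51.100.10 198.51.100.11
    option2_rules 192.0.2.20
fi
```

Two caveats a firewall admin will raise. First, option 2 cannot rely on the stateful "ESTABLISHED" match to let callbacks through: a client's request from 7001 to 7000 does create a UDP connection-tracking entry, but those entries expire after a short idle time, and a callback break can arrive long after the client last spoke to that server, so the explicit 7000-to-7001 rule is needed. Second, the script only covers what cache managers need; administrative tools such as vos (7005/udp volserver) and bos (7007/udp) need their own, more tightly scoped rules if anyone in the DMZ is expected to run them.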