[OpenAFS] Firewall politics and AFS deployment
Tue, 27 Sep 2005 09:46:09 -0700
Port forwarding would do the trick, but AFS requires several ports. How
about setting up a VPN to allow external clients access to your AFS servers?
I use www.natnix.com.
----- Original Message -----
From: "Simeon Miteff" <firstname.lastname@example.org>
Sent: Tuesday, September 27, 2005 7:37 AM
Subject: [OpenAFS] Firewall politics and AFS deployment
> Dear All
> We're facing a difficult problem with our planned deployment of AFS here
> at the University of Pretoria. I'm hoping that we can gain some insight
> into how things work on other similar networks. I apologise in advance for
> the long post, unfortunately I can't think of a short way to explain our
> UP has 4 different NIS/NFS domains run by individual departments on our
> campus who use UNIX. The central IT department has historically only
> catered for Windows clients, and we never had any central HPC resources,
> or UNIX file servers, etc. The shortcomings of NIS/NFS was never a problem
> within these "unix pockets", as there was no inter-departimental
> collaboration and/or resource sharing on a systems level.
> Now, recently, we obtained some hardware to build a common university
> cluster, and that (among other things) has prompted us to look to AFS as
> a solution for making access to shared clusters/machines transparent to
> users. The idea is for each of these NIS/NFS domains to become 4 separate
> AFS cells.
> Now the problem:
> Some years ago our network used to be fairly open/lightly firewalled (as I
> imagine most university networks were). Then some machines got hacked
> (*cough*windows*cough*), and then a decision was made to change the
> network to a Internet--->DMZ---->LAN type of setup. The LAN has
> transparent access to the DMZ, but not vice-versa.
> Now, external collaborators (untrusted as far as our IT dept. is
> concerned), need to access some of the clusters. This is a
> political/funding issue which we cannot compromise on. The solution was to
> put those clusters in the DMZ.
> If we want to deploy AFS clients on these cluster hosts, we'll need to
> 1) Open a handful of ports on the DMZ firewall to the LAN, for each
> file/db/kerberos/ldap server on the LAN (something which our IT dept is
> strongly opposed to).
> 2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to
> any machine on campus (they're unhappy about that too, but I guess we have
> a better chance of convincing them to allow this option).
> Option 1) seems to be the most reasonable from the UNIX admin's
> perspective, as it will not require us to make major changes to the way we
> plan to deploy our AFS cells on the LAN, but it's the path of most
> resistance in terms of politics.
> Option 2) is more likely to happen in terms of politics, but defeats the
> point of a nice distributed AFS system.
> Looking at the public CellServDB, I can't help wondering how AFS servers
> are connected at other universities? Are we overly firewalled? Do other
> HPC centres maintain separate AFS cells for cluster users?
> Any thoughts?
> Kind regards,
> OpenAFS-info mailing list