GLAST currently has 10 identical 2x2 CPU Linux servers, glastlnx01-10, with plans to add more later. The plan is to configure these servers identically as far as possible, so that applications can be moved between them as needed to balance the load. Typical applications include web application servers (Tomcat, perhaps others) running custom applications, MySQL servers, the GLAST data server (which provides data to collaborators), servers for receiving data from NASA, and miscellaneous services such as batch interface servers.
Some of these services require direct access from off-site, but the majority of the ports used by these servers are intended only for internal communication. The security team has suggested moving the Tomcat servers from port 8080 to port 2000, since 2000 is blocked at the firewall. This seems arbitrary: it fixes one port at a time, and there are other services running (for example those used for administering and testing web apps) which are probably more susceptible to attack than the web servers themselves.
In addition to these production servers, developers regularly run web application servers and other servers on their development machines.
For the production servers I would suggest that a range of ports be blocked at the SLAC (or some local) firewall, and that services not intended for external use be run on ports in that range. This gives the deployer of a service the freedom (and the responsibility) to decide whether the service should be reachable from off-site simply by choosing its port, and it makes the decision auditable: anything listening on a non-loopback address outside the blocked range is exposed. Note also that since these ports sometimes need to be accessed from off-site for development, testing or maintenance, this will require continued access to VPN or a similar service. A perimeter block does not protect against hosts already inside the SLAC network, so services on blocked ports still need their own authentication and should bind to localhost where only local clients use them.
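The following is an added example (not part of the original note) of how the proposed policy can be checked on one of the servers. It assumes that the firewall blocks inbound TCP to ports 2000-2999 (the note only states that 2000 is blocked), that `ss -H -tlnp` is used to list listening sockets, and that 192.0.2.0/24 stands in for the site network; the sample `ss` lines are constructed, not captured from glastlnx01-10. Each listener is classified as local-only (loopback), internal (in the blocked range) or exposed (reachable from off-site unless something else blocks it), and a pair of local iptables rules equivalent to the perimeter block is generated for the "or some local firewall" variant.

```python
"""Audit listening TCP services against a 'blocked port range' policy.

Added example for the GLAST server note. Assumptions (not in the note):
  - inbound TCP to ports 2000-2999 is blocked at the firewall;
  - `ss -H -tlnp` is the inventory source; SAMPLE_SS_OUTPUT below is
    constructed, not real output from glastlnx01-10;
  - 192.0.2.0/24 is a placeholder for the on-site network.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

BLOCKED_RANGE = (2000, 2999)  # assumption: the note only says port 2000 is blocked

# Constructed sample of `ss -H -tlnp` output (one LISTEN socket per line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=2212,fd=45))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1410,fd=12))
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1410,fd=13))
LISTEN 0 128 *:2001 *:* users:(("java",pid=2290,fd=44))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=4012,fd=9))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)"')      # process name inside users:(("name",...))
_LOOPBACK_PREFIXES = ("127.", "[::1]")         # only reachable from the host itself


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    status: str  # "local-only", "internal" or "exposed"


def _split_addr_port(field: str) -> Tuple[str, int]:
    # rpartition splits on the last colon so IPv6 literals like [::]:22 work.
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def classify(addr: str, port: int, blocked_range=BLOCKED_RANGE) -> str:
    """Decide how reachable a listening socket is under the policy."""
    if addr.startswith(_LOOPBACK_PREFIXES):
        return "local-only"
    lo, hi = blocked_range
    if lo <= port <= hi:
        return "internal"        # blocked at the perimeter, reachable on-site / via VPN
    return "exposed"             # reachable from off-site unless blocked elsewhere


def audit(ss_output: str, blocked_range=BLOCKED_RANGE) -> List[Listener]:
    """Parse `ss -H -tlnp` output and classify every LISTEN socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = _split_addr_port(fields[3])   # "Local Address:Port" column
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(addr, port, process, classify(addr, port, blocked_range)))
    return listeners


def exposed_ports(ss_output: str, blocked_range=BLOCKED_RANGE) -> List[Tuple[int, str]]:
    """Ports a deployer must consciously have meant to expose off-site."""
    return sorted({(l.port, l.process) for l in audit(ss_output, blocked_range)
                   if l.status == "exposed"})


def local_firewall_rules(blocked_range=BLOCKED_RANGE, site_net="192.0.2.0/24") -> List[str]:
    """iptables rules giving a host the same effect as the perimeter block:
    on-site sources may reach the range, everyone else is dropped."""
    lo, hi = blocked_range
    return [
        f"iptables -A INPUT -p tcp --dport {lo}:{hi} -s {site_net} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {lo}:{hi} -j DROP",
    ]


if __name__ == "__main__":
    for l in audit(SAMPLE_SS_OUTPUT):
        print(f"{l.status:10} {l.addr}:{l.port} ({l.process})")
    print("exposed:", exposed_ports(SAMPLE_SS_OUTPUT))
    print("\n".join(local_firewall_rules()))
```

On a real server the input would come from `ss -H -tlnp` run as root (so that process names are visible). In the constructed sample the Tomcat on 8080 and the MySQL instance bound to 0.0.0.0:3306 show up as exposed, while the second Tomcat on 2001 is internal and the MySQL socket bound to 127.0.0.1 is local-only, which is the distinction the deployer is being asked to make.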
For developer machines the solution is less clear.