[gpfsug-discuss] GPFS (partly) inside dmz

Frederik Ferner frederik.ferner at diamond.ac.uk
Mon Nov 2 14:46:49 GMT 2015


On 02/11/15 13:53, Martin Gasthuber wrote:
> we are currently in discussion with our local network security people
> about the plan to make certain data accessible to outside scientists
> via ftp - this implies that the host running the ftp daemon runs with
> its ethernet ports inside a dmz. On the other hand, all NSD access
> is through IB (and should stay that way). The biggest concerns are
> around the possible intrusion from that ftp host (running as GPFS
> client) through the IB infrastructure to other cluster nodes,
> possibly causing big trouble for the scientific data. Does anybody
> here have similar constraints and possible solutions to mitigate that
> risk?

Martin,

we have a very similar situation here at Diamond with our GridFTP/Globus 
endpoint. We have a machine with full access to our high performance 
file systems in our internal network, which then exports those over NFS 
over a private point-to-point fibre to a machine in the DMZ. This is
also firewalled with IPTables on the link on the internal machine to 
only allow NFS traffic. This has so far provided sufficient performance 
to our users.

Kind regards,
Frederik

-- 
Frederik Ferner
Senior Computer Systems Administrator (storage) phone: +44 1235 77 8624
Diamond Light Source Ltd.                       mob:   +44 7917 08 5110

Duty Sys Admin can be reached on x8596
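
An added example, not part of the message above and not Diamond's actual ruleset: a small audit of an `iptables-save` dump from the internal NFS server, checking that traffic arriving on the link to the DMZ host can reach only NFS and cannot be forwarded on to other internal nodes. The interface name `p2p0`, the address `192.0.2.2`, the assumption of NFSv4 over TCP port 2049, and the names `audit` and `SAMPLE_RULES` are all hypothetical.

```python
import shlex

LINK_IF = "p2p0"    # hypothetical name of the point-to-point interface
NFS_PORT = "2049"   # assumption: NFSv4 over TCP, so one port is enough

# Constructed iptables-save excerpt for the internal NFS server (not from the post).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i p2p0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.2/32 -i p2p0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -i p2p0 -j DROP
COMMIT
"""

def audit(ruleset, link=LINK_IF):
    """Return findings for traffic arriving on `link`; an empty list means NFS only."""
    # Negated matches and jumps to user-defined chains are reported, not interpreted.
    findings, policy = [], {}
    closed = {"INPUT": False, "FORWARD": False}   # catch-all drop seen for the link?
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if line.startswith(":"):
            policy[tok[0][1:]] = tok[1]           # chain policy line, e.g. ":INPUT ACCEPT"
            continue
        if not line.startswith("-A ") or tok[1] not in closed or closed[tok[1]]:
            continue                              # not a rule, or unreachable after the drop
        chain = tok[1]
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-i", link) != link:
            continue                              # rule is bound to another interface
        target = opt.get("-j")
        if "!" in tok or target not in ("ACCEPT", "DROP", "REJECT", "LOG"):
            findings.append(f"{chain}: review by hand: {line}")
        elif target in ("DROP", "REJECT"):
            closed[chain] = set(opt) <= {"-A", "-i", "-j"}   # unconditional for the link
        elif target == "ACCEPT":
            nfs = opt.get("-p") == "tcp" and opt.get("--dport") == NFS_PORT
            est = opt.get("--ctstate") == "ESTABLISHED"
            if chain == "FORWARD" or not (nfs or est):
                findings.append(f"{chain}: non-NFS traffic accepted: {line}")
    for chain, done in closed.items():
        if not done and policy.get(chain) != "DROP":
            findings.append(f"{chain}: no catch-all drop for {link}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RULES) or "only NFS is accepted on the link")
```

Rules with no `-i` match are treated as applying to the link too, since an interface-agnostic ACCEPT placed before the link's DROP would also admit traffic from the DMZ host.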




