This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Unidata Support wrote:
>
> ------- Forwarded Message
>
> >From: Tim Alberta <address@hidden>
> >Subject: LDM and firewalls
> >Organization: UCAR/COMET
> >Keywords: 200102072310.f17NAVL10055 LDM firewall
>
> Hi Anne et al.,
>
> Regarding our LDM, what would the ramifications be if COMET goes behind
> the UCAR firewall? Are there things we would or would not be able to
> do? Would it require a lot of effort on our part to get things working?
>
> Thanks for any info you can provide (that will allow us to maintain the
> status quo)
>
> Tim
>
> ------- End of Forwarded Message

Hi Tim,

Mike says:

"As far as the UCAR security perimeter goes, LDM is an approved service and as such is supported to exposed hosts on the perimeter. It should be relatively transparent for COMET to deal with in that respect. There is a big difference between being behind a firewall/perimeter and blocking port access per system. First, you may have two different approaches of controlling connections like whatever isn't denied is allowed or the opposite of whatever isn't allowed is denied. When you're behind a perimeter, others usually decide the connection policy, but when it is specified per machine, the person who runs the machine decides."

So, you could be on the security perimeter and the ldm would be able to connect to the world. In contrast, if you were inside the firewall, your ldm would only be able to talk to other UCAR machines. For example, you could connect to the LDM on iita.rap.ucar.edu, which is on the perimeter and connects to the world. But, you'd have to be satisfied with the data that iita is providing or get them to request what you want.

I think the only aspect of your LDM that would need to change is to request data from another UCAR LDM.

Mike's other point, which is beyond the scope of the LDM, is about who decides what you make available if you're within the perimeter. If you were inside you might be subject to code reviews and such. I think this is why we chose to remain outside several years ago. FYI.

Hope this is helpful!

Anne

--
***************************************************
Anne Wilson
UCAR Unidata Program
address@hidden
P.O. Box 3000
Boulder, CO 80307
----------------------------------------------------
Unidata WWW server http://www.unidata.ucar.edu/
****************************************************