Grid

IP.com Disclosure Number: IPCOM000020401D
Original Publication Date: 2003-Nov-19
Included in the Prior Art Database: 2003-Nov-19
Document File: 3 page(s) / 38K

Publishing Venue

IBM

Abstract

Grid aware firewalls extending the trust base for secure GridFTP data transfers.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 54% of the total text.


GridFTP (Grid File Transfer Protocol) allows two way transfers and third party transfers of data. The FTP (File Transfer Protocol) exchange is as follows:

FTP Client (gsincftp)          GridFTP Server (port 2811/tcp)

1. (SYN SYN/ACK exchange) (command channel is established)
2. command get <file>
3. (SYN SYN/ACK exchange) (data channel is established)

GridFTP Server starts a connection back to the client for the data channel on an ephemeral port.

The problem occurs when a firewall is used on the client. When the server attempts to make a connection back to the target, the protocol exchange is blocked by the target's firewall. This can be seen in the following packet exchange.


FTP Client (gsincftp)          GridFTP Server (port 2811/tcp)

1. (SYN SYN/ACK exchange) (command channel is established)
2. command get <file>
3. (SYN SYN/ACK exchange) (data channel connection is rejected by the firewall which stops incoming SYNs)

The idea behind GridFTP Firewall is that since there is a trust base between the Grid user and the client machine, it should be able to drop a file filter, opening an incoming GridFTP data connection.

GridFTP is capable of performing third party transfers. The same problem occurs, but occurs with two way transfers when the client is pulling a file to the local filesystem.

The idea is to automatically create a tunnel for the incoming data or create a hole in the firewall for the incoming data connection. The user is cap...
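The following is an added example, not code from the disclosure: a small Python model of the client firewall that replays the two exchanges above and shows a hole opened for the incoming data connection. The class and function names, the restriction of the hole to the server's address, its single use and its 30-second lifetime are assumptions made here to keep the opening as narrow as possible; the addresses are constructed documentation addresses.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Pinhole:
    remote_ip: str      # only the GridFTP server may use the hole (assumed policy)
    local_port: int     # ephemeral port the client listens on for data
    expires_at: float   # absolute expiry time (assumed policy)


@dataclass
class ClientFirewall:
    """Client-side firewall model: outbound allowed, incoming SYNs dropped."""
    pinholes: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def open_pinhole(self, remote_ip, local_port, ttl=30.0, now=None):
        now = time.monotonic() if now is None else now
        self.pinholes.append(Pinhole(remote_ip, local_port, now + ttl))

    def inbound_syn(self, src_ip, dst_port, now=None):
        """Return True if an incoming SYN is accepted."""
        now = time.monotonic() if now is None else now
        # Expired holes are removed before any matching is done.
        self.pinholes = [p for p in self.pinholes if p.expires_at > now]
        for hole in self.pinholes:
            if hole.remote_ip == src_ip and hole.local_port == dst_port:
                self.pinholes.remove(hole)  # single use: close after the data SYN
                self.log.append(("ACCEPT", src_ip, dst_port))
                return True
        self.log.append(("DROP", src_ip, dst_port))
        return False


def transfer(fw, server_ip, data_port, grid_aware, now=0.0):
    """Replay steps 1-3 of the exchange; True if the data channel opens."""
    # Steps 1-2: the client connects out to server:2811 and sends "get <file>".
    # Outbound traffic is not filtered in this model.
    if grid_aware:
        # Assumed behaviour: the trusted client asks its own firewall for a
        # hole before the server connects back.
        fw.open_pinhole(server_ip, data_port, ttl=30.0, now=now)
    # Step 3: the server connects back to the client's ephemeral port.
    return fw.inbound_syn(server_ip, data_port, now=now + 1.0)
```

The `log` list records each ACCEPT and DROP decision, which is the audit trail to review when a dynamically opened hole is in use.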