| UNAVCO
 


Knowledge Base

SuomiNet Site Network Rules Regarding Port Access

SuomiNet Site network rules regarding port access.

SuomiNet sites must be on a network. That is, they must have 24/7 internet connection to allow automated data transfer via the LDM developed by UNIDATA. All the Suominet sites must comply with the LDM port requirements regardless of whether they have a firewall installed. If they cannot comply with these standards, then LDM cannot be used to transfer data. We are not allowing exceptions to LDM data transfer. We are also requiring that we be able to ssh into the SuomiNet field cpu’s.

For LDM to run properly behind a firewall, item #1 is required and item #2 is optional:

  1. The firewall must allow port 388 to be open for TCP packets.

  2. Port 111 can be allowed and portmapper should be running.

Having port 388 allowed and reserved for LDM is required, and portmapper running and port 111 allowed is recommended, although not absolutely necessary.

For ssh to work ssh must be installed and port 23 must be allowed.

Example situation UCAR:

A firewall is installed. Most cpu’s behind the firewall have port 388 blocked to the outside world, but open to UCAR subnet IP#’s. UCAR has designated "semi exposed" hosts which have port 388, the ssh port (23) port 111, the ftp port, and some other ports open. A local group system administrator designates a machine as semi exposed by setting the last part or local IP# within a range of designated #’s. The router allow ports 388, 23, etc. for these semi exposed hosts to the world at large. The local group system administrators are responsible for installing sufficient security on the semi exposed host cpu’s. LDM traffic other than UCAR to UCAR is handled on one of these semi exposed hosts.

SuomiNet cpu’s will have security patches installed before leaving UNAVCO, as well as the Linux OS, LDM, JSTREAM, ssh, and other functions needed to operate as SuomiNet cpu’s. If SuomiNet cpu’s will be behind a firewall the firewall must either allow port 388 and port 23 to all cpu’s behind that firewall -or- the Suominet cpu must be in a semi exposed host category behind the firewall and the router programmed to allow ports 388, and 23 (111 recommended) to semi exposed hosts. We are recommending that SuomiNet cpu’s be set up in a semi exposed configuration (only a subset of ports opened) rather than being totally outside of any local firewalls. If the local system administrator feels that additional security is necessary they can limit the outside world IP#’s allowed to use these ports at the subnet level. A list of IP subnets that must be allowed access to the Suominet cpu ports 388 and 23 is being compiled and will be provided on request.

The IP# and name.subnet.univeristy.edu which will be assigned to the suominet cpu must be specified before the cpu is shipped from UNAVCO so that we can correctly configure LDM.

Attached Files (1)
Comments
There are no comments for this article. Be the first to post a comment.
Name
Email
Security Code Security Code
Related Articles RSS Feed
SuomiNet Efforts in the U.S. Southern Great Plains (paper, year?)
Viewed 4613 times since Wed, Dec 30, 2009
SuomiNet - Site Configurations
Viewed 2111 times since Wed, Dec 30, 2009
GPS Receiver and Antenna Testing Report for SuomiNet (2000)
Viewed 4079 times since Wed, Mar 24, 2010
SuomiNet - Site Wireless Configuration
Viewed 1545 times since Thu, Dec 17, 2009
SuomiNet Trimble 4700 Firmware
Viewed 1828 times since Thu, Oct 30, 2008
SuomiNet - Support Overview
Viewed 3672 times since Fri, Sep 3, 2010
Impact of GPS-Based Water Vapor Fields on Mesoscale Model Forecasts (presentation)
Viewed 30151 times since Wed, Dec 30, 2009
SuomiNet - Cost Share Confirmation Letter
Viewed 973 times since Wed, Dec 30, 2009
Trimble WinFlash - How to load new firmware onto the Trimble 4700 receiver
Viewed 19404 times since Mon, Dec 14, 2009
SuomiNet - FreeWave Wireless Communication Link
Viewed 1603 times since Wed, Dec 30, 2009
MENU

Last modified: Monday, 12-May-2014 00:18:29 UTC