encryption protocols?


C Lesburg

Apr 15, 2020, 1:30:56 PM
to Admin Discuss

Hello,

I am working with my internal network administrators to configure our firewall to allow inbound data transfer using Globus Personal Connect (within our firewall) from another site (outside of our firewall) which is running an instance of Globus Connect Server.

There is some documentation which indicates that we should allow outbound connections over port 2223 to the Globus relay servers (54.237.254.192/29) and inbound connections from the remote Globus Connect Server over ports 50000-51000. I also found a Google Groups posting from 2018 indicating that Globus uses TLS 1.2.

However, our internal risk assessment team has some questions about the nature of the data being transferred over these connections.

  1. Can you confirm the encryption protocol(s) being used over these connections?
  2. While it seems that the connection to 54.237.254.192/29 over port 2223 uses TLS 1.2, could you describe whatever protocol(s)/hashing algorithms that are used for the data transfer link from the Globus Connect Server?
  3. I'm a little confused if we should configure to allow inbound connection on ports 50000-51000 or rather an outbound connection and inbound data flow over these ports. Could you please clarify?

Cheers,

Charles

Greg Nawrocki

Apr 15, 2020, 4:31:24 PM
to admin-...@globus.org, les...@gmail.com
Hi Charles,

Per the answers I gave you in the support ticket you submitted:

  1. Can you confirm the encryption protocol(s) being used over these connections?
  2. While it seems that the connection to 54.237.254.192/29 over port 2223 uses TLS 1.2, could you describe whatever protocol(s)/hashing algorithms that are used for the data transfer link from the Globus Connect Server?

Per the document https://docs.globus.org/how-to/configure-firewall-gcp/: Globus uses a "data channel" for moving data between two endpoints. This data channel is established directly between the source and destination endpoints and cannot be accessed by the Globus service, only by the servers running on the endpoints. Encryption of the data channel may be selected by the user initiating the transfer or enforced for all transfers to or from an endpoint by the endpoint administrator. Transfers are encrypted by TLS using OpenSSL libraries installed at the endpoint. The cipher used for a transfer is negotiated between the source and destination endpoints and depends on the preference-ordered list of OpenSSL ciphers (default HIGH) on each endpoint. In addition to the data channel, Globus uses a TLS-encrypted "control channel" to communicate with the source and destination endpoints for a transfer.


  3. I'm a little confused if we should configure to allow inbound connection on ports 50000-51000 or rather an outbound connection and inbound data flow over these ports. Could you please clarify?

For Globus Connect Personal, all file transfers are done over outbound-initiated connections, and the communication with Transfer is done over the outbound connection to the relay service, hence no need for inbound rules.

— Greg

Greg Nawrocki
University of Chicago
Globus
401 N Michigan Ave. - 9th Floor
Chicago, IL 60611
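Two checks that follow from Greg's answer, written up as an added example (this is not Globus code and not from either poster). The first models the firewall question: it encodes the flows the thread describes (outbound to the relay block 54.237.254.192/29 on TCP 2223, outbound to the remote Globus Connect Server on TCP 50000-51000) and shows that an egress-only rule set with no inbound rule covers all of them while an unsolicited inbound connection is still dropped. The second answers what "default HIGH" actually expands to on a given endpoint by asking the host's OpenSSL through Python's ssl module, with an optional forward-secrecy filter. The remote server address 198.51.100.10 is a constructed sample value; the rule evaluator is a deliberately small first-match model, not any particular firewall's semantics.

```python
"""Two checks for the GCP firewall discussion above (added example, not Globus code).

Assumes the figures from the thread: relay servers 54.237.254.192/29 on TCP 2223,
data channel TCP 50000-51000 towards the remote Globus Connect Server, and an
OpenSSL cipher list of "HIGH" on the endpoint. The remote server address
198.51.100.10 used below is a constructed sample value.
"""
import ipaddress
import ssl
from dataclasses import dataclass

RELAY_NET = ipaddress.ip_network("54.237.254.192/29")  # from the thread
RELAY_PORT = 2223                                      # from the thread
DATA_PORTS = range(50000, 51001)                       # 50000-51000 inclusive


@dataclass(frozen=True)
class Flow:
    direction: str  # "out": the GCP host opens the connection; "in": the remote side does
    peer: str       # IP address of the remote party
    port: int       # destination port on the accepting side


@dataclass(frozen=True)
class Rule:
    direction: str
    network: str    # CIDR matched against the peer address
    ports: range
    action: str     # "accept" or "drop"


def verdict(rules, flow):
    """First-match evaluation with a default of drop, like most host firewalls."""
    addr = ipaddress.ip_address(flow.peer)
    for r in rules:
        if (r.direction == flow.direction
                and addr in ipaddress.ip_network(r.network)
                and flow.port in r.ports):
            return r.action
    return "drop"


def gcp_flows(remote_gcs_ip):
    """Connections a GCP host makes, per Greg's answer: every one is outbound."""
    return [
        Flow("out", str(RELAY_NET[1]), RELAY_PORT),  # control channel to a relay server
        Flow("out", remote_gcs_ip, DATA_PORTS[0]),   # data channel, bottom of the range
        Flow("out", remote_gcs_ip, DATA_PORTS[-1]),  # data channel, top of the range
    ]


def egress_only_policy(remote_gcs_ip):
    """Rule set that allows exactly those flows; it contains no inbound rule at all."""
    return [
        Rule("out", str(RELAY_NET), range(RELAY_PORT, RELAY_PORT + 1), "accept"),
        Rule("out", remote_gcs_ip + "/32", DATA_PORTS, "accept"),
    ]


def policy_covers_flows(rules, flows):
    return all(verdict(rules, f) == "accept" for f in flows)


def high_ciphers(require_forward_secrecy=True):
    """Expand OpenSSL's "HIGH" alias on this host, as Python's ssl module sees it.

    Returns (name, protocol, strength_bits) tuples in negotiation-preference order.
    With require_forward_secrecy=True only suites using ECDHE/DHE key exchange, or
    TLS 1.3 (which always has forward secrecy), are kept; that is the extra filter
    a risk team usually wants on top of "HIGH".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("HIGH")
    kept = []
    for c in ctx.get_ciphers():
        desc = c.get("description", "")
        pfs = (c["protocol"] == "TLSv1.3"
               or "Kx=ECDH" in desc or "Kx=DH" in desc)
        if require_forward_secrecy and not pfs:
            continue
        kept.append((c["name"], c["protocol"], c["strength_bits"]))
    return kept


if __name__ == "__main__":
    gcs = "198.51.100.10"  # constructed sample address for the remote server
    print("egress-only policy covers GCP flows:",
          policy_covers_flows(egress_only_policy(gcs), gcp_flows(gcs)))
    print("unsolicited inbound from the server is",
          verdict(egress_only_policy(gcs), Flow("in", gcs, 50000)))
    for name, proto, bits in high_ciphers():
        print(f"{proto:8} {bits:4}  {name}")
```

Run the cipher part on the GCP host itself: "HIGH" is resolved by whatever OpenSSL that host has, so the printed list (not the alias) is the answer to question 2 for that endpoint, and the forward-secrecy filter shows which of those suites a stricter cipher string would need to drop.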

C Lesburg

Apr 16, 2020, 10:57:58 AM
to Greg Nawrocki, admin-...@globus.org
Thanks!

On Apr 15, 2020, at 4:31 PM, Greg Nawrocki <gr...@globus.org> wrote:
