[fi-rg] Common classification

Leon Gommans lgommans at science.uva.nl
Fri Feb 10 08:21:38 CST 2006


Please find below a list of common issues that I believe can be found
in the high level classification documents. Please add/change/modify/comment.

*Software:*

Port numbers and number of ports unknown until the application starts:
Consequence: big holes (many ports) are required if the number of ports and/or
the port numbers are unknown; the single-hole case (e.g. HTTP port 80) causes
referral problems. Only specific, predetermined applications that use a small
number of very well defined ports can be supported adequately.
*Hardware:*

High performance data streams across long connections need
enough buffer space and switching capacity.

*Network:*

Grid hardware resources running certain applications cannot be placed
inside the DMZ.
Sometimes applications must pass more than 2 DMZs.
Putting Grid applications inside the DMZ can sometimes not be avoided.
Firewalls, when involved in bypass connections, must perform elaborate
routing functions, i.e. by separating private and public IP addresses.
*Security Policy:*

Firewalls may not be aware how many different applications may use the
same port.
Firewalls may not be aware of the number of ports that are actually
required vs. configured.
Firewalls may need to open up to 10.000 ports for certain applications.
Firewalls may not have enough information to authorize complex grid
applications.
Firewalls must not only protect from evil from the public network, but
also prevent the public network from being abused.
Firewalls may not be able to extend the security context between two
applications.
Firewalls may not be aware if a connecting host is actually trusted.

Kind regards .. Leon.
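Added example, not part of Leon's post: a small Python audit that reads iptables-save style rules (the ruleset below is constructed for illustration) and reports the "big holes" the post describes, i.e. ACCEPT rules whose configured port count exceeds a threshold, together with whether the rule is at least restricted to a source address. The 1024-port threshold is an assumption, not a value from the post.

```python
import re

# Constructed sample ruleset in iptables-save syntax (not from the post).
# It mixes narrow service rules with the kind of wide hole the post describes.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 40000:50000 -j ACCEPT
-A INPUT -p udp -m multiport --dports 2049,111,20048 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000:29999 -j DROP
"""

# Matches both "--dport 80" and multiport "--dports 111,2049".
PORT_SPEC_RE = re.compile(r"--dports?\s+(\S+)")


def port_count(spec):
    """Number of ports covered by a spec such as '80', '40000:50000' or '111,2049'."""
    total = 0
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":", 1))
            total += hi - lo + 1
        else:
            total += 1
    return total


def audit_rules(ruleset, threshold=1024):
    """Return (rule, ports_opened, source_restricted) for every ACCEPT rule
    that opens more than `threshold` ports (the 'big hole' case)."""
    findings = []
    for line in ruleset.splitlines():
        if "-j ACCEPT" not in line:
            continue  # DROP/REJECT rules do not open anything
        match = PORT_SPEC_RE.search(line)
        if not match:
            continue  # no destination port spec on this rule
        opened = port_count(match.group(1))
        if opened > threshold:
            findings.append((line.strip(), opened, " -s " in line))
    return findings


if __name__ == "__main__":
    for rule, opened, restricted in audit_rules(SAMPLE_RULES):
        scope = "source-restricted" if restricted else "open to any source"
        print(f"{opened} ports opened ({scope}): {rule}")
```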
