Hi Gregg,
There are two parts to this answer -- a part about OPeNDAP and a part
about LAS.
Regarding OPeNDAP, there are no "actively exploited
vulnerabilities" in OPeNDAP. (Can you share where this incorrect
information has come from?) There was an actively exploited
vulnerability one time last April (or so) on an OPeNDAP server
implementation that was already obsolete at the time (the so-called
"Server-3"). The other OPeNDAP servers -- notably TDS from Unidata and
HYRAX from OPeNDAP, Inc. -- do not share any of the code that was found
to be vulnerable in Server-3. These servers have never been
compromised. One should not install the obsolete Server-3. But the
administrative barriers to installing the alternative (and better)
OPeNDAP servers have already been overcome in a number of NOAA Labs.
OPeNDAP servers are running openly at NCDC, NMFS, NDBC, PMEL and
elsewhere in NOAA.
For the second part of your question -- one can run LAS without running
OPeNDAP at all, or by running a "private" (not accessible outside of the
server firewall) OPeNDAP server. Here are the trade-offs:

- LAS with a "private" OPeNDAP (access to the OPeNDAP server closed off
  outside the institution firewall)
  - LAS' utilization of OPeNDAP is as a middleware tier: the public talks
    to LAS; and LAS talks to OPeNDAP. But the public never directly talks
    to the OPeNDAP server as a part of LAS per se. For this reason it is
    possible to set up a 98% functional LAS without ever exposing OPeNDAP
    to the public.
  - Why "98%" functional? What you cannot do if your OPeNDAP server is
    private is to give the public direct access to "server-side
    transformations". For example, a Matlab desktop user could not ask the
    OPeNDAP server (which is co-located with the LAS) to provide vertically
    averaged fields directly into the Matlab workspace. However, that same
    Matlab user could go to his/her Web browser and ask LAS to provide a
    netCDF file of that same vertically-averaged data. Hence I say it is
    98% functionality.
- LAS with no OPeNDAP at all
  - Lack of any OPeNDAP removes the ability to perform analysis functions
    -- e.g. to average over regions -- since those analysis functions are
    performed inside of the OPeNDAP server (LAS uses an enhanced OPeNDAP
    server called F-TDS). Users will get error messages if they attempt to
    perform those operations. I believe that users also lose the ability
    to perform differences, because LAS relies upon its local OPeNDAP
    (F-TDS) server to perform regridding. (And the data go through this
    same path even in the case where regridding is not actually performed.)
Note that the restrictions on running OPeNDAP, to the degree that they
apply to TDS and HYRAX at all, are truly non-issues for services
provided on private NOAA intranets (not exposed to the public
Internet). There is no security basis for hesitating with the full
installation of LAS for private intranet purposes.
Hope this helps to clarify.
- Steve
================================
Gregg Phillips wrote:
Good Afternoon,
I was wondering if you must run OPeNDAP in order to run LAS? According
to the NCIRT (https://www.csp.noaa.gov/noaa/advisories/20070427/), NOAA
labs are not allowed to run OPeNDAP due to actively exploited
vulnerabilities.
Any guidance would be appreciated.
TIA,
Gregg.
--
Steve Hankin, NOAA/PMEL -- Steven.C.Hankin@xxxxxxxx
7600 Sand Point Way NE, Seattle, WA 98115-0070
ph. (206) 526-6080, FAX (206) 526-6744
"The only thing necessary for the triumph of evil is for good men
to do nothing." -- Edmund Burke
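The "private OPeNDAP behind a public LAS" deployment that Steve describes is, at the network level, a port-scoped firewall policy: the LAS front end accepts connections from anywhere, while the co-located OPeNDAP server accepts them only from the LAS host itself and from the institution's intranet. The following is an added example, not code from the thread or from the LAS, TDS or Hyrax projects. It models that policy as data, evaluates sample connection attempts against it (first matching rule wins, as iptables does), and renders it as iptables rules. The port numbers (80/443 for LAS, 8080 for a Tomcat-hosted TDS or Hyrax), the intranet range 10.0.0.0/8, and the sample client addresses are assumptions for illustration and should be replaced with the site's real values.

```python
"""Model of a public-LAS / private-OPeNDAP firewall policy.

Added example; not part of LAS, TDS or Hyrax. Every port and address
below is an assumption chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed institution intranet

LAS_PORTS = (80, 443)    # assumed: public web front end of LAS
OPENDAP_PORT = 8080      # assumed: Tomcat default for TDS / Hyrax OLFS


@dataclass(frozen=True)
class Rule:
    """One ordered firewall rule: destination port, allowed sources, verdict."""
    port: int
    sources: tuple          # tuple of ip_network objects
    action: str             # "ACCEPT" or "DROP"


def private_opendap_policy(intranet=INTRANET):
    """Ordered policy: LAS open to all, OPeNDAP only from loopback/intranet.

    The final DROP for the OPeNDAP port makes the exposure decision
    explicit rather than relying on the chain's default.
    """
    rules = [Rule(p, (ANYWHERE,), "ACCEPT") for p in LAS_PORTS]
    rules.append(Rule(OPENDAP_PORT, (LOOPBACK, intranet), "ACCEPT"))
    rules.append(Rule(OPENDAP_PORT, (ANYWHERE,), "DROP"))
    return rules


def decide(policy, src_ip, dst_port, default="DROP"):
    """Return the verdict for a TCP connection: first matching rule wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.port == dst_port and any(src in net for net in rule.sources):
            return rule.action
    return default


def exposed_ports(policy, src_ip):
    """Set of policy ports a given client address could reach.

    Used as the check: an Internet address must see only the LAS ports.
    """
    return {r.port for r in policy if decide(policy, src_ip, r.port) == "ACCEPT"}


def iptables_lines(policy):
    """Render the policy as iptables INPUT-chain rules (first match wins)."""
    lines = []
    for rule in policy:
        for net in rule.sources:
            src = "" if net == ANYWHERE else f" -s {net}"
            lines.append(
                f"iptables -A INPUT -p tcp --dport {rule.port}{src} -j {rule.action}"
            )
    return lines


if __name__ == "__main__":
    policy = private_opendap_policy()
    # Constructed sample clients: an Internet address, the LAS host itself
    # (loopback, i.e. LAS calling its co-located OPeNDAP), and an intranet user.
    for ip in ("203.0.113.5", "127.0.0.1", "10.20.30.40"):
        print(ip, sorted(exposed_ports(policy, ip)))
    print("\n".join(iptables_lines(policy)))
```

The check that matters for the question in the thread is `exposed_ports(policy, "<any Internet address>")`: it must contain only the LAS ports, never 8080. The loopback ACCEPT is what lets LAS reach F-TDS for regridding and server-side averaging, so the "98%" configuration keeps that hop while closing the port to the outside. As a second layer, the Tomcat HTTP connector that hosts TDS or Hyrax can also be bound to 127.0.0.1 via its `address` attribute (an assumed but standard Tomcat setting), so the server is unreachable from outside even if the firewall rules are later edited.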