Dynamic Firewalls and Service Deployment Models for Grid Environments
Gian Luca Volpato, Christian Grimm
RRZN Leibniz Universität Hannover (Regional Computing Centre for Lower Saxony)
Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006

Overview
- Dynamic Firewall
  - General concepts
  - Dyna-Fire
  - Cooperative On-Demand Opening (CODO)
  - Limitations
- Globus Toolkit deployment model
  - Services at the Resource Provider
  - Use of existing computing infrastructure
  - Minimal number of connections through the site firewall

Firewall
A Firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy. (*Wikipedia)
- Good: it blocks unwanted and malicious traffic.
- Bad: it might not be flexible enough to allow seamless execution of Grid applications.

Dynamic Firewall
- Goal: protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on demand.
- Current solutions: a signaling protocol to add/remove filtering rules:
  - "Off-path": communication between applications and firewalls
  - "In-path": communication between application peers, intercepted by intermediate firewalls

Dyna-Fire & Cooperative On-Demand Opening
- One daemon runs on the same host as the firewall to:
  - monitor all connection requests
  - add/remove filtering rules in the firewall
- A connection is allowed when the client request is successfully authenticated and authorized.
- Signaling protocol:
  - Dyna-Fire = messages carried by Port Knocking
  - CODO = messages carried over an SSL channel
[Figure: signaling sequence (1, 2) between Client Application (via Library), the Daemon on the firewall host, and the Server Application in the Intranet]

Limitations of dynamic firewalls
- No mechanism to discover automatically the firewalls along the path
- Signaling before connection establishment? Requires static routing table configuration
- Dyna-Fire and Port Knocking:
  - CPU overhead for monitoring of connection attempts
  - Exclusive reservation of some ports
  - Unidirectional protocol, exposed to replay and man-in-the-middle attacks
- CODO:
  - Applications (client and server!) must be recompiled/relinked with a special socket library
  - Authorization policy is coarse-grained and not flexible

Deployment model for Globus Toolkit 4
[Figure: DMZ hosting Local MDS-Index, GridFTP Server, RFT Server, GRAM Server, User Interface; Intranet hosting Batch System Nodes and Batch System Master]
- Constraints:
  - Use existing batch computing resources
  - GT4 services must be reachable from the Internet
- Goals:
  - Avoid any connection between hosts in the Intranet and hosts in the external Internet
  - Identify, analyze and reduce the connections between hosts in the Intranet and GT services in the DMZ

Batch system
[Figure: Batch System Nodes and Batch System Master in the Intranet; GRAM Server on the Batch Sys. Login Node in the DMZ]
- Install Globus GRAM on a host that can submit jobs to the Batch System
- Either:
  - Enable a shared file system between this node and the Batch System, or
  - Modify the GRAM scripts in order to use Batch System functions for file stage-in and file stage-out

GridFTP option 1
[Figure: Batch System Nodes and Batch System Master in the Intranet; GridFTP Server in the DMZ]
- GridFTP server and Batch System have a shared file system
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are stored in the local GridFTP server

GridFTP option 2
[Figure: Batch System Nodes and Batch System Master in the Intranet; GridFTP Server in the DMZ]
- Batch System nodes have direct access to the local GridFTP server
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are uploaded to the local GridFTP server

Reliable File Transfer
[Figure: Batch System Nodes and Batch System Master in the Intranet; GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server in the DMZ]
- RFT server is installed on the same host where the GRAM server runs
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet

MDS
[Figure: Batch System Nodes and Batch System Master in the Intranet; GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index in the DMZ]
- Deploy one MDS-Index that collects monitoring information from all local GRAM and RFT servers (in future also GridFTP servers)
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet
  - between the Batch System Master and the GRAM server (Ganglia, Nagios, etc.)

User Interface
[Figure: Batch System Nodes and Batch System Master in the Intranet; GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index, User Interface in the DMZ]
- The User Interface is used to submit/monitor/manage Grid jobs
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet

Full model
[Figure: complete deployment with User Interface, Batch System Nodes, Batch System Master, GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index; components: GRAM, RFT, Batch System, User Interface, MDS, GridFTP, Shared File System]

Summary
- Dynamic Firewall
  - General concepts
  - Dyna-Fire
  - Cooperative on Demand Ope
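The "Dyna-Fire & Cooperative On-Demand Opening" slides describe a daemon on the firewall host that installs a filtering rule only after a client request has been authenticated and authorized, and the limitations slide notes that a unidirectional signaling channel is exposed to replay. The following Python simulation is an added example, not code from the talk or from the Dyna-Fire or CODO projects: the packet filter is an in-memory default-deny rule table standing in for the real firewall, the authenticated channel (SSL in CODO) is replaced by an HMAC over a constructed per-client key, and the client identities, policy and port numbers are constructed example values. A nonce cache is added to show the replay check the signaling channel needs.

```python
"""Simulated on-demand firewall opening: authenticate, authorize, install a
temporary rule, reject replays. All identities, keys and ports are constructed."""
import hashlib
import hmac
import json
import time

# Constructed per-client keys (assumption: stand-in for CODO's SSL client auth)
CLIENT_KEYS = {
    "alice@grid.example": b"alice-secret-key",
    "bob@grid.example": b"bob-secret-key",
}

# Constructed authorization policy: identity -> destination ports it may open
POLICY = {
    "alice@grid.example": {2811, 8443},  # example values: GridFTP, GT4 container
    "bob@grid.example": {2811},
}

RULE_LIFETIME = 60.0  # seconds a dynamically opened port stays open


class Firewall:
    """Minimal stand-in for the packet filter: default deny, explicit allows."""

    def __init__(self):
        self.rules = {}  # (src_ip, dst_port) -> expiry timestamp

    def add_rule(self, src_ip, dst_port, expiry):
        self.rules[(src_ip, dst_port)] = expiry

    def remove_rule(self, src_ip, dst_port):
        self.rules.pop((src_ip, dst_port), None)

    def allows(self, src_ip, dst_port, now=None):
        now = time.time() if now is None else now
        expiry = self.rules.get((src_ip, dst_port))
        return expiry is not None and now < expiry

    def expire(self, now=None):
        """Remove rules whose lifetime has elapsed (closing the port again)."""
        now = time.time() if now is None else now
        for key in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[key]


def sign_request(identity, src_ip, dst_port, nonce):
    """Client side: build the signaling message and its HMAC (assumption)."""
    body = json.dumps(
        {"id": identity, "src": src_ip, "port": dst_port, "nonce": nonce},
        sort_keys=True,
    )
    mac = hmac.new(CLIENT_KEYS[identity], body.encode(), hashlib.sha256).hexdigest()
    return body, mac


class SignalingDaemon:
    """Daemon co-located with the firewall: the only thing that changes rules."""

    def __init__(self, firewall, lifetime=RULE_LIFETIME):
        self.fw = firewall
        self.lifetime = lifetime
        self.seen_nonces = set()  # replay protection for the signaling channel

    def handle(self, body, mac, now=None):
        """Process one signaling message; return (accepted, reason)."""
        now = time.time() if now is None else now
        msg = json.loads(body)
        key = CLIENT_KEYS.get(msg.get("id"))
        if key is None:
            return False, "unknown client"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "authentication failed"
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed request"
        self.seen_nonces.add(msg["nonce"])
        if msg["port"] not in POLICY.get(msg["id"], set()):
            return False, "not authorized for port"
        self.fw.add_rule(msg["src"], msg["port"], now + self.lifetime)
        return True, "rule installed"


if __name__ == "__main__":
    fw = Firewall()
    daemon = SignalingDaemon(fw)
    body, mac = sign_request("alice@grid.example", "198.51.100.7", 2811, "n1")
    print(daemon.handle(body, mac))        # (True, 'rule installed')
    print(fw.allows("198.51.100.7", 2811))  # True until the rule expires
    print(daemon.handle(body, mac))        # (False, 'replayed request')
```

The rule table is keyed by source address and destination port and carries an expiry, so the opening is both client-specific and temporary; `expire()` is what a real daemon would run periodically to remove stale rules. The per-identity port set is the fine-grained authorization policy the slides say CODO lacks.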