Dynamic Firewalls and Service Deployment Models for Grid Environments
Gian Luca Volpato, Christian Grimm
RRZN – Leibniz Universität Hannover
Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006
Gian Luca Volpato | 16-10-2006 | Slide 2
Regional Computing Centre for Lower Saxony
Overview
- Dynamic Firewall
  - General concepts
  - Dyna-Fire
  - Cooperative On-Demand Opening (CODO)
  - Limitations
- Globus Toolkit deployment model
  - Services at the Resource Provider
  - Use of existing computing infrastructure
  - Minimal number of connections through the site firewall
Firewall
A Firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy. *
- Good: it blocks unwanted and malicious traffic.
- Bad: it might not be flexible enough to allow seamless execution of Grid applications.
* Wikipedia
Dynamic Firewall
Goal
Protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on-demand.
Current solutions
Signaling protocol to add/remove filtering rules:
- "Off-path": communication between applications and firewalls
- "In-path": communication between application peers, intercepted by intermediate firewalls
Dyna-Fire & Cooperative On-Demand Opening
One daemon runs on the same host as the firewall to:
- monitor all connection requests
- add/remove filtering rules in the firewall
A connection is allowed when the client request is successfully authenticated and authorized.
Signaling protocol:
- Dyna-Fire ==> messages carried by Port Knocking
- CODO ==> messages carried over SSL channel
[Figure: Client Application with signaling Library in the Intranet, Daemon on the firewall host, Server Application; step 1 signaling, step 2 connection]
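The daemon logic sketched above, as an added Python model that is not code from the deck or from the Dyna-Fire/CODO projects: a signaling message is authenticated, checked for freshness (so a captured message cannot be replayed, the weakness the next slide attributes to a unidirectional protocol), authorized against a per-principal port list, and only then turned into a time-limited filtering rule. The HMAC-over-fields authentication, the policy contents and the iptables rendering are assumptions of this example.

```python
import hmac, hashlib

# Constructed policy (assumption: coarse-grained per-principal port list, as the deck describes for CODO)
POLICY = {"alice@grid.example": {2811, 8443}, "bob@grid.example": {2811}}
SECRET = b"constructed-demo-key"  # stands in for the client's credential

def sign_request(principal, src_ip, dport, ts, key=SECRET):
    """Authenticate the signaling message with an HMAC over all of its fields."""
    msg = f"{principal}|{src_ip}|{dport}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_request(principal, src_ip, dport, ts):
    """Client side: build a signed signaling message."""
    return {"principal": principal, "src_ip": src_ip, "dport": dport, "ts": ts,
            "mac": sign_request(principal, src_ip, dport, ts)}

class OpeningDaemon:
    """Daemon co-located with the firewall: checks requests, manages filtering rules."""
    def __init__(self, ttl=300, window=30):
        self.rules = {}     # (src_ip, dport) -> expiry time
        self.seen = set()   # (principal, ts) already accepted, so a replay is refused
        self.ttl, self.window = ttl, window

    def handle(self, req, now):
        # 1. authentication: recompute the MAC and compare in constant time
        expected = sign_request(req["principal"], req["src_ip"], req["dport"], req["ts"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "deny: authentication failed"
        # 2. freshness: bounded timestamp, and never accept the same message twice
        if abs(now - req["ts"]) > self.window or (req["principal"], req["ts"]) in self.seen:
            return "deny: stale or replayed"
        self.seen.add((req["principal"], req["ts"]))
        # 3. authorization against the policy
        if req["dport"] not in POLICY.get(req["principal"], set()):
            return "deny: not authorized"
        # 4. open on demand: install a rule with a lifetime rather than a permanent hole
        self.rules[(req["src_ip"], req["dport"])] = now + self.ttl
        return "allow"

    def expire(self, now):
        """Remove rules whose lifetime has elapsed; returns the number removed."""
        dead = [k for k, exp in self.rules.items() if exp <= now]
        for k in dead:
            del self.rules[k]
        return len(dead)

    def render_rule(self, src_ip, dport):
        """Rule the daemon would install (rendered as an iptables command, not executed)."""
        return f"iptables -I INPUT -p tcp -s {src_ip} --dport {dport} -j ACCEPT"
```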
Limitations of dynamic firewalls
- No mechanism to discover automatically the firewalls along the path
  - Signaling before connection establishment?
  - Static routing table configuration
- Dyna-Fire and Port Knocking
  - CPU overhead for monitoring of connection attempts
  - Exclusive reservation of some ports
  - Unidirectional protocol exposed to replay and man-in-the-middle attacks
- CODO
  - Applications (client and server!) must be recompiled/relinked with a special socket library
  - Authorization policy is coarse-grained and not flexible
Deployment model for Globus Toolkit 4
[Figure: DMZ with Local MDS-Index, GridFTP Server, RFT Server, GRAM Server, User Interface; Intranet with Batch System Master and Batch System Nodes]
Constraints
- Use existing batch computing resources
- GT4 services must be reachable from the Internet
Goals
- Avoid any connection between hosts in the Intranet and hosts in the external Internet
- Identify, analyze and reduce the connections between hosts in the Intranet and GT services in the DMZ
Batch system
[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server on the Batch Sys. Login Node]
- Install Globus GRAM on a host that can submit jobs to the Batch System
- Either: enable a shared file system between this node and the Batch System
- Or: modify GRAM scripts in order to use Batch System functions for file stage-in and file stage-out
GridFTP option 1
[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GridFTP Server]
- GridFTP server and Batch System have a shared file system
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are stored in the local GridFTP server
GridFTP option 2
[Figure: Intranet with Batch System Nodes and Batch System Master; DMZ with GridFTP Server]
- Batch System nodes have direct access to the local GridFTP server
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are uploaded to the local GridFTP server
Reliable File Transfer
[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch Sys. Login Node, and GridFTP Server]
- RFT server is installed on the same host where the GRAM server runs
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet
MDS
[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index]
- Deploy one MDS-Index that collects monitoring information from all local GRAM and RFT servers (in future also GridFTP servers)
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet
  - between the Batch System Master and the GRAM server (Ganglia, Nagios, etc.)
User Interface
[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index, User Interface]
- The User Interface is used to submit/monitor/manage Grid jobs
- Connections are established:
  - within the DMZ
  - between the DMZ and the external Internet
Full model
[Figure: DMZ with User Interface, GRAM Server and RFT Server on the Batch Sys. Login Node, GridFTP Server, Local MDS-Index; Intranet with Batch System Master and Batch System Nodes; connection legend: GRAM, RFT, Batch System, User Interface, MDS, GridFTP, Shared File System]
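The two deployment goals (no Intranet-to-Internet connection at all; every Intranet-to-DMZ connection identified and minimized) as an added Python audit over the full model, not code from the deck. The zone assignment follows the figures; the flow list, its directions and purposes are assumptions reconstructed from the per-service slides, and a site would substitute its own inventory.

```python
from collections import defaultdict

# Zone of every host/service on the full-model slide (constructed from the deck; the
# batch login node that hosts GRAM and RFT sits in the DMZ as drawn).
ZONE = {
    "Internet": "Internet",
    "GRAM": "DMZ", "RFT": "DMZ", "GridFTP": "DMZ", "MDS-Index": "DMZ", "UserInterface": "DMZ",
    "BatchMaster": "Intranet", "BatchNodes": "Intranet",
}

# Candidate connection list (src, dst, purpose); direction and purpose are assumptions
# derived from the per-service slides, not data from the deck.
FLOWS = [
    ("Internet", "GRAM", "job requests"), ("Internet", "RFT", "transfer requests"),
    ("Internet", "GridFTP", "file transfers"), ("Internet", "MDS-Index", "queries"),
    ("UserInterface", "Internet", "submit jobs to remote sites"),
    ("GRAM", "RFT", "file staging"), ("RFT", "GridFTP", "file staging"),
    ("MDS-Index", "GRAM", "monitoring"), ("MDS-Index", "RFT", "monitoring"),
    ("UserInterface", "GRAM", "local job submission"),
    ("GRAM", "BatchMaster", "job submission from the login node"),
    ("BatchMaster", "GRAM", "monitoring (Ganglia, Nagios, etc.)"),
    ("BatchNodes", "GridFTP", "stage-out, GridFTP option 2"),
]

def zone_pair(src, dst, zone=ZONE):
    """Unordered zone pair a flow crosses, e.g. ('DMZ', 'Intranet')."""
    return tuple(sorted((zone[src], zone[dst])))

def audit(flows, zone=ZONE):
    """Check the deployment goals: no Intranet<->Internet flow at all, and an explicit
    list of every Intranet<->DMZ flow that must be allowed through the site firewall."""
    by_pair = defaultdict(list)
    for src, dst, purpose in flows:
        by_pair[zone_pair(src, dst, zone)].append((src, dst, purpose))
    return {
        "forbidden": by_pair.get(("Internet", "Intranet"), []),
        "site_firewall": by_pair.get(("DMZ", "Intranet"), []),
        "counts": {pair: len(v) for pair, v in by_pair.items()},
    }

def can_add(flow, zone=ZONE):
    """Gate for a proposed new connection: reject anything Intranet<->Internet,
    and flag (but allow) a new crossing of the site firewall for review."""
    pair = zone_pair(flow[0], flow[1], zone)
    if pair == ("Internet", "Intranet"):
        return "reject: Intranet host would talk to the Internet"
    if pair == ("DMZ", "Intranet"):
        return "review: new connection through the site firewall"
    return "ok"
```

The "site_firewall" list is the rule set the site firewall has to carry; everything else either stays inside the DMZ or terminates at the DMZ's Internet-facing services.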
Summary
- Dynamic Firewall
  - General concepts
  - Dyna-Fire
  - Cooperative On-Demand Opening (CODO)
  - Limitations
- Globus Toolkit deployment model
  - GT4 services in DMZ
  - Use of existing computing infrastructure
  - Minimal number of connections through the firewall