
1 Dynamic Firewalls and Service Deployment Models for Grid Environments
Gian Luca Volpato, Christian Grimm
RRZN – Leibniz Universität Hannover
Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006

2 Overview
Regional Computing Centre for Lower Saxony Gian Luca Volpato | 16-10-2006 | Slide 2
Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative On-Demand Opening (CODO)
- Limitations
Globus Toolkit deployment model
- Services at the Resource Provider
- Use of existing computing infrastructure
- Minimal number of connections through the site firewall

3 Firewall
"A firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy." (Wikipedia)
- Good: it blocks unwanted and malicious traffic.
- Bad: it might not be flexible enough to allow seamless execution of Grid applications.

4 Dynamic Firewall
Goal: protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on demand.
Current solutions: a signaling protocol to add/remove filtering rules
- "Off-path": communication between applications and firewalls
- "In-path": communication between application peers, intercepted by intermediate firewalls

5 Dyna-Fire & Cooperative On-Demand Opening
One daemon runs on the same host as the firewall to:
- monitor all connection requests
- add/remove filtering rules in the firewall
A connection is allowed when the client request is successfully authenticated and authorized.
Signaling protocol:
- Dyna-Fire: messages carried by Port Knocking
- CODO: messages carried over an SSL channel
[Diagram: Client Application with a signaling Library sends (1) the request to the Daemon on the firewall host, then (2) connects to the Server Application in the Intranet]

6 Limitations of dynamic firewalls
General
- No mechanism to discover automatically the firewalls along the path (signaling before connection establishment? static routing table configuration)
Dyna-Fire and Port Knocking
- CPU overhead for monitoring of connection attempts
- Exclusive reservation of some ports
- Unidirectional protocol, exposed to replay and man-in-the-middle attacks
CODO
- Applications (client and server!) must be recompiled/relinked with a special socket library
- Authorization policy is coarse-grained and not flexible
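The following is an added example, not code from Dyna-Fire, CODO or the authors. It models the daemon of slide 5 in two variants to make the replay point of slide 6 concrete: a port-knock recognizer that opens the service port after the secret knock sequence, and a request handler that only adds a rule after the client proves possession of a key over a fresh challenge. CODO carries its messages over SSL; the per-client HMAC key and 16-byte nonce below are an assumed stand-in for that channel, and the addresses, ports and knock sequence are constructed sample data.

```python
"""Toy model of the two signaling styles (added example, not Dyna-Fire or
CODO code). A daemon on the firewall host opens the service port for a
client, once after a plain port-knock sequence and once after an
authenticated, challenge-bound request, to show why the unidirectional knock
is replayable and the authenticated request is not."""
import hashlib
import hmac
import os


class Firewall:
    # Rule table of the host the daemon runs on; an entry (src, dport) is ACCEPT.
    def __init__(self):
        self.rules = set()

    def allow(self, src, dport):
        self.rules.add((src, dport))

    def permits(self, src, dport):
        return (src, dport) in self.rules


class KnockDaemon:
    """Dyna-Fire style: inspects every connection attempt to closed ports and
    opens the service port for a source that hits the secret sequence in order."""

    def __init__(self, fw, sequence, service_port):
        self.fw, self.seq, self.service_port = fw, tuple(sequence), service_port
        self.progress = {}  # src -> index of the next knock expected from it

    def observe(self, src, dport):
        # Every SYN is examined here: the per-attempt CPU cost slide 6 mentions.
        i = self.progress.get(src, 0)
        if dport == self.seq[i]:
            i += 1
        else:
            i = 1 if dport == self.seq[0] else 0
        if i == len(self.seq):
            self.fw.allow(src, self.service_port)
            i = 0
        self.progress[src] = i


def sign(key, nonce, src, dport):
    """Client-side tag over the challenge and the exact rule being requested."""
    msg = nonce + src.encode() + dport.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthDaemon:
    """CODO style: authenticate, then authorize, then add the rule. The nonce
    plus per-client HMAC key is an assumed stand-in for CODO's SSL channel."""

    def __init__(self, fw, keys, policy):
        self.fw, self.keys, self.policy = fw, keys, policy  # policy: client -> ports
        self.pending = {}  # client -> outstanding nonce

    def challenge(self, client):
        nonce = os.urandom(16)
        self.pending[client] = nonce
        return nonce

    def request(self, client, src, dport, tag):
        nonce = self.pending.pop(client, None)
        if nonce is None:
            return False  # no live challenge: stale or replayed request
        if not hmac.compare_digest(sign(self.keys[client], nonce, src, dport), tag):
            return False  # authentication failed (wrong key, old nonce or other src)
        if dport not in self.policy.get(client, ()):
            return False  # authenticated but not authorized for this port
        self.fw.allow(src, dport)
        return True


def knock_replay_demo():
    """Legit client knocks; a sniffer replays the same knocks from its own
    address. Returns (legit_opened, replay_opened)."""
    fw = Firewall()
    daemon = KnockDaemon(fw, sequence=(7000, 8000, 9000), service_port=22)
    captured = []  # what an eavesdropper on the path would record
    for port in (7000, 8000, 9000):
        daemon.observe("10.0.0.5", port)
        captured.append(port)
    for port in captured:  # nothing in the knock is bound to the knocker
        daemon.observe("198.51.100.7", port)
    return fw.permits("10.0.0.5", 22), fw.permits("198.51.100.7", 22)


def auth_replay_demo():
    """Legit client completes an authenticated request; an eavesdropper replays
    the captured tag from its own address. Returns (legit_opened, replay_opened)."""
    fw = Firewall()
    key = os.urandom(32)
    daemon = AuthDaemon(fw, keys={"alice": key}, policy={"alice": {22}})
    nonce = daemon.challenge("alice")
    tag = sign(key, nonce, "10.0.0.5", 22)
    legit = daemon.request("alice", "10.0.0.5", 22, tag)
    daemon.challenge("alice")  # even with a fresh challenge the old tag is stale
    replay = daemon.request("alice", "198.51.100.7", 22, tag)
    return legit, replay
```

The knock variant opens the port for the replaying address because a knock carries no proof of who sent it and no freshness; the authenticated variant rejects the replay twice over, because the nonce was consumed and because the tag also binds the source address and port that will be opened.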

7 Deployment model for Globus Toolkit 4
[Diagram: DMZ hosts the Local MDS-Index, GridFTP Server, RFT Server, GRAM Server and User Interface; the Intranet hosts the Batch System Master and Batch System Nodes]
Constraints
- Use existing batch computing resources
- GT4 services must be reachable from the Internet
Goals
- Avoid any connection between hosts in the Intranet and hosts in the external Internet
- Identify, analyze and reduce the connections between hosts in the Intranet and GT services in the DMZ

8 Batch system
[Diagram: GRAM Server on the Batch System Login Node in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
Install Globus GRAM on a host that can submit jobs to the Batch System. Either:
- enable a shared file system between this node and the Batch System, or
- modify the GRAM scripts in order to use Batch System functions for file stage-in and file stage-out

9 GridFTP option 1
[Diagram: GridFTP Server in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
- GridFTP server and Batch System have a shared file system
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are stored in the local GridFTP server

10 GridFTP option 2
[Diagram: GridFTP Server in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
- Batch System nodes have direct access to the local GridFTP server
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are uploaded to the local GridFTP server

11 Reliable File Transfer
[Diagram: GRAM Server and RFT Server on the Batch System Login Node and GridFTP Server in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
- RFT server is installed on the same host where the GRAM server runs
- Connections are established: within the DMZ; between the DMZ and the external Internet

12 MDS
[Diagram: GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server and Local MDS-Index in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
- Deploy one MDS-Index that collects monitoring information from all local GRAM and RFT servers (in future also GridFTP servers)
- Connections are established: within the DMZ; between the DMZ and the external Internet; between the Batch System Master and the GRAM server (Ganglia, Nagios, etc.)

13 User Interface
[Diagram: User Interface, GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server and Local MDS-Index in the DMZ; Batch System Master and Batch System Nodes in the Intranet]
- The User Interface is used to submit/monitor/manage Grid jobs
- Connections are established: within the DMZ; between the DMZ and the external Internet

14 Full model
[Diagram: DMZ with User Interface, GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server and Local MDS-Index; Intranet with Batch System Master and Batch System Nodes. Connection types drawn: GRAM, RFT, Batch System, User Interface, MDS, GridFTP, Shared File System]
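As an added example (not the authors' code), the connection model of slides 7-14 written down as a checkable policy: every flow the slides draw is listed with its zone, and two small checks enforce the slide-7 goals, namely that no flow joins the Intranet to the external Internet, and that the DMZ/Intranet crossings, the set the authors set out to minimize, can be enumerated and turned into an allow-list. The flow list is transcribed from the slides with GridFTP deployed as option 2; where a slide only says "between the DMZ and the external Internet", the direction is an assumption and is marked as such. The rule syntax emitted at the end is the example's own, not a real firewall's.

```python
"""The connection model of slides 7-14 as a checkable policy (added example;
flows transcribed from the slides, directions assumed where marked)."""
from collections import defaultdict

ZONE = {
    "Internet": "internet",
    "GRAM": "dmz",            # on the batch system login node (slide 8)
    "RFT": "dmz",             # same host as GRAM (slide 11)
    "GridFTP": "dmz",
    "MDS-Index": "dmz",
    "UserInterface": "dmz",
    "BatchMaster": "intranet",
    "BatchNodes": "intranet",
}

# (source, destination, purpose); GridFTP deployed as "option 2" (slide 10).
FLOWS = [
    ("Internet", "GRAM", "remote job submission"),
    ("Internet", "RFT", "remote transfer requests"),
    ("Internet", "GridFTP", "stage-in / stage-out by remote clients"),
    ("GridFTP", "Internet", "transfers to remote GridFTP servers (assumed direction)"),
    ("Internet", "MDS-Index", "monitoring queries from outside"),
    ("Internet", "UserInterface", "user logins to the UI host (assumed direction)"),
    ("UserInterface", "GRAM", "submit / monitor / manage jobs"),
    ("UserInterface", "MDS-Index", "resource discovery"),
    ("RFT", "GridFTP", "drives local transfers"),
    ("GRAM", "MDS-Index", "monitoring information"),
    ("RFT", "MDS-Index", "monitoring information"),
    ("GRAM", "BatchMaster", "job submission from the login node"),
    ("BatchMaster", "GRAM", "Ganglia / Nagios monitoring data (slide 12)"),
    ("BatchNodes", "GridFTP", "option 2: nodes fetch input and upload output"),
]


def crossings(flows):
    """Group the flows that leave their zone by the (sorted) zone pair they cross."""
    out = defaultdict(list)
    for src, dst, why in flows:
        a, b = ZONE[src], ZONE[dst]
        if a != b:
            out[tuple(sorted((a, b)))].append((src, dst, why))
    return out


def violations(flows):
    """Flows that break the slide-7 goal: nothing between Intranet and Internet."""
    return crossings(flows).get(("internet", "intranet"), [])


def site_firewall_rules(flows):
    """Illustrative allow-list for the DMZ/Intranet boundary, the interface the
    slides set out to minimize; the rule syntax is the example's own."""
    rules = [f"allow {s} -> {d}   # {why}"
             for s, d, why in crossings(flows).get(("dmz", "intranet"), [])]
    return rules + ["deny any -> any"]


if __name__ == "__main__":
    for pair, flows in sorted(crossings(FLOWS).items()):
        print(f"{pair[0]} <-> {pair[1]}: {len(flows)} flow(s)")
    print("intranet/internet violations:", violations(FLOWS))
    print("\n".join(site_firewall_rules(FLOWS)))
```

With option 2 the model leaves three flows through the site firewall between DMZ and Intranet (job submission to the batch master, monitoring data back to the GRAM host, and the nodes' access to GridFTP) and none between Intranet and Internet; adding a direct download from a batch node to the Internet to FLOWS is reported by violations().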

15 Summary
Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative On-Demand Opening (CODO)
- Limitations
Globus Toolkit deployment model
- GT4 services in the DMZ
- Use of existing computing infrastructure
- Minimal number of connections through the firewall

16 Thank you! Questions?

