Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization.

Published byMeghan Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization."— Presentation transcript:

1 www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization

2 www.infotech.monash.edu.au 2 Outline Background Project Aims & Previous Research Research Problem Research Approach & Method Analysis Demo Implementation Design Review Future Work Conclusion

3 www.infotech.monash.edu.au 3 Background – Grid Network & Security Application Solutions –Globus Security Infrastructure –Security of Open Grid Services Architecture –Security as Services –Public Key Infrastructure Virtual Organization & Virtual Connectivity Gateway Solutions –Common Solutions –Grid Firewall & Firewall Traversal

4 www.infotech.monash.edu.au 4 Background – Understanding Virtualization Pooling & Reallocating –Resource: Pooling –Infrastructure: Multiplying, Clustering Simulation –Simulators: VMs –Application Virtualization: Sandbox –Network: Tunnelling –Grid: Virtual Organization * Firewall Virtualization –Dynamic Firewall –Zone Based Virtual Firewall –Virtual Access Control

5 www.infotech.monash.edu.au 5 Project Aims & Previous Research – Security Gateway for Grid Grid Security Scenario –Unpredictable application & users –Dynamic –Large quantity of devices Security Gateway –Packet Filtering –Access Control –Intrusion Detection/Prevention

6 www.infotech.monash.edu.au 6 Project Aims & Previous Research – Firewall Traversal & Firewall Virtualization Firewall Proxy Model Firewall Control Model

7 www.infotech.monash.edu.au 7 Research Problem – NAT Problem Server IP + Port == A TCP Service Source IP + Port != Client User Identity

8 www.infotech.monash.edu.au 8 Research Approach & Method Research Approach –A grid firewall solution –Without NAT problem –Easy to implement & deploy Research Method –Problem Oriented Research

9 www.infotech.monash.edu.au 9 Analysis – Problem Breaking Down Grid Security Gateway Access Control on Demand Permit/Filter (Non)- Authorized Communication By ACL Determine (Non)- Authorized Communication By ACL f: (Communication, ACL) -> Permit/Filter g: Communication -> Identity (*Session Key) h: (Identity, ACL) -> Permit/Filter f = h(g(Communication), ACL)

10 www.infotech.monash.edu.au 10 Analysis – Research Questions Central Question : –How do we determine the identity information? Q1: What can a firewall determine? How? –What can a pure network firewall determine? –Is there any other choice (IPTables) which can do more? Q2: How to generate and carry the information which can be determined? –Can the program change some existing properties of the communication? How? –Can the program add new properties? How?

11 www.infotech.monash.edu.au 11 Analysis – Research Hypotheses Capability of Network Firewall –IP: Source and target IP address –TCP: Source and target port –Protocol Special Capability of IPTables –Owner: uid, pid, gid...... (IPFW has also ‘out uid’) Change existing properties of communication –Packet based: >Changing Address: Authentication based NAT/PAT >Changing protocol: Tunnel/Proxy (useless) –Connection based: >Extra handshake (hard to implement) Can the program add new properties? How? –Application specific Tunnel/Proxy

12 www.infotech.monash.edu.au 12 Analysis – Possible Solution: NAT/PAT Cons –Customize IP assigning mechanism >Not supported by most of current VPN solutions >Hard to program –Check after tunnel created >Complex control signal –Delay caused –Hard to program but possible* Pro –Existing firewall can be used, but extra component to run the program is still needed.

13 www.infotech.monash.edu.au 13 Analysis – Possible Solution: Tunnel/Proxy Few Firewall Choice: IPTables, IPFW… Tunnel Proxy Choice –Does it create process for each session? –Can the process owner one-to-one map to the client identity? –SSH Port Forwarding >Pros: –Commonly used –Gateway-to-Gateway –Only tunnel the request (Comparing with VPN) >Cons: Client command & settings Other methods can be examined

14 www.infotech.monash.edu.au 14 Demo Implementation VAC> show use whitelist service 0 10.1.1.2:80 TCP //Http AppServer ACCEPT User xyqin1 Client>ssh -N -f -L 80:10.1.1.2:80 xyqin1@VFW

15 www.infotech.monash.edu.au 15 Design Review NAT Problem –NAT between the gateways does not harm Efficiency Cost –Pre-defined tunnel and filtering rules –One time encapsulating –Only tunnel the request –Non-Cipher SSH is a choice & SSH is not the only choice Capability & Reliability –Clustering –Load Balance

16 www.infotech.monash.edu.au 16 Future Work Virtualization –Scalable (Zones, Multiple Instances) –Dynamic Access Control –Clustering Usability –Client side program –Remote Administration Distributable –Authentication Server Extendable –Extensions? API?

17 www.infotech.monash.edu.au 17 Conclusion It is possible and necessary to implement authentication based access control on grid gateway, which is secure, extensible and interoperable with grid. Pure network filtering firewall is very weak solution for grid security purpose. Grid security needs application level methods because of virtualization.

18 www.infotech.monash.edu.au 18 Q & A

Download ppt "Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization."

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.

The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.

IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.

5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.
1 © J. Liebeherr, All rights reserved Virtual Private Networks.

1 © J. Liebeherr, All rights reserved Virtual Private Networks.
Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.

Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Similar presentations

Ads by Google