Secure Generic Connection Brokering – SGCB
JPDPS Tel-Aviv, Dec

Secure Generic Connection Brokering (SGCB): enhancing secure submission of grid jobs across firewalls

David Front, Lorne Levinson, Morton Taragin – Weizmann Institute of Science, Rehovot
Miron Livny, Se-Chang Son – University of Wisconsin, Madison
Itzhak Ben-Akiva – Tel Aviv University, Tel Aviv
Agenda
- The problem
- Requirements
- Architecture
- Performance, evaluation
- References
The problem
- In order to use (Grid) servers, incoming connections must be created.
- Organization security policies restrict connections to prevent malicious acts.
- Incoming connections are more threatening than outgoing connections.
- Hence, organization security managers object to allowing incoming connections through grid domain firewalls.
The problem: 2 use cases
(Grid) network applications fail to create incoming connections because of organization security policy, enforced by firewall(s).
[Diagram: server behind server firewall, client behind client firewall]
1. Server's firewall prevents connections to the server. The server may connect to the client.
2. In addition, the client's firewall prevents connections to the client. No direct connection is possible.
Requirements
A solution to securely submit jobs across firewalls should:
1. Satisfy security managers: allow incoming connections, yet not violate security policies
2. Not require dynamic firewall changes
3. Support communication with standard sockets
4. Not require changes at communicating applications
5. Not require kernel changes
6. Support various security schemes
7. Not require root privilege to install/run
SGCB architecture
- Generic Connection Brokering (GCB), by Sechang Son and Miron Livny
- + Bypass, by Douglas Thain and Miron Livny
- + Security layer for management messages:
  - Trivial security
  - GSI security
GCB use case 1: reversed TCP connection
[Sequence diagram: server (behind server firewall), broker, client; time runs downward. "A" marks a GCB management message, the remaining arrows carry data]
1. Server -> broker: "Register me" (GCB management message)
2. Client -> broker: "I want to connect server" (GCB management message)
3. Broker -> server: "Connect client" (GCB management message)
   Server calls connect() towards the client; data then flows over this reversed connection.
GCB use case 2: relayed TCP connection
[Sequence diagram: server (behind server firewall), broker, client (behind client firewall); time runs downward. "A" marks a GCB management message]
1. Server -> broker: "Register me" (GCB management message)
2. Client -> broker: "I want to connect server" (GCB management message)
3. Broker -> server: "Connect me"; the server calls connect() to the broker
4. Broker -> client: "Connect me"; the client calls connect() to the broker
   Data is relayed through the broker.
Firewall holes without GCB
[Diagram: server firewall with a "Server incoming" hole; client firewall with a "Client outgoing" hole]
Holes for server-client connections only.
Firewall holes with GCB
[Diagram: broker firewall with a "Broker incoming" hole; server firewall with a "Server outgoing" hole; client firewall with a "Client outgoing" hole]
Holes for management messages, and holes for server-client connections.
GCB socket SW layer
- GCB socket calls: GCB_bind(), GCB_connect(), GCB_accept(), ...
- GCB calls replace standard socket calls at server and client applications.
- GCB calls do whatever is needed to connect, such as:
  - communicate with other entities
  - reverse the connection direction
  - initiate standard socket calls: bind(), connect(), accept(), ...
GCB layer: reversed TCP connection
[Sequence diagram over client machine, broker machine and server machine; time runs downward: GCB_socket, GCB_bind, GCB_listen, GCB_accept on the server side, GCB_connect on the client side]
GCB layer: relayed TCP connection
[Sequence diagram over client machine, broker machine and server machine; time runs downward: GCB_socket, GCB_bind, GCB_listen, GCB_accept on the server side, GCB_connect on the client side]
SGCB architecture - Bypass
- Applications must call GCB socket functions in order to use GCB.
- Using Bypass avoids this need.
Bypass
Bypass is a code generator for making C++ interposition agents.
[Diagram: application, agent, system calls]
1. The agent squeezes in between the application and the system calls.
2. The application issues a system call, e.g. accept().
3. The agent intercepts it and runs agent code, e.g. GCB_accept().
4. The agent code issues the calls it needs, for example connect().
Bypassing GCB
[Sequence diagram: client application and server application call socket, bind, listen, accept, connect; the Bypass agent maps them to GCB_socket, GCB_bind, GCB_listen, GCB_accept, GCB_connect, which talk to the broker; time runs downward]
The GCB Bypass agent implements GCB seamlessly for applications.
SGCB architecture - security
GCB management messages are not secure; the SGCB security layer adds security.
GCB: no management message security
[Sequence diagram: server/client and broker; Connect, Accept, then Data in both directions; time runs downward]
SGCB security scheme 1: trivial security
[Sequence diagram: server/client and broker; Connect, Accept, then AUTH_assert from the server/client and AUTH_accept at the broker, then Data in both directions; time runs downward]
Applicable for management messages.
SGCB security scheme 2: GSI security
[Sequence diagram: server/client and broker; Connect, Accept, then AUTH_assert with a certificate from the server/client and AUTH_accept with a certificate at the broker; Data is encrypted by the sender and decrypted by the receiver in both directions; time runs downward]
Applicable for GCB management messages.
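The two use cases and the management-message authentication step, as an added toy model (not GCB or SGCB code). The message names, the Broker API and the shared-secret MAC standing in for the slides' unspecified "trivial security" are assumptions; the GSI scheme would use certificates instead.

```python
# Added example, not GCB/SGCB code. Models: "Register me", "I want to connect server",
# and the broker's choice of reversed vs relayed connection, with an optional
# AUTH_assert/AUTH_accept stand-in (shared-secret HMAC, an assumption for illustration).
import hmac, hashlib, json
from typing import Optional

def auth_assert(msg: dict, key: bytes) -> dict:
    """Sender side: attach a MAC over the canonical JSON form of the message."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def auth_accept(msg: dict, key: bytes) -> Optional[dict]:
    """Broker side: verify the MAC; return the bare message, or None if it fails."""
    if "mac" not in msg:
        return None
    bare = {k: v for k, v in msg.items() if k != "mac"}
    body = json.dumps(bare, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return bare if hmac.compare_digest(expected, msg["mac"]) else None

class Broker:
    def __init__(self, key: Optional[bytes] = None):
        self.key = key        # None models plain GCB: management messages unauthenticated
        self.servers = {}     # registered server name -> endpoint the broker can reach
        self.sent = []        # management messages the broker emitted

    def handle(self, msg: dict) -> dict:
        if self.key is not None:               # SGCB security layer in front of GCB logic
            msg = auth_accept(msg, self.key)
            if msg is None:
                return {"status": "rejected"}
        kind = msg["type"]
        if kind == "register":                 # slide step 1: "Register me"
            self.servers[msg["server"]] = msg["endpoint"]
            return {"status": "registered"}
        if kind == "connect":                  # slide step 2: "I want to connect server"
            if msg["server"] not in self.servers:
                return {"status": "unknown server"}
            if msg["client_accepts_incoming"]:  # use case 1: reversed TCP connection
                self.sent.append(("connect_client", msg["server"], msg["client"]))
                return {"status": "reversed", "connector": msg["server"]}
            # use case 2: neither side accepts incoming; both connect to the broker
            self.sent.append(("connect_me", msg["server"]))
            self.sent.append(("connect_me", msg["client"]))
            return {"status": "relayed", "via": "broker"}
        return {"status": "unknown message"}
```

Without a key the broker accepts any "Register me", which is the exposure the SGCB security layer closes; with a key, a message whose MAC was made under a different secret is rejected before it changes broker state.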
Broker location
[Diagram: broker in a DMZ with a "Broker incoming" hole; "Server outgoing" and "Client outgoing" holes]
- A broker has a relaxed security policy, allowing incoming connections.
- It is recommended to locate a broker in a DMZ with no other computers.
GCB TCP performance
Passing across a private network.
[Chart: Time [msec] (label fragment: "of 1030"); series: Relayed connection, Reversed connection; measures: Connection avg. time, Data (echo) avg. time]
GCB does not cause a big time penalty.
Evaluation
SGCB does satisfy its requirements; however:
- Scalability: the broker is a potential traffic bottleneck. Brokering of up to thousands of machines is yet to be tested.
- Robustness: the broker is a single point of failure.
- Complexity: adding the SGCB and Bypass SW layers to a grid application adds complexity and causes a debugging challenge.
- Experimental: Globus problems with GCB and Bypass.
- Applicability: SGCB is relevant for GT2 more than for GT3.
Status
- SGCB works with test applications: it creates Bypass'ed connections across firewalls with trivial or GSI security.
- SGCB support for Globus is under development.
References
- Globus Toolkit Firewall Requirements: Von Welch
- GCB: Recovering Internet Symmetry in Distributed Computing, Sechang Son and Miron Livny, Computer Science Department, University of Wisconsin
- Bypass: Douglas Thain and Miron Livny
- SGCB user guide: David Front
- SSH tunnels and Globus (an alternative approach to connecting across firewalls)
- Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto, HPL , October 2nd,