Secure Generic Connection Brokering – SGCB (JPDPS, Tel-Aviv, Dec 2003)
Secure Generic Connection Brokering (SGCB): enhancing secure submission of grid jobs.


Secure Generic Connection Brokering (SGCB): enhancing secure submission of grid jobs across firewalls
David Front, Lorne Levinson, Morton Taragin, Weizmann Institute of Science, Rehovot
Miron Livny, Se-Chang Son, University of Wisconsin, Madison
Itzhak Ben-Akiva, Tel Aviv University, Tel Aviv

Agenda
The problem
Requirements
Architecture
Performance, evaluation
References

The problem
In order to use (Grid) servers, incoming connections must be created.
Organization security policies restrict connections to prevent malicious acts.
Incoming connections are more threatening than outgoing connections.
Hence, organization security managers object to allowing incoming connections through grid domain firewalls.

The problem: 2 use cases
(Grid) network applications fail to create incoming connections because of organization security policy, enforced by firewall(s).
Use case 1: the server's firewall prevents connections to the server. The server may connect to the client.
Use case 2: in addition, the client's firewall prevents connections to the client. No direct connection is possible.

Requirements
A solution to securely submit jobs across firewalls should:
1. Satisfy security managers: allow incoming connections, yet not violate security policies
2. Not require dynamic firewall changes
3. Support communication with standard sockets
4. Not require changes at communicating applications
5. Not require kernel changes
6. Support various security schemes
7. Not require root privilege to install/run

SGCB architecture
Generic Connection Brokering (GCB) by Sechang Son and Miron Livny
+ Bypass by Douglas Thain and Miron Livny
+ Security layer for management messages:
  – Trivial security
  – GSI security

GCB use case 1: reversed TCP connection
(Sequence diagram: server behind the server firewall, broker, client; time runs downward. GCB management messages are drawn separately from data.)
1. Server to broker: "Register me"
2. Client to broker: "I want to connect server"
3. Broker to server: "Connect client"
The server then issues connect() to the client, so the data connection is created in the reverse direction to the one the client asked for.

GCB use case 2: relayed TCP connection
(Sequence diagram: server behind the server firewall, broker, client behind the client firewall; time runs downward.)
1. Server to broker: "Register me"
2. Client to broker: "I want to connect server"
3. Broker to server: "Connect me"; the server issues connect() to the broker
4. Broker to client: "Connect me"; the client issues connect() to the broker
Data is relayed through the broker.
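The two use cases above, modelled as an added example (not code from the talk or from the GCB project): the broker records the registrations it receives and, on a client's request, either tells the registered server "Connect client" (reversed) or tells both sides "Connect me" and relays (relayed). Network I/O is replaced by function calls, the message wording follows the slides, and nothing in this model authenticates the messages, which is the gap the SGCB security layer addresses.

```c
/* Added example, not code from the SGCB/GCB project: a model of the
 * broker's decision logic for the two GCB use cases. Network I/O is
 * replaced by plain function calls so the logic runs stand-alone. */
#include <stdio.h>
#include <string.h>

#define MAX_SERVERS 8

typedef enum { GCB_REVERSED, GCB_RELAYED, GCB_UNKNOWN_SERVER } gcb_mode;

/* A registration: the name the server claims and the address its outgoing
 * "Register me" message came from. Nothing here authenticates the claim. */
typedef struct { char name[32]; char addr[32]; } gcb_server;
typedef struct { gcb_server servers[MAX_SERVERS]; int count; } gcb_broker;

/* Step 1: a server behind its firewall opens an outgoing connection to the
 * broker and registers. Returns 0 on success, -1 when the table is full. */
int gcb_register(gcb_broker *b, const char *name, const char *addr) {
    if (b->count >= MAX_SERVERS) return -1;
    snprintf(b->servers[b->count].name, 32, "%s", name);
    snprintf(b->servers[b->count].addr, 32, "%s", addr);
    b->count++;
    return 0;
}

/* Step 2: a client sends "I want to connect server". client_reachable says
 * whether the client's own firewall lets the server connect to it.
 * Use case 1: broker tells the server "Connect client" (reversed connection).
 * Use case 2: broker tells both sides "Connect me" and relays the data.
 * The instructions the broker would send are written into instr[0..1]. */
gcb_mode gcb_connect_request(const gcb_broker *b, const char *server,
                             int client_reachable, char instr[2][48]) {
    instr[0][0] = instr[1][0] = '\0';
    for (int i = 0; i < b->count; i++) {
        if (strcmp(b->servers[i].name, server) != 0) continue;
        if (client_reachable) {
            snprintf(instr[0], 48, "to %s: Connect client", b->servers[i].addr);
            return GCB_REVERSED;
        }
        snprintf(instr[0], 48, "to %s: Connect me", b->servers[i].addr);
        snprintf(instr[1], 48, "to client: Connect me");
        return GCB_RELAYED;
    }
    return GCB_UNKNOWN_SERVER; /* no registration: nothing to broker */
}
```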

Firewall holes without GCB
(Diagram: server behind the server firewall, client behind the client firewall.)
Server firewall: incoming hole for the server. Client firewall: outgoing hole for the client.
These are the holes for server-client connections.

Firewall holes with GCB
(Diagram: broker behind the broker firewall, server behind the server firewall, client behind the client firewall.)
Broker firewall: incoming hole for the broker. Server firewall: outgoing hole for the server. Client firewall: outgoing hole for the client.
Holes for management messages and holes for server-client connections; the server and client firewalls need only outgoing holes.

GCB socket SW layer
GCB socket calls (GCB_bind(), GCB_connect(), GCB_accept(), ...) replace the standard socket calls (bind(), connect(), accept(), ...) at server and client applications.
A GCB call does whatever is needed to connect, such as communicating with other entities and reversing the connection direction, and then initiates the standard socket calls.

GCB layer: reversed TCP connection
(Sequence diagram across client machine, broker machine and server machine; time runs downward. Server side: GCB_socket, GCB_bind, GCB_listen, GCB_accept. Client side: GCB_connect.)

GCB layer: relayed TCP connection
(Sequence diagram with the same GCB calls: GCB_socket, GCB_bind, GCB_listen, GCB_accept on the server side and GCB_connect on the client side; time runs downward.)

SGCB architecture - Bypass
Applications must call GCB socket functions in order to use GCB. Using Bypass avoids this need.

Bypass
Bypass is a code generator for making C++ interposition agents.
1. The agent squeezes in between the application and the system calls.
2. The application issues a system call, e.g. accept().
3. The agent intercepts it and runs agent code, GCB_accept().
4. The agent code then calls the standard system calls it needs, for example connect().

Bypassing GCB
(Sequence diagram: the client and server applications call socket, bind, listen, accept and connect; the Bypass agent maps them onto GCB_socket, GCB_bind, GCB_listen, GCB_accept and GCB_connect, which talk to the broker; time runs downward.)
The Bypass agent implements GCB seamlessly for applications.

SGCB architecture - security
GCB management messages are not secure; the SGCB security layer adds security.

GCB: no management message security
(Sequence diagram between server/client and broker: Connect, Accept, Data. There is no authentication step.)

SGCB security scheme 1: trivial security
(Sequence diagram between server/client and broker: Connect, Accept, then AUTH_assert from the server/client and AUTH_accept from the broker, then Data.)
Applicable for management messages.

SGCB security scheme 2: GSI security
(Sequence diagram between server/client and broker: Connect, Accept, AUTH_assert with certificate, AUTH_accept with certificate, then Data, encrypted by the sender and decrypted by the receiver in both directions.)
Applicable for GCB management messages.

Broker location
(Diagram: broker in a DMZ; broker incoming, server outgoing, client outgoing.)
A broker has a relaxed security policy, allowing incoming connections.
It is recommended to locate a broker in a DMZ with no other computers.

GCB TCP performance, passing across a private network
(Table: Time [msec] of 1030; columns Relayed connection, Reversed connection; rows Connection avg. time, Data (echo) avg. time. The values are not present in the transcript.)
GCB does not cause a big time penalty.

Evaluation
SGCB does satisfy its requirements, however:
Scalability: the broker is a potential traffic bottleneck. Brokering of up to thousands of machines is yet to be tested.
Robustness: the broker is a single point of failure.
Complexity: adding the SGCB and Bypass SW layers to a grid application adds complexity and causes a debugging challenge.
Experimental: Globus problems with GCB and Bypass.
Applicability: SGCB is relevant for GT2 more than for GT3.

Status
SGCB works with test applications: it creates Bypass'ed connections across firewalls with trivial or GSI security.
SGCB support for Globus is under development.

References
Globus Toolkit Firewall Requirements: Von Welch
GCB: Recovering Internet Symmetry in Distributed Computing, Sechang Son and Miron Livny, Computer Science Department, University of Wisconsin
Bypass: Douglas Thain and Miron Livny
SGCB user guide: David Front
SSH tunnels and Globus (an alternative approach to connecting across firewalls)
Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto, HPL, October 2nd