Todd Tannenbaum Condor Team GCB Tutorial OGF 2007.

Presentation transcript:

What is GCB?
- GCB is the Generic Connection Broker
- Included in Condor (Nov 2005) and later
- Linux-only
- It solves the firewall traversal problem
- So what is the firewall traversal problem?

A Simple Condor Pool
[Diagram: Matchmaker, Executor, Submitter]
- Communication is initiated in two directions
- Note: this is a subset of the communication in Condor

What If There Is A Firewall?
- Firewalls usually block incoming traffic on most ports
- "Incoming" depends on your perspective:
  - Organizations have firewalls to protect from computers outside the organization
  - Individual computers have firewalls to protect from other computers

A Condor Pool With Firewall
[Diagram: Matchmaker, Executor, Submitter; the connections blocked by the firewall are marked X]

How Can You Traverse Firewalls? Punch a hole
- Configure the firewall to allow traffic on a certain range of ports to come through
- Tell Condor to restrict itself to use only this range
- Bummer: Condor can use many ports
- Bummer: punching holes makes people nervous

How Can You Traverse Firewalls? Use Condor-C
[Diagram: Matchmaker, Executor, Submitter, Re-Submitter]
- Put a host on the network edge
- Open a couple of ports for it
- Delegate jobs to this host

How Can You Traverse Firewalls? Change Condor to always use outgoing traffic
- What if there are two firewalls or private networks? Which direction is outgoing?
- GCB automates this solution:
  - It knows which direction is outgoing
  - It can proxy if there are two firewalls

GCB: Contacting Executor (One Possible Scenario)
[Diagram: Matchmaker, Executor, Submitter, GCB]
1. Executor registers with GCB (permanent TCP connection)
2. Executor advertises to matchmaker (GCB IP address)
3. After match, submitter contacts executor via GCB
4. GCB tells executor to open connection
5. Executor opens connection to submitter
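The callback sequence on this slide, as an added example that is not part of the tutorial or of GCB's own code: a toy broker keeps the executor's persistent outbound connection (step 1), a submitter that cannot reach the executor asks the broker for it (step 3), the broker tells the executor where to call back (step 4) and the executor opens the connection itself (step 5). Everything runs on loopback; the message names REGISTER, CONNECT, CALLBACK and the component names are made up for this illustration and are not the real GCB wire protocol. The matchmaker (step 2) is left out, and the proxy mode on the next slide is not modelled.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything in this toy runs on the loopback interface


class Broker:
    """Stand-in for gcb_broker: keeps one persistent connection per registered
    executor and, when a submitter asks for that executor, tells it to call the
    submitter back. REGISTER/CONNECT/CALLBACK are invented for this example."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind((HOST, 0))          # port 0: let the OS pick a free port
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        self.registry = {}                 # executor name -> its persistent socket
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        msg = conn.makefile("r").readline().split()
        if msg[:1] == ["REGISTER"]:
            # step 1: the executor registers; its connection is kept open
            self.registry[msg[1]] = conn
            conn.sendall(b"REGISTERED\n")
        elif msg[:1] == ["CONNECT"]:
            # steps 3-4: a submitter wants an executor; relay a callback request
            name, host, port = msg[1], msg[2], msg[3]
            target = self.registry.get(name)
            if target is None:
                conn.sendall(b"UNKNOWN\n")
            else:
                target.sendall(f"CALLBACK {host} {port}\n".encode())
                conn.sendall(b"OK\n")
            conn.close()


def executor(name, broker_port, ready):
    """Executor behind a firewall: it only ever opens *outbound* connections,
    first to the broker, later to whichever submitter the broker names."""
    ctrl = socket.create_connection((HOST, broker_port))
    ctrl.sendall(f"REGISTER {name}\n".encode())
    ctrl_in = ctrl.makefile("r")
    if ctrl_in.readline().strip() != "REGISTERED":
        return
    ready.set()
    for line in ctrl_in:                    # block on the persistent connection
        parts = line.split()
        if parts[:1] == ["CALLBACK"]:
            # step 5: connect out to the submitter that asked for us
            with socket.create_connection((parts[1], int(parts[2]))) as data:
                data.sendall(f"HELLO from {name}\n".encode())


def submitter(broker_port, executor_name):
    """Submitter on the public side: listens on a reachable port, then asks the
    broker to have the executor connect to it. Returns what it received."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen()
    listener.settimeout(5)                  # do not hang forever if nobody calls
    port = listener.getsockname()[1]
    with socket.create_connection((HOST, broker_port)) as req:
        req.sendall(f"CONNECT {executor_name} {HOST} {port}\n".encode())
        reply = req.makefile("r").readline().strip()
    try:
        if reply != "OK":
            return reply                    # e.g. UNKNOWN: nobody registered
        conn, _ = listener.accept()         # the executor's outbound connection
        with conn:
            return conn.makefile("r").readline().strip()
    finally:
        listener.close()


def demo():
    """Bring up the broker and one executor, then run two submitter requests:
    one for a registered executor, one for a name nobody registered."""
    broker = Broker()
    ready = threading.Event()
    threading.Thread(target=executor, args=("exec1", broker.port, ready),
                     daemon=True).start()
    if not ready.wait(5):
        raise RuntimeError("executor did not register with the broker")
    return submitter(broker.port, "exec1"), submitter(broker.port, "nobody")


if __name__ == "__main__":
    print(demo())  # ('HELLO from exec1', 'UNKNOWN')
```

The point to notice is the direction of every TCP connection: the executor never accepts one, so a firewall that only blocks incoming traffic to the executor's network does not get in the way; the only listener the executor's network needs to reach is the broker.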

GCB (Acting as Proxy)
[Diagram: Matchmaker, Executor, Submitter, GCB]
1. Assume 1 port open for matchmaker (can avoid…)
2. Executor registers with GCB (permanent connection)
3. Executor advertises to matchmaker (GCB IP address)
4. After match, submitter contacts executor via GCB
5. Communication flows through GCB, using both connections

GCB Advantages
- Good connectivity
- Works with multiple private networks
- Works with network address translation
- Don't need to punch holes in the firewall
- GCB does not need to be run as root
- No changes to firewall configuration

GCB Disadvantages
- GCB is a point of failure: all communication goes through GCB, so if GCB fails…
- Computers behind a firewall share an IP address (that of GCB)
  - Makes host-based security difficult
- Doesn't work with Kerberos security
- Can slow down network performance
- Scalability issues: a single GCB server is limited by the number of ports available on the computer
- Complex to configure and debug

Now for the Nitty Gritty…

Setting Up GCB
1. Install GCB
2. Configure GCB
3. Configure Condor to use GCB

Install GCB
- GCB comes with Condor
- GCB has two programs:
  - gcb_broker: the big brains of GCB
  - gcb_relay_server: proxy for private-net-to-private-net communication
- GCB was written independently of Condor
  - Can't read condor_config directly
  - So create the environment in condor_config; GCB reads its settings from the environment

Install GCB
- GCB should be on a computer with no other services
  - GCB can use lots of ports, so avoid port competition with other programs
  - Using GCB can slow down communication, so keeping GCB on its own computer helps speed
- GCB needs to be on the edge of the network: on the public network and the private network
- At least one GCB per private network

Configure GCB
To run from condor_master:
  # Specify that you only want the master
  # and the broker running
  DAEMON_LIST = MASTER, GCB_BROKER
  # Define the path to the broker binary
  # for the master to spawn
  GCB_BROKER = $(RELEASE_DIR)/libexec/gcb_broker

Configure GCB
GCB expects its configuration in the environment. Sample:
  # Provide the full path to the gcb_relay_server
  GCB_BROKER_ENVIRONMENT = GCB_RELAY_SERVER=$(GCB_RELAY)
  # Tell GCB to write all log files into the Condor log
  # directory (appending to the environment already defined)
  GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_LOG_DIR=$(LOG)
  # Tell GCB it can connect to the private network
  GCB_BROKER_ENVIRONMENT = $(GCB_BROKER_ENVIRONMENT);GCB_ACTIVE_TO_CLIENT=yes
  # Set the public IP address for the GCB broker
  GCB_BROKER_ARGS = -i
Note: more configuration options are available. See the manual for details.

Configure Condor to Use GCB
In condor_config:
  # Turn on GCB
  NET_REMAP_ENABLE = true
  NET_REMAP_SERVICE = GCB
  # Point to GCB
  NET_REMAP_INAGENT =
  # Routing table
  NET_REMAP_ROUTE = /full/path/gcbroutes

Set Up Routing Table
[Diagram: Private Network, Public Network, GCB Broker; the addresses are not in the transcript]
Routing table:
  /32 GCB
  */0 direct

Set Up Routing Table
[Diagram: two Private Networks, each with its own GCB Broker, and the Public Network; the addresses are not in the transcript]
Routing table:
  /32 GCB
  /32 GCB
  */0 direct

Security Implications
- Hosts in the private network look like they share a single IP address (the address of the GCB broker)
- If you use host-based security, you can't distinguish hosts in the private network: a host-based rule that admits the broker's address admits every host behind it
- GCB does not authenticate who it is providing its proxy service for
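An added example, not code from the tutorial or from GCB, covering the two preceding "Set Up Routing Table" slides and the security implication above: a resolver for a routing table in the slides' form (network/bits followed by GCB or direct), and a model of what a host-based ALLOW/DENY rule sees when connections arrive through the broker. The sample table and the addresses in it are constructed (RFC 5737 documentation ranges), and the first-match-in-order semantics of the resolver is an assumption the slides do not state; check the Condor manual's description of NET_REMAP_ROUTE before relying on it.

```python
import ipaddress

# Constructed sample routing table in the form the slides use
# (<network>/<bits> followed by "GCB" or "direct"). The addresses are made-up
# documentation ranges, not the ones on the slides.
SAMPLE_ROUTES = """
203.0.113.10/32   GCB      # broker for private network A
203.0.113.20/32   GCB      # broker for private network B
*/0               direct   # everything else: connect as usual
"""


def parse_routes(text):
    """Parse routing-table lines into (network, target) pairs, in file order.
    '#' starts a comment; '*' or '*/0' means any address."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net, target = line.split()
        if net in ("*", "*/0"):
            net = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(net, strict=False), target))
    return routes


def route_for(routes, dest_ip):
    """Return the target for dest_ip. Assumption (not stated on the slides):
    entries are tried in order and the first match wins; a destination
    matching no entry is contacted directly."""
    addr = ipaddress.ip_address(dest_ip)
    for net, target in routes:
        if addr in net:
            return target
    return "direct"


def apparent_peer(source_ip, private_nets, broker_ip):
    """The address a host-based rule sees for a connection that came through
    the broker: every host in the private networks (given as CIDR strings)
    shows up as the broker itself; everyone else as their own address."""
    src = ipaddress.ip_address(source_ip)
    if any(src in ipaddress.ip_network(n, strict=False) for n in private_nets):
        return broker_ip
    return source_ip


def host_rule_allows(allow_list, source_ip, private_nets, broker_ip):
    """Evaluate a host-based allow list against the address it actually sees,
    which is why two distinct private hosts cannot be told apart."""
    return apparent_peer(source_ip, private_nets, broker_ip) in allow_list


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(route_for(routes, "203.0.113.10"))   # GCB
    print(route_for(routes, "198.51.100.7"))   # direct
    private, broker = ["10.0.0.0/8"], "203.0.113.10"
    allow = {broker}                            # a rule meant for "the broker host"
    # two different private hosts both pass: the rule cannot distinguish them
    print(host_rule_allows(allow, "10.0.0.5", private, broker))   # True
    print(host_rule_allows(allow, "10.0.0.99", private, broker))  # True
```

The second half is the practical consequence of the slide: once a host-based rule lists the broker's address, it lists the whole private network behind it, and since the broker does not authenticate its clients, anything that can register with the broker inherits that standing.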

More Information
- Section 3.8 of the Condor manual, "Networking"
Thank You!!!