Dynamic Firewalls and Service Deployment Models for Grid Environments Gian Luca Volpato, Christian Grimm RRZN – Leibniz Universität Hannover Cracow Grid.

Slide 1: Dynamic Firewalls and Service Deployment Models for Grid Environments
Gian Luca Volpato, Christian Grimm
RRZN – Leibniz Universität Hannover
Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006

Regional Computing Centre for Lower Saxony | Gian Luca Volpato | Slide 2: Overview
Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative On-Demand Opening (CODO)
- Limitations
Globus Toolkit deployment model
- Services at the Resource Provider
- Use of existing computing infrastructure
- Minimal number of connections through the site firewall

Slide 3: Firewall
A Firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy. (Wikipedia)
Good: it blocks unwanted and malicious traffic.
Bad: it might not be flexible enough to allow seamless execution of Grid applications.

Slide 4: Dynamic Firewall
Goal
Protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on demand.
Current solutions
Signaling protocol to add/remove filtering rules:
- "Off-path": communication between applications and firewalls
- "In-path": communication between application peers intercepted by intermediate firewalls

Slide 5: Dyna-Fire & Cooperative On-Demand Opening
One daemon runs on the same host as the firewall to:
- monitor all connection requests
- add/remove filtering rules in the firewall
A connection is allowed when the client request is successfully authenticated and authorized.
Signaling protocol:
- Dyna-Fire ==> messages carried by Port Knocking
- CODO ==> messages carried over SSL channel
[Diagram: Client Application with signaling Library, Daemon at the firewall, Server Application in the Intranet; steps 1 and 2]

Slide 6: Limitations of dynamic firewalls
- No mechanism to discover automatically the firewalls along the path: signaling before connection establishment? Static routing table configuration
Dyna-Fire and Port Knocking
- CPU overhead for monitoring of connection attempts
- Exclusive reservation of some ports
- Unidirectional protocol, exposed to replay and man-in-the-middle attacks
CODO
- Applications (client and server!) must be recompiled/relinked with a special socket library
- Authorization policy is coarse-grained and not flexible
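The daemon described on slide 5 (authenticate and authorize a signaling request, then install a filtering rule) and the replay weakness listed on slide 6 can be shown together in a small simulation. The following is an added example written for this page, not code from the Dyna-Fire or CODO projects: it models the firewall rule table as a dictionary, carries the signaling message as an HMAC-authenticated record with a timestamp and nonce (an assumed message format, chosen so that a captured message cannot be replayed), and expires rules after a fixed lifetime. The shared key, client address and authorization table are constructed demo values; port 2811 is the default GridFTP control port.

```python
import hmac
import hashlib
import secrets

# Constructed demo values; a real deployment would use per-client credentials.
SHARED_KEY = b"demo-shared-key-not-for-production"
RULE_LIFETIME = 300   # seconds a dynamically opened port stays open
MAX_SKEW = 30         # tolerated clock drift; older messages are rejected outright


def sign_request(key, client_ip, port, timestamp, nonce):
    """HMAC over every field the daemon will act on, so none can be altered in transit."""
    msg = f"{client_ip}|{port}|{timestamp}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(key, client_ip, port, now):
    """Client side: build one signaling message (assumed format, see lead-in)."""
    nonce = secrets.token_hex(8)
    return {"client": client_ip, "port": port, "ts": now, "nonce": nonce,
            "mac": sign_request(key, client_ip, port, now, nonce)}


class DynamicFirewall:
    """Daemon side: authenticate, authorize, then add/expire filtering rules."""

    def __init__(self, key, authorized):
        self.key = key
        self.authorized = authorized   # client_ip -> set of ports it may open
        self.rules = {}                # (client_ip, port) -> expiry time
        self.seen = {}                 # nonce -> timestamp, kept for MAX_SKEW seconds

    def handle(self, req, now):
        expected = sign_request(self.key, req["client"], req["port"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "reject: bad signature"
        # Messages outside the skew window are stale; together with the nonce
        # cache below this bounds how long a captured message is useful.
        if abs(now - req["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if t >= now - MAX_SKEW}
        if req["nonce"] in self.seen:
            return "reject: replayed request"
        self.seen[req["nonce"]] = req["ts"]
        if req["port"] not in self.authorized.get(req["client"], set()):
            return "reject: not authorized"
        self.rules[(req["client"], req["port"])] = now + RULE_LIFETIME
        return "accept"

    def expire(self, now):
        for key in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[key]

    def allows(self, client_ip, port, now):
        """What the packet filter would answer for a connection attempt at time `now`."""
        self.expire(now)
        return (client_ip, port) in self.rules


def demo():
    """One accepted request, the same message replayed, and rule expiry (constructed)."""
    fw = DynamicFirewall(SHARED_KEY, {"198.51.100.7": {2811}})
    now = 1_700_000_000
    req = make_request(SHARED_KEY, "198.51.100.7", 2811, now)
    first = fw.handle(req, now)
    replay = fw.handle(req, now + 5)
    open_now = fw.allows("198.51.100.7", 2811, now + 10)
    open_later = fw.allows("198.51.100.7", 2811, now + RULE_LIFETIME + 1)
    return first, replay, open_now, open_later


if __name__ == "__main__":
    print(demo())
```

The two checks that are missing from a bare port-knocking sequence are the signature over the whole message and the timestamp plus nonce pair: without the first an intermediary can alter the requested port, without the second a recorded knock sequence reopens the port at any later time. The rule expiry mirrors the "on demand" goal of slide 4: the port is closed again without any further signaling.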

Slide 7: Deployment model for Globus Toolkit 4
[Diagram: DMZ with Local MDS-Index, GridFTP Server, RFT Server, GRAM Server, User Interface; Intranet with Batch System Nodes and Batch System Master]
Constraints
- Use existing batch computing resources
- GT4 services must be reachable from the Internet
Goals
- Avoid any connection between hosts in the Intranet and hosts in the external Internet
- Identify, analyze and reduce the connections between hosts in the Intranet and GT services in the DMZ

Slide 8: Batch system
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GRAM Server on the Batch System Login Node]
Install Globus GRAM on a host that can submit jobs to the Batch System.
Either:
- Enable shared file system between this node and the Batch System
- Modify GRAM scripts in order to use Batch System functions for file stage-in and file stage-out

Slide 9: GridFTP option 1
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GridFTP Server]
- GridFTP server and Batch System have a shared file system
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are stored in the local GridFTP server

Slide 10: GridFTP option 2
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GridFTP Server]
- Batch System nodes have direct access to the local GridFTP server
- Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server
- Output files are uploaded to the local GridFTP server

Slide 11: Reliable File Transfer
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server]
- RFT server is installed on the same host where the GRAM server runs
- Connections are established: within the DMZ; between the DMZ and the external Internet

Slide 12: MDS
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server, Local MDS-Index]
- Deploy one MDS-Index that collects monitoring information from all local GRAM and RFT servers (in future also GridFTP servers)
- Connections are established: within the DMZ; between the DMZ and the external Internet; between the Batch System Master and the GRAM server (Ganglia, Nagios, etc.)

Slide 13: User Interface
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server, Local MDS-Index, User Interface]
- The User Interface is used to submit/monitor/manage Grid jobs
- Connections are established: within the DMZ; between the DMZ and the external Internet

Slide 14: Full model
[Diagram: Intranet with Batch System Nodes and Batch System Master; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server, Local MDS-Index, User Interface. Legend: GRAM, RFT, Batch System, User Interface, MDS, GridFTP, Shared File System]
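Slides 7 to 14 build up a connection model one service at a time, with two goals stated on slide 7: no connection at all between the Intranet and the external Internet, and as few connections as possible between the Intranet and the DMZ. A practical way to keep a deployment honest against those goals is to write the required flows down and check them mechanically. The script below is an added example for this page, not part of the slides or of the Globus Toolkit; the host names, the zone assignments and the list of flows are constructed from the slides' descriptions (the direction of the Ganglia/Nagios flow and the user-interface flows are assumptions, since the slides do not state them).

```python
# Zones and hosts follow the deployment model on slides 7 to 14; the host names are
# constructed labels for this example, not names taken from a real configuration.
INTERNET, DMZ, INTRANET = "Internet", "DMZ", "Intranet"

HOST_ZONE = {
    "external-client": INTERNET,      # remote Grid user or service
    "remote-gridftp": INTERNET,       # GridFTP server at another site
    "upstream-mds-index": INTERNET,   # MDS-Index at another site
    "gram-server": DMZ,               # GRAM and RFT on the batch system login node
    "gridftp-server": DMZ,
    "local-mds-index": DMZ,
    "user-interface": DMZ,
    "batch-master": INTRANET,
    "batch-node": INTRANET,
}

# Flows the deployment needs (src, dst, purpose), read from the slides; constructed list.
REQUIRED_FLOWS = [
    ("external-client", "gram-server", "job submission"),
    ("external-client", "gridftp-server", "file stage-in / stage-out"),
    ("external-client", "local-mds-index", "resource discovery"),
    ("gram-server", "batch-master", "login node submits jobs to the batch system"),
    ("gram-server", "gridftp-server", "RFT drives local transfers"),
    ("gram-server", "remote-gridftp", "RFT third-party transfer to another site"),
    ("batch-node", "gridftp-server", "GridFTP option 2: nodes upload output files"),
    ("gram-server", "local-mds-index", "GRAM/RFT report to the local MDS-Index"),
    ("local-mds-index", "upstream-mds-index", "local index publishes upstream"),
    ("batch-master", "gram-server", "Ganglia/Nagios feed (direction assumed)"),
    ("user-interface", "gram-server", "submit/monitor/manage jobs (assumed)"),
    ("user-interface", "gridftp-server", "user file transfers (assumed)"),
]


def audit(flows, host_zone=HOST_ZONE):
    """Classify each flow against the two goals on slide 7.

    Returns a dict with:
      violations - flows between the Intranet and the external Internet (must be empty)
      crossings  - flows between the Intranet and the DMZ (to be reviewed and minimised)
      exposed    - DMZ hosts that must accept connections from the Internet
    """
    result = {"violations": [], "crossings": [], "exposed": set()}
    for src, dst, purpose in flows:
        zones = {host_zone[src], host_zone[dst]}
        if zones == {INTRANET, INTERNET}:
            result["violations"].append((src, dst, purpose))
        elif zones == {INTRANET, DMZ}:
            result["crossings"].append((src, dst, purpose))
        if host_zone[src] == INTERNET and host_zone[dst] == DMZ:
            result["exposed"].add(dst)
    return result


def allow_list(flows, host_zone=HOST_ZONE):
    """Zone-crossing pairs the site firewall must permit; everything else stays denied.
    Ports are omitted because the slides do not list them."""
    pairs = {(src, host_zone[src], dst, host_zone[dst])
             for src, dst, _ in flows if host_zone[src] != host_zone[dst]}
    return sorted(pairs)


if __name__ == "__main__":
    report = audit(REQUIRED_FLOWS)
    print("violations:", report["violations"])
    print("intranet<->dmz crossings:", len(report["crossings"]))
    print("exposed DMZ services:", sorted(report["exposed"]))
    for rule in allow_list(REQUIRED_FLOWS):
        print("allow", rule)
```

With the flows as listed, the audit reports no Intranet-to-Internet violation and exactly three Intranet-to-DMZ crossings (job submission from the login node, output upload from the batch nodes, and the monitoring feed), which is the set slides 8, 10 and 12 ask the operator to scrutinise. Adding a flow such as a batch node fetching input directly from a remote GridFTP server shows up as a violation, which is the kind of shortcut the shared-file-system and local-GridFTP options on slides 9 and 10 exist to avoid.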

Slide 15: Summary
Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative on Demand Opening (CODO)
- Limitations
Globus Toolkit deployment model
- GT4 services in DMZ
- Use of existing computing infrastructure
- Minimal number of connections through the firewall

Slide 16: Thank you! Questions?