1 Connecting across Firewalls on the Grid
Jeff Tan, David Abramson and Colin Enticott (Monash University, Australia)
[Figure: components c_A and c_B on n_A and n_B, joined through Remus rerouters ρ_A and ρ_B across firewalls]
Firewalls restrict the level of collaboration possible on the Grid, while middleware and applications are often not built to handle such restrictions. We present an architecture that facilitates communication across firewalls, designed neither to compromise security nor to require heavy customization of existing software. We call it REMUS.

2 Tan, Abramson & Enticott, "Connecting across Firewalls on the Grid." (GGF-18)
What's a Firewall?
"a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy." (Wikipedia)
Good for you: it enforces your site's policy. Bad for you: it also blocks the cross-site connections that Grid middleware expects.

3 Motivation: Grid Enabling Legacy Software (GriddLeS) Workflows
Firewalls restrict non-local data transfers.
[Figure: a legacy application's file calls (open(), read(), write(), seek(), close()) pass through the GriddLeS FileMultiplexer, which makes a late-bound decision to serve each file from a local file, a remote file, a cache, GRS replicas, or a remote application process.]

4 GriddLeS Redirected I/O via Web Services
- Execution nodes can only access the front node.
- The front node cannot access the Internet, but can access the local public web server.
- Public web servers are mutually accessible.
- Assumes that public web servers are available.
[Figure: Domain 1 and Domain 2, separated by a firewall. In each domain an exec node runs the GriddLeS writer or reader, the front node runs the GriddLeS redirection service, and the public web server runs the GriddLeS buffer service; only the two public web servers talk to each other across the firewall.]

5 Motivation: Nimrod Parameter Sweeps
- Nimrod manages the execution of parametric studies across distributed computers.
- A high-level environment for parameter sweep applications (PSAs).
- A push-and-pull model for experiment processing using agents.
- Grid-enabled with Nimrod/G.

6 SC2003
[Figure only]

7 Nimrod Applications
- Air pollution studies
- Laser physics
- Ecology
- Discrete optimization and meta-heuristics
- CAD
- Digital simulation
- Etc.
And they all rely on the interconnection of Nimrod components over the network, both for access to more resources and for overall application performance.

8 The Networked Components of Nimrod/G
- Nimrod server components: the file server (FS), the database server (DBS), and the actuator.
- Agents process experiments on computational resources.
- Agents pull job inputs in and push results out.
- Firewalls can block agents communicating with FS and DBS.
[Figure: experiment management (FS, DBS, actuator) and resource management on one side; computational resources running Nimrod agents on the other.]

9 Abstract Model of Rerouting
- An authorized channel must be open.
- We can tunnel multiple connections through it.
- We should avoid reprogramming.
- We can use off-the-shelf means.
[Figure: components c_A and c_B on n_A and n_B, connected through Remus rerouters ρ_A and ρ_B over a single open port. Legend: ρ_i: Remus rerouters; c_j: communicating components; open port.]

10 Accessible Ports
- Place rerouters at unused and accessible ports.
- However, secure networks will usually open useful ports only, i.e., ports running services like HTTP.
- Use a daemon to run rerouters as servlets, web services, etc. But daemons have different capabilities.
[Figure: two cases. Vacant port: rerouters ρ_A and ρ_B listen on an open but unused port on n_A and n_B. Non-vacant port: the open port on n_B is already held by daemon d_B, so the rerouter runs inside the daemon (ρ_B = D) and reaches c_B through a rerouted local port. Legend: ρ_i: Remus rerouters; c_j: communicating components; open port; blocked port; rerouted local port.]

11 No Direct Access, Use Proxies
- Use a mutually accessible proxy host, or several in a chain.
- The proxy host is usually a low-risk host that does not run critical applications.
- The proxy host can be hardened, with full logging.
[Figure: c_A and c_B, each behind its own firewall, reach each other through rerouters ρ_A and ρ_B and intermediate proxy hosts φ_1 and φ_2.]

12 Globus (GT2)
- Open ports may be too few, or impossible, in secure environments.
- Designated ephemeral ports must be open, even in GT4.
- The Nexus Proxy involves a rebuild.
- The Proxy router is specific to Globus.
[Figure: client site (Globus client, GridFTP server) and gatekeeper site (gatekeeper, job manager, FTP server process); the exchange consists of create, job-run, status, url-copy and ftp-data connections between the two sites.]

13 Test Case 1: Globus
- Use SSH port forwarding and SOCKS.
- Use a SOCKS wrapper around the Globus client and services.
- Transparent: no rebuild.
[Figure: Site 1 (globus client host): globusrun runs under SOCKS wrapper ρ_A, which hands its connections to the local SOCKS proxy X_1 provided by the ssh client. Site 2: the SSH tunnel from X_1 terminates at sshd on the DMZ host, whose SSH port is the only open, unrestricted port; sshd forwards the tunnelled connections (rX_2) into the protected network, where the gatekeeper and job manager run under SOCKS wrapper ρ_B with a local SOCKS proxy X_2, and connections initiated from that side are forwarded back through the tunnel. Every other port involved is a local port.]

14 Test Case 2: Nimrod/G + Globus
- Nimrod/G using Globus resources.
- Same setup as Case 1.
- Transparent: no rebuilding of Nimrod/G.
[Figure: as in Case 1, but Site 1 is the Nimrod/G host (Nimrod/G with its FS and DBS, globusrun under SOCKS wrapper ρ_A, and the ssh SOCKS proxy X_1), while on the protected network at Site 2 the Nimrod agent, next to the gatekeeper and job manager under SOCKS wrapper ρ_B, reaches FS and DBS through the local SOCKS proxy X_2 and the SSH tunnel via the DMZ host.]

15 Issues
- Performance: slower, but connected.
- Reliability: requires further work, but relies on mature technology, e.g., SSH and SOCKS.
- Security: relies on proven, trusted technology, and certain features mitigate risks, e.g., firewall-like configurability and logging.
- Portability: applies to Grid applications in general.
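To make the SOCKS leg of Test Cases 1 and 2 and the "firewall-like configurability and logging" point concrete, here is an added example in Python. It is not REMUS code and not the authors' implementation; everything in it is constructed for the demo. The client side does what a SOCKS wrapper does on behalf of an unmodified application (a SOCKS5 CONNECT to a local proxy X), and the proxy side behaves like the hardened proxy host of slide 11: it relays only to an allowlist of (host, port) targets, refuses anything else before dialling out, and records every decision. The "gatekeeper" is a loopback stub that answers one request, and all ports are picked at run time.

```python
"""SOCKS5 CONNECT demo: added example, not REMUS code; all hosts/ports are constructed, on loopback."""
import logging
import socket
import threading

log = logging.getLogger("remus-demo")
VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x00, 0x01, 0x01, 0x03
REP_OK, REP_RULESET_DENY = 0x00, 0x02                    # 0x02 = "not allowed by ruleset"
NULL_BIND = bytes([0x00, ATYP_IPV4]) + b"\0" * 6        # RSV, ATYP, BND.ADDR/PORT = 0.0.0.0:0

def recv_exact(sock, n):
    """SOCKS fields are fixed-size: read exactly n bytes or fail loudly."""
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("peer closed mid-message")
    return buf

def pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def serve_loopback(handler):
    """Listen on an ephemeral loopback port; run handler(conn) in a thread per client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

class PolicySocksProxy:
    """SOCKS5 server (the X side) with a firewall-like allowlist and a decision log."""
    def __init__(self, allow):
        self.allow = set(allow)          # {(host, port), ...}: the only permitted targets
        self.decisions = []              # (host, port, allowed): the audit trail
        self.port = serve_loopback(self._handle)

    def _handle(self, conn):
        with conn:
            ver, nmeth = recv_exact(conn, 2)                 # VER NMETHODS, then METHODS
            if ver != VER or NO_AUTH not in recv_exact(conn, nmeth):
                conn.sendall(bytes([VER, 0xFF]))             # no acceptable method
                return
            conn.sendall(bytes([VER, NO_AUTH]))
            _ver, cmd, _rsv, atyp = recv_exact(conn, 4)      # VER CMD RSV ATYP
            if atyp == ATYP_IPV4:
                host = socket.inet_ntoa(recv_exact(conn, 4))
            else:                                            # domain form (no IPv6 in this demo)
                host = recv_exact(conn, recv_exact(conn, 1)[0]).decode()
            port = int.from_bytes(recv_exact(conn, 2), "big")
            allowed = cmd == CMD_CONNECT and (host, port) in self.allow
            self.decisions.append((host, port, allowed))
            log.info("CONNECT %s:%d %s", host, port, "ALLOW" if allowed else "DENY")
            if not allowed:                                  # refuse before dialling out
                conn.sendall(bytes([VER, REP_RULESET_DENY]) + NULL_BIND)
                return
            with socket.create_connection((host, port)) as upstream:
                conn.sendall(bytes([VER, REP_OK]) + NULL_BIND)
                back = threading.Thread(target=pipe, args=(upstream, conn))
                back.start()
                pipe(conn, upstream)
                back.join()

def socks_connect(proxy_port, host, port):
    """Client side (what the SOCKS wrapper does for the unmodified application)."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(bytes([VER, 1, NO_AUTH]))                      # offer "no authentication" only
    if recv_exact(s, 2)[1] != NO_AUTH:
        s.close()
        raise ConnectionError("proxy rejected our auth methods")
    name = host.encode()
    s.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big"))
    _ver, rep, _rsv, atyp = recv_exact(s, 4)
    recv_exact(s, (4 if atyp == ATYP_IPV4 else recv_exact(s, 1)[0]) + 2)   # skip BND.ADDR/PORT
    if rep != REP_OK:
        s.close()
        raise PermissionError(f"proxy refused {host}:{port} (REP={rep:#04x})")
    return s

def gatekeeper_stub(conn):                                   # constructed stand-in for the gatekeeper
    with conn:
        conn.sendall(b"GK:" + conn.recv(4096))               # answer one request, then close

def demo():
    gk_port = serve_loopback(gatekeeper_stub)
    proxy = PolicySocksProxy(allow={("127.0.0.1", gk_port)})
    with socks_connect(proxy.port, "127.0.0.1", gk_port) as s:   # on the allowlist
        s.sendall(b"job-run")
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    try:                                                         # off the allowlist
        socks_connect(proxy.port, "127.0.0.1", gk_port + 1)
        denied = False
    except PermissionError:
        denied = True
    return reply, denied, list(proxy.decisions)
```

Calling demo() returns the relayed reply, a flag showing that the second target was refused, and the two logged decisions (ALLOW, then DENY). In the deployment the slides describe, the same constraint belongs on the SSH side rather than in custom code: restrict what the tunnel may reach with PermitOpen in sshd_config, or with restrict and permitopen= on the key in authorized_keys, and raise sshd's LogLevel so that forwarding requests are recorded, so that the open SSH port is a channel to the gatekeeper and not a general-purpose hole through the firewall.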

16 Performance Impact
[Plot: FTP throughput (MB/sec) against FTP file size (MB)]

17 Tunneling Impact
[Plot: FTP throughput (MB/sec) against FTP file size (MB), with raw IP as the baseline]

18 Future Directions
- Work on installation (packaging).
- Work on multiple mechanisms.
- Work on fault tolerance.
- Load balancing.
[Figure: globusrun under a SOCKS wrapper reaching the gatekeeper and job manager (under SOCKS wrapper ρ_B) over two tunnels (tunnel 1, tunnel 2) through a proxy Px; GR, GK and JM mark globusrun, gatekeeper and job manager on each path.]

19 Conclusions
- Security and resource sharing are inherently at odds with each other.
- Grid applications can work with firewalls with a reasonable degree of accessibility.
- Grid applications and firewalls can leave accessibility mechanisms to middleware.
Acknowledgment: Australian Partnership for Advanced Computing.


21 Throttling?
[Plot: FTP throughput (MB/sec) against FTP file size (MB)]
