Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewall Issues BoF 5:00 Agenda bashing, find note-taker, sign-up sheets, IPR. 5:05 Introduction - Leon Gommans UvA 5:20 SOAP Routing Issues - Frank Siebenlist.

Published byClemence Morrison Modified over 7 years ago

Similar presentations

Presentation on theme: "Firewall Issues BoF 5:00 Agenda bashing, find note-taker, sign-up sheets, IPR. 5:05 Introduction - Leon Gommans UvA 5:20 SOAP Routing Issues - Frank Siebenlist."— Presentation transcript:

1 Firewall Issues BoF 5:00 Agenda bashing, find note-taker, sign-up sheets, IPR. 5:05 Introduction - Leon Gommans UvA 5:20 SOAP Routing Issues - Frank Siebenlist ANL 5:35 Securing Grid Services, Thijs Metsch Deutsche Aerospace 5:50 ESNET, PNNL and Fusion Grid, Michael Helm ESNet. 6:05 Grid-VPN RG BoF, Chan-Hyon Youn, co-chair Grid VPN RG BoF. 6:10 Charter discussion. Co-Chairs: Leon Gommans - lgommans@science.uva.nllgommans@science.uva.nl Inder Monga - imonga@nortel.comimonga@nortel.com

2 Expressed Interest GGF-12 Brussels: Sec Area meeting identified the need to start to work on “issues related to firewalls”. Grid application level control is desired at both ends of a public network in case resources needs sharing. Follow-up was done on Sec. Area mailing list and interest was shown. A charter discussion started. Items brought up on list – Make guide for firewall administrators – This is a re-affirmation of a need – Need well described requirement and market need – Vendor participation is important – Good for more rigorous IETF engagement – Grid-Projects require special firewall configurations – Pointers to relevant work in particular within HEP community

3 Examples of pointers to relevant work GGF: Document GFD-37. Chapter 8 lists types of issues (performance, dynamic configuration, reliability, etc.) It points at IETF. CERN: lcgdeploy.cvs.cern.ch/cgi-bin/lcgdeploy.cgi/lcg2/docs/lcg-port-table.pdf Giving character of the problem by listing ports for LCG applications. GLOBUS: http://www.globus.org/security/firewalls/http://www.globus.org/security/firewalls/ Von Welch: Globus Toolkit Firewall Requirements EGEE: EGEE-JRA3-TEC-501422-Grid-Security-Incident-v-1.2 listing various types of grid security issues. Research: Theo Dimitrakos, Dave Chadwick: Policy-driven management of firewalls UvA: Multi-domain network traversal based on wire speed security token handling in IP packets. Uses Generic AAA mechanisms to provision the token based switches equipment. Other relevant area’s: Universal Plug and Play (UPnP), Skype P2P VoIP using Midcom (e.g. STUN RFC 3489) to recognize a VoIP client is sitting behind firewall / nat.

4 Work done at IETF Authenticated Firewall Traversal Working Group: http://www.ietf.org/html.charters/aft-charter.html Finished in 1996 with SOCKS RFCs 1928,1929 & 1961 GFD37 notes weak acceptance. Middlebox Communication Working Group: http://www.ietf.org/html.charters/midcom-charter.html Nearly finished - RFCs 3303,3304,3489,3989 and 2 IDs. Next Steps in Signaling (NSIS) Working Group: http://www.ietf.org/html.charters/nsis-charter.html Ongoing - june 05 present draft on FW/NAT signaling

5 Middlebox work Are intermediate devices requiring application intelligence, in the area of: 1)Application specific policy based functions such as packet filtering, VPN tunneling, IDS etc. 2)NAT services providing routing transparency across IP address realms 3)Application level gateways examining/modifying content. Definition Middlebox from RFC3303: A Middlebox is a network intermediate device that implements one or more of the middlebox services. A Firewall middlebox is a middlebox implementing firewall service. Traditional middleboxes embed application intelligence within the device to support specific application traversal. Middleboxes supporting the MIDCOM protocol will be able to externalize application intelligence into MIDCOM agents.

6 RFC 3303 RFC 3303 Middlebox communication architecture and framework. Terminology: firewall, end-host, midcom agent, midcom pdp, midcom protocol, midcom session etc. Architecture: identifies variety of midcom agents can interface with middlebox function

7 NSIS Signaling WG Generalizes RSVP, a protocol for QoS style signaling. RFC’s on requirements and drafts on framework, security and NSIS Signaling and Transport Protocols (NTLP/NSLP). Work clearly recognizes that dynamic applications have issues when traversing Firewalls & NAT’s. NSIS work however defers consideration of authorization.

8 Tasks to be done by FIG As seen for example by Ralph Niederberger, Forchungs Zentrum Julich, Germany: – Checking which protocols, procedures, mechanisms are available already – Evaluating, which of these can be used to reach the defined goals – Definition of the new protocols, datastructures and security mechanisms – (Implementing a prototype) Strategic objectives will be to define a standardized authorization mechanism accepted and implemented by firewall vendors into their systems so that grid enabled firewalls will become reality

9 Interactions GGF Firewall/NAT Solution developers Solutions developers are lifted out of both GGF and IETF communities

10 Interactions GGF Firewall/NAT Solution developers Study interactions

11 Interactions GGF Grid Specific Requirements Definition Firewall/NAT Solution developers Requirements Document

12 Interactions GGF Solution (Protocol) Development Liaison functions Firewall/NAT Solution developers

13 Interactions GGF Offer Interoperable Grid Specific Solutions Firewall/NAT Solution developers Uses Solutions Yield Stakeholder Value

14 FIG Charter Description of Work: Grids increasingly require application driven transport privileges from the network. As such, the network is asked to make policy decisions on behalf of the various entities participating in an application's operation. A need has developed for Grid applications to communicate its requirements to the devices in the network that provide transport policy enforcement. Examples of such devices include firewalls, network address translators, and other gateway style devices. This working group will focus its attention to issues that Grid applications experience when the need arises to control NAT/firewall functions. Some examples are highlighted in GFD.37. The work will not preclude extensibility to other categories of what the IETF refers to as “middle-boxes”. This working group will concern itself with an environment that consists of: - one or more NAT/Firewalls in the data path. NAT/Firewalls may be external network devices or they may be integral to a host. There may also be application/xml-soap level firewalls involved. - a requesting Grid application - an optional policy decision point in which a firewall acts as enforcement point deploying models such as described in GFD.38. A requesting entity may be trusted or untrusted. In the case where it is trusted, the “middle box” will treat the request from the entity as authoritative. In the case where it is not trusted, the intermediate device will have to verify that it is authorized to complete the request. Authorization could originate from a separate, or a built in policy server. Policies can be created manually or automatically. The working group will evaluate existing IETF models, architectures and protocols for their applicability to the set of issues identified in the Grid and will deliver a document(s) that will recommend possible solutions and modifications to current protocols, if any, to the attention of the IETF. The output will be actively promoted within the firewall vendor community. The IETF work that will at least be considered is the output of the following groups: - midcom - "middlebox" communication: http://www.ietf.org/html.charters/midcom-charter.html - aft - Authenticated Firewall Traversal: http://www.ietf.org/html.charters/aft-charter.html - nsis – Next Steps in Signaling: http://www.ietf.org/html.charters/nsis-charter.html Input and participation from the vendor community is explicitly encouraged. Existing documents from the grid community will be used as starting point.

15 FIG Charter Goals and Milestones: Submit after GGF15 informational document(s) that will focus on 1) An inventory of the issues with use-cases when Grid jobs must deal with firewall functions. 2) Subsequently technically describe and classify the issues in document #1 3) Evaluating existing IETF protocols and firewall functions for their suitability. 4) Recognize possible limitations of an identified firewall function and/or protocol and produce a list of requirements towards the IETF and interested firewall vendors. 5) Discuss and capture recommended approaches and solutions addressing the grid-specific issues and distribute towards the IETF and interested firewall vendors and capture results of 3-5 in document #2 GGF13: Charter discussion and group volunteers GGF14: First draft and Group discussions GGF15: Second draft and Group discussions. First draft of recommended approaches and solutions December 2005: WG last-call and final submission of document #1. GGF 16: Second draft and group discussions May 2006: WG last-call and final submission of document #2.

Download ppt "Firewall Issues BoF 5:00 Agenda bashing, find note-taker, sign-up sheets, IPR. 5:05 Introduction - Leon Gommans UvA 5:20 SOAP Routing Issues - Frank Siebenlist."

Similar presentations

© 2006 Open Grid Forum Firewall Models Firewall Issues Research Group - OGF 19 Chapel Hill - Januari 30th 2007 Inder Monga, Leon Gommans.

© 2006 Open Grid Forum Firewall Models Firewall Issues Research Group - OGF 19 Chapel Hill - Januari 30th 2007 Inder Monga, Leon Gommans.
Oct, 26 th, 2010 OGF 29, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Status update

Oct, 26 th, 2010 OGF 29, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Status update
© 2006 Open Grid Forum Security Area OGF19 Standard All Hands.

© 2006 Open Grid Forum Security Area OGF19 Standard All Hands.
June 2 nd, 2008 OGF 23, FVGA-WG-BoF: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications BOF

June 2 nd, 2008 OGF 23, FVGA-WG-BoF: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications BOF
Oct 15 th, 2009 OGF 27, Infrastructure Area: Status of FVGA-WG Status of Firewall Virtualization for Grid Applications - Working Group

Oct 15 th, 2009 OGF 27, Infrastructure Area: Status of FVGA-WG Status of Firewall Virtualization for Grid Applications - Working Group
September 17 th, 2008 OGF 24, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Work Group

September 17 th, 2008 OGF 24, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Work Group
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
November 9 1999IPsec Remote Access BOF Washington D.C. November 9 1999.

November IPsec Remote Access BOF Washington D.C. November
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.
Abstraction and Control of Transport Networks (ACTN) BoF

Abstraction and Control of Transport Networks (ACTN) BoF
Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.

Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.
BEHAVE BOF (Behavior Engineering for Hindrance AVoidancE) Cullen Jennings Jiri Kuthan.

BEHAVE BOF (Behavior Engineering for Hindrance AVoidancE) Cullen Jennings Jiri Kuthan.
DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.

DIME WG IETF 82 Dime WG Agenda & Status THURSDAY, November 17, 2011 Jouni Korhonen & Lionel Morand.
1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.

1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.
AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.

AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.
OGF DMNR BoF Dynamic Management of Network Resources Documents available at: Guy Roberts, John Vollbrecht.

OGF DMNR BoF Dynamic Management of Network Resources Documents available at: Guy Roberts, John Vollbrecht.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
Dataplane and Content Security on Optical Networks panel.

Dataplane and Content Security on Optical Networks panel.
Peer to Peer Streaming Protocol (PPSP) BOF Gonzalo Camarillo Ericsson Yunfei Zhang China Mobile IETF76, Hiroshima, Japan 13:00~15:00 THURSDAY, Nov 12,

Peer to Peer Streaming Protocol (PPSP) BOF Gonzalo Camarillo Ericsson Yunfei Zhang China Mobile IETF76, Hiroshima, Japan 13:00~15:00 THURSDAY, Nov 12,

Similar presentations

Ads by Google