Secure Generic Connection Brokering (SGCB): enhancing secure submission of grid jobs across firewalls. JPDPS, Tel-Aviv, Dec 2003. Presentation transcript.

Slide 1: Secure Generic Connection Brokering (SGCB), JPDPS Tel-Aviv, Dec 2003
Secure Generic Connection Brokering (SGCB): enhancing secure submission of grid jobs across firewalls
David Front, Lorne Levinson, Morton Taragin (Weizmann Institute of Science, Rehovot)
Miron Livny, Se-Chang Son (University of Wisconsin, Madison)
Itzhak Ben-Akiva (Tel Aviv University, Tel Aviv)

Slide 2: Agenda
The problem
Requirements
Architecture
Performance, evaluation
References

Slide 3: The problem
In order to use (Grid) servers, incoming connections must be created.
Organization security policies restrict connections to prevent malicious acts.
Incoming connections are more threatening than outgoing connections.
Hence, organization security managers object to allowing incoming connections through grid domain firewalls.

Slide 4: The problem: 2 use cases
(Grid) network applications fail to create incoming connections because of the organization security policy, enforced by firewall(s).
1. The server's firewall prevents connections to the server. The server may connect to the client.
2. In addition, the client's firewall prevents connections to the client. No direct connection is possible.
(Figure: server behind the server firewall, client behind the client firewall.)

Slide 5: Requirements
A solution to securely submit jobs across firewalls should:
1. Satisfy security managers: allow incoming connections, yet not violate security policies
2. Not require dynamic firewall changes
3. Support communication with standard sockets
4. Not require changes at communicating applications
5. Not require kernel changes
6. Support various security schemes
7. Not require root privilege to install/run

Slide 6: SGCB architecture
Generic Connection Brokering (GCB), by Sechang Son and Miron Livny
+ Bypass, by Douglas Thain and Miron Livny
+ Security layer for management messages:
  - Trivial security
  - GSI security

Slide 7: GCB use case 1: reversed TCP connection
(Figure: broker, server behind the server firewall, client; time flows down; A marks a GCB management message.)
1. Register me (server to broker, A)
2. I want to connect server (client to broker, A)
3. Connect client (broker to server, A)
The server then connect()s to the client, and data flows over that connection.

Slide 8: GCB use case 2: relayed TCP connection
(Figure: broker, server behind the server firewall, client behind the client firewall; time flows down; A marks a GCB management message.)
1. Register me (server to broker, A)
2. I want to connect server (client to broker, A)
3. Connect me (A)
4. Connect me (A)
Both sides then Connect() outwards to the broker, and data is relayed through the broker.

Slide 9: Firewall holes without GCB
Server firewall: an incoming hole for server-client connections
Client firewall: an outgoing hole for server-client connections

Slide 10: Firewall holes with GCB
Broker firewall: incoming holes for management messages and for server-client connections
Server firewall: outgoing holes only
Client firewall: outgoing holes only

Slide 11: GCB socket SW layer
GCB socket calls (GCB_bind(), GCB_connect(), GCB_accept(), ...) replace the standard socket calls (bind(), connect(), accept(), ...) at server and client applications.
GCB calls do whatever is needed to connect, such as:
- communicate with other entities
- reverse the connection direction
- initiate the standard socket calls

Slide 12: GCB layer: reversed TCP connection
(Figure: client machine, broker machine, server machine; time flows down.)
GCB_socket, GCB_bind, GCB_listen and GCB_accept on the server side; GCB_connect on the client side.
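Slides 7, 11 and 12 describe the reversed connection and the GCB_* calls that hide it from the application. The following Python simulation is an added example, not GCB's own code: a broker, a server and a client on localhost exchange the three management messages of use case 1. The message words, the "OK" acknowledgement and the gcb_* function names are constructed for this example; the point is that the client's gcb_connect() hands the application an ordinary connected socket even though the TCP connection was opened outwards by the server.

```python
import socket, threading
HOST = "127.0.0.1"                # the whole "grid" runs on localhost here

def start_broker():
    # Broker in the DMZ: keeps server registrations, forwards connect requests.
    registered = {}                                   # name -> mgmt socket
    lsock = socket.socket(); lsock.bind((HOST, 0)); lsock.listen(5)
    def serve():
        while True:
            conn, _ = lsock.accept()
            msg = conn.recv(256).decode().split()
            if msg[0] == "REGISTER":                  # 1: "Register me"
                registered[msg[1]] = conn
                conn.sendall(b"OK\n")
            elif msg[0] == "WANT":                    # 2: "I want to connect server"
                # 3: "Connect client", sent over the server's *outgoing* link
                registered[msg[1]].sendall(f"CONNECT {HOST} {msg[2]}\n".encode())
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]

def gcb_server(broker_port, name, handler):
    # Server behind its firewall: register, then connect OUT to each client.
    mgmt = socket.create_connection((HOST, broker_port))
    mgmt.sendall(f"REGISTER {name}\n".encode())
    rf = mgmt.makefile("r")
    if rf.readline().strip() != "OK":
        raise RuntimeError("broker refused registration")
    def loop():
        for line in rf:                               # "CONNECT host port"
            _, host, port = line.split()
            handler(socket.create_connection((host, int(port))))
    threading.Thread(target=loop, daemon=True).start()

def gcb_connect(broker_port, name):
    # Client-side GCB_connect: listen, ask the broker, accept the reversed link.
    with socket.socket() as lsock, socket.create_connection((HOST, broker_port)) as ctrl:
        lsock.bind((HOST, 0)); lsock.listen(1)
        ctrl.sendall(f"WANT {name} {lsock.getsockname()[1]}\n".encode())
        return lsock.accept()[0]                      # an ordinary socket for the app

def echo_handler(sock):
    with sock: sock.sendall(sock.recv(1024))          # echo once, then close

def demo(payload=b"hello across the firewall"):
    bport = start_broker()
    gcb_server(bport, "echo-server", echo_handler)
    with gcb_connect(bport, "echo-server") as s:
        s.sendall(payload)
        return s.recv(1024)
```

Only the broker ever accepts an inbound TCP connection; the server and client sockets are all outgoing, which is exactly the firewall hole layout of slide 10.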

Slide 13: GCB layer: relayed TCP connection
(Figure, time flowing down.)
GCB_socket, GCB_bind, GCB_listen and GCB_accept on the server side; GCB_connect on the client side.

Slide 14: SGCB architecture: Bypass
Applications must call GCB socket functions in order to use GCB. Using Bypass avoids this need.

Slide 15: Bypass
Bypass is a code generator for making C++ interposition agents.
1. The agent squeezes in between the application and the system calls.
2. The application issues a system call, e.g. accept().
3. The agent intercepts it and runs agent code, e.g. GCB_accept().
4. The agent code, for example, calls connect().

Slide 16: Bypassing GCB
(Figure, time flowing down: client and server applications, the Bypass agent, GCB and the broker.)
The client and server applications call socket, bind, listen, accept and connect as usual; the agent maps them to GCB_socket, GCB_bind, GCB_listen, GCB_accept and GCB_connect, which communicate with the broker.
The Bypass agent implements GCB seamlessly for applications.

Slide 17: SGCB architecture: security
GCB management messages are not secure; the SGCB security layer adds security.

Slide 18: GCB: no management message security
Sequence between Server/Client and Broker, time flowing down:
Connect / Accept
Data

Slide 19: SGCB security scheme 1: trivial security
Applicable to management messages. Sequence between Server/Client and Broker, time flowing down:
Connect / Accept
AUTH_assert userid@hostname / AUTH_accept userid@hostname
Data

Slide 20: SGCB security scheme 2: GSI security
Applicable to GCB management messages. Sequence between Server/Client and Broker, time flowing down:
Connect / Accept
AUTH_assert certificate / AUTH_accept certificate
Data, encrypted by the sender and decrypted by the receiver in both directions

Slide 21: Broker location
(Figure: broker incoming, server outgoing, client outgoing; the broker sits in a DMZ.)
A broker has a relaxed security policy, allowing incoming connections.
It is recommended to locate a broker in a DMZ with no other computers.

Slide 22: GCB TCP performance, passing across a private network
Time [msec]              Relayed connection   Reversed connection
Connection avg. time     10                   30
Data (echo) avg. time    110                  20
GCB does not cause a big time penalty.

Slide 23: Evaluation
SGCB does satisfy its requirements; however:
Scalability: the broker is a potential traffic bottleneck. Brokering of up to thousands of machines is yet to be tested.
Robustness: the broker is a single point of failure.
Complexity: adding the SGCB and Bypass SW layers to a grid application adds complexity and causes a debugging challenge.
Experimental: Globus problems with GCB and Bypass.
Applicability: SGCB is relevant for GT2 more than for GT3.

Slide 24: Status
SGCB works with test applications: it creates Bypass'ed connections across firewalls with trivial or GSI security.
SGCB support for Globus is under development.

Slide 25: References
Globus Toolkit Firewall Requirements, Von Welch: http://www-fp.globus.org/security/firewalls/Globus%20Firewall%20Requirements-5.pdf
GCB: Recovering Internet Symmetry in Distributed Computing, Sechang Son and Miron Livny, Computer Science Department, University of Wisconsin: http://www.cs.wisc.edu/condor/doc/CCGRID2003.pdf
Bypass, Douglas Thain and Miron Livny: http://www.cs.wisc.edu/condor/bypass/
SGCB user guide, David Front: www.weizmann.ac.il/~dfront/sgcb.htm
SSH tunnels and Globus (an alternative approach to connecting across firewalls): Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto, HPL-2002-278, October 2nd, 2002: http://www.hpl.hp.com/techreports/2002/HPL-2002-278.pdf