Globus Perspective on “Network Hurdles” Panel: Firewall and high-performance networking needs. Workshop on Operational Security for the Grid, GGF12 - Brussels - Sept. 20, 2004. Frank Siebenlist, Globus Alliance, Argonne National Lab. franks@mcs.anl.gov.
Presentation Transcript


  1. Globus Perspective on “Network Hurdles”
     Panel: Firewall and high-performance networking needs
     Workshop on Operational Security for the Grid, GGF12 - Brussels - Sept. 20, 2004
     Frank Siebenlist, Globus Alliance, Argonne National Lab. franks@mcs.anl.gov
     GGF12 - Firewall Panel: Globus Perspective on Network Hurdles

  2. Outline
     • What is the purpose of firewalls…?
     • End-to-end Security
     • Firewalls should be filters…
     • Application-level routers
     • The need to blow real holes…
     • Futures & Conclusions

  3. So, why do we have firewalls?
     • Because site/corporate policy dictates…
     • Because we can’t provide end-to-end policy enforcement
     • Because we mistakenly believe that all the bad guys/bots are “outside”
     • Because it makes some sleep better at night…

  4. End-to-End Security
     [Diagram: Requester Domain (Requester, policy enforcement) and Service Provider Domain (policy enforcement, Service Provider)]
     • Enforce the requester’s domain policy as close to the requester as possible
     • Enforce the service provider’s domain policy as close to the resource as possible

  5. Holy Grail: End-to-End Security on the Application Level
     • Policy is commonly expressed at the semantic level of the application (or higher)
     • A mismatch of semantic level results in less optimal security enforcement
     • IP-level firewalls only provide coarse-grained policy enforcement

  6. Multiple Policy Enforcement Points
     • Use the firewall as a coarse-grained filter
     • Front door of an apartment building analogy
     • Prevents some bad guys/bots from coming through
     • Still a need for end-to-end policy enforcement
     • Requester maintains a separate security context with each PEP
     • Requester-ServiceProvider context “tunneled” thru intermediates
     • Need for security protocol support, describing allowed routes and the ability to express policy per PEP

  7. Multiple Policy Enforcement Points
     [Diagram: Requester Domain (Requester, policy enforcement, Firewall) and Service Provider Domain (Firewall, policy enforcement, Service Provider)]
     • Firewalls “filter” often on a lower protocol level
     • Application-level enforcement

  8. Requirements to blow real holes
     • WS-SOAP may not be the “best” and most “efficient” protocol for all applications…
     • …hopefully this sounds cynical enough…
     • Bulk data transfers have their own optimized low-level protocols
     • GridFtp, Lambda, SRB, etc.

  9. Multiple Protocol Stack Policy Enforcement Points
     [Diagram: Requester Domain (Requester, policy enforcement, Firewall with app-level policy enforcement, Firewall with IP-level policy enforcement) and Service Provider Domain (Firewall with app-level policy enforcement, Firewall with IP-level policy enforcement, policy enforcement, Service Provider); control channel on the ws-protocol level, bulk data transfer on the IP level]
     • Dynamically manage lower-level protocol access policy
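Slide 9's "dynamically manage lower-level protocol access policy" step, as an added Python model that is not from the slides or from any Globus component: the control channel, after the app-level PEP has authorized the request, opens an IP-level hole for exactly one flow, bound to the authorized subject and to a bounded lifetime, so the firewall returns to deny on its own. Addresses, ports, subject names and lifetimes are constructed sample values.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DataFlow:
    """One bulk-data flow: a single source, destination and port (constructed model)."""
    src: str
    dst: str
    port: int


class DynamicAccessPolicy:
    """IP-level allow list that changes only through the control channel.

    A hole is opened for one concrete flow, recorded against the subject the
    app-level PEP already authorized, and expires by itself; nothing the
    requester does or fails to do can leave it open past max_ttl."""

    def __init__(self, openable_ports, max_ttl):
        self.openable_ports = set(openable_ports)  # ports the site agrees to open at all
        self.max_ttl = max_ttl                      # upper bound on any lease, in seconds
        self.leases = {}                            # DataFlow -> (subject, expiry)

    def open_flow(self, subject, flow, ttl, now):
        """Control-channel request: open a hole for exactly this flow; returns expiry."""
        if flow.port not in self.openable_ports:
            raise PermissionError(f"port {flow.port} is not openable by site policy")
        if not 0 < ttl <= self.max_ttl:
            raise ValueError(f"ttl must be in (0, {self.max_ttl}]")
        # Endpoints must be single addresses: no wildcards or whole subnets.
        ipaddress.ip_address(flow.src)
        ipaddress.ip_address(flow.dst)
        self.leases[flow] = (subject, now + ttl)
        return now + ttl

    def close_flow(self, subject, flow):
        """Only the subject that opened a hole may close it early."""
        owner, _ = self.leases.get(flow, (None, None))
        if owner != subject:
            return False
        del self.leases[flow]
        return True

    def permits(self, src, dst, port, now):
        """Per-packet decision of the IP-level firewall: a lease exists and is unexpired."""
        self.expire(now)
        return DataFlow(src, dst, port) in self.leases

    def expire(self, now):
        """Drop leases whose time is up; run on every decision so expiry needs no timer."""
        self.leases = {f: v for f, v in self.leases.items() if v[1] > now}
```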

  10. NATs and protocol domains
     • NATs are nasty hurdles screwing up network resolution and reachability
     • Requests can move through different protocol domains
     • http/soap => MQ/soap, inet => unix-sockets
     • Need the ability to describe the route through the gateways

  11. NATs and Protocol Domains
     [Diagram: Requester Domain (Requester, NAT Gateway) and Service Provider Domain (NAT Gateway, Protocol gateway, Service Provider, Resource); private networks are unreachable and unresolvable; resource interprocess communication over loopback or unix-sockets]
     • Requester cannot reach and resolve the service provider’s EPR
     • Need a series of EPRs that describe a “ws-route”
     • Different policy for each route-point pair
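An added Python model, not from the slides or the Globus toolkit, of the multi-PEP ws-route from slides 6, 7 and 11: each leg is an EPR with its own policy enforcement point, the firewalls decide only from the leg's endpoint while the requester's subject and operation are tunneled past them, and the app-level PEP at the resource is the only route-point that can judge the operation. Hosts, ports and the policy are constructed sample values.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Hop:
    """One leg of the ws-route: the EPR for this leg and the PEP guarding it."""
    epr: str
    pep: object


class Firewall:
    """Coarse-grained PEP below the application level (IP/transport filter)."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def enforce(self, epr, _context):
        # The requester's subject and operation are tunneled past this hop
        # unseen; only the transport endpoint of the leg can be checked here.
        port = urlparse(epr).port or 443
        return port in self.allowed_ports


class AppPEP:
    """Fine-grained PEP next to the resource: decides on subject and operation."""
    def __init__(self, policy):
        self.policy = set(policy)   # allowed (subject, operation) pairs

    def enforce(self, _epr, context):
        return (context["subject"], context["operation"]) in self.policy


def traverse(route, context):
    """Walk the ws-route leg by leg, stopping at the first PEP that denies.
    context (e.g. {"subject": "alice", "operation": "read"}) is the
    requester/provider security context carried end to end.
    Returns [(epr, decision), ...] so each route-point's verdict is visible."""
    trail = []
    for hop in route:
        decision = hop.pep.enforce(hop.epr, context)
        trail.append((hop.epr, decision))
        if not decision:
            break
    return trail


def example_route():
    """Constructed route (example hosts, not real endpoints): requester-side
    firewall, provider-side firewall, then the provider's application-level PEP."""
    return (
        Hop("https://egress.requester.example:8443/relay", Firewall([8443])),
        Hop("https://gw.provider.example:8443/relay", Firewall([8443])),
        Hop("https://svc.provider.example:8443/resource", AppPEP([("alice", "read")])),
    )
```

Both firewalls pass a "delete" from alice on the allowed port; only the app-level PEP sees the operation and denies it, which is the semantic-level mismatch of slide 5 made concrete.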

  12. Future & Conclusions
     • Need application-level firewalls/routers/(reverse-)proxies
     • Need Web-Service firewalls/routers
     • Also for NATs…
     • Need the ability to specify the route
     • EPRs for separate legs
     • Security context has to be tunneled thru intermediates
     • Need controlled ways to blow holes in the firewall thru dynamic policy management
     • No emerging standards in sight yet…
     • … but “they” must be working on this…
     • Unclear whether we/GGF should try to solve this…
