120 likes | 198 Views
Globus Perspective on “Network Hurdles” Panel: Firewall and high-performance networking needs Workshop on Operational Security for the Grid GGF12 - Brussels - Sept. 20, 2004. Frank Siebenlist Globus Alliance, Argonne National Lab. franks@mcs.anl.gov. Outline.
E N D
Globus Perspective on “Network Hurdles”Panel: Firewall and high-performance networking needsWorkshop on Operational Security for the Grid GGF12 - Brussels - Sept. 20, 2004 Frank Siebenlist Globus Alliance, Argonne National Lab.franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Outline • What is the purpose of firewalls…? • End-to-end Security • Firewalls should be filters… • Application-level routers • The need to blow real holes… • Futures & Conclusions GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
So, why do we have firewalls? • Because site/corporate policy dictates… • Because we can’t provide end-to-end policy enforcement • Because we mistakenly believe that all the bad guys/bots are “outside” • Because it makes some sleep better at night… GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
End-to-End Security Requester Domain Requester Service Provider Domain policy enforcement Service Provider policy enforcement Enforce requester’s domain policy as close to requester as possible Enforce service provider’s domain policy as close to resource as possible GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Holy Grail: End-to End Security on Application Level • Policy commonly expressed on semantic level of the application (or higher) • Mismatch of semantic level results in less optimal security enforcement • ip-level firewalls only provide course-grained policy enforcement GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Multiple Policy Enforcement Points • Use firewall as course grained filter • Front door of apartment building analogy • Prevents some bad guys/bots to come through • Still need for end-to-end policy enforcement • Requester maintains a separate security context with each PEP • Requester-ServiceProvider context “tunneled” thru intermediates • Need for security protocol support, describing allowed routes and ability to express policy per PEP GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Multiple Policy Enforcement Points Requester Domain Service Provider Domain policy enforcement policy enforcement Requester policy enforcement Firewall Firewall policy enforcement Service Provider Firewalls “filter” often on lower protocol-level Application level enforcement GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Requirements to blow real holes • WS-SOAP may not be the “best” and most “efficient” protocol for all applications… • …hopefully this sounds cynically enough… • Bulk data transfers have their own optimized low-level protocols • GridFtp, Lambda, SRB, etc. GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Multiple Protocol StackPolicy Enforcement Points Requester Domain Control channel on ws-protocol level Service Provider Domain policy enforcement Firewall App level policy enforcement Requester policy enforcement Firewall App level policy enforcement policy enforcement Firewall Ip-level Service Provider policy enforcement Firewall Ip-level Bulk data transfer Dynamically manage lower-level protocol access policy GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
NATs and protocol domains • NATs are nasty hurdles screwing up network resolution and reachability • Request can move through different protocol domains • http/soap=>MQ/soap, inet=>unix-sockets • Need ability to describe the route through the gateways GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
NATs and Protocol Domains Requester Domain Requester cannot reach and resolve service provider’s EPR Need series of EPRs that describe a “ws-route” Different policy for each route-point pair Service Provider Domain Requester NAT Gateway NAT Gateway Service Provider Protocol gateway Private networks Unreachable and unresolvable Resource interprocess communication over loopback or unix-sockets GGF12 - Firewall Panel: Globus Perspective on Network Hurdles
Future & Conclusions • Need application-level firewall/routers/(reverse-)proxies • Need Web-Service firewalls/routers • Also for NATs… • Need ability to specify the route • EPRs for separate legs • Security context has to be tunneled thru intermediates • Need controlled ways to blow holes in firewall thru dynamic policy management • No emerging standards in sight yet… • … but “they” must be working on this… • Unclear whether we/GGF should try to solve this… GGF12 - Firewall Panel: Globus Perspective on Network Hurdles