1 / 12

Firewall Virtualization for Grid Applications - Status update

Firewall Virtualization for Grid Applications - Status update. r.niederberger@fz-juelich.de tmetsch@platform.com imonga@es.net. Group Background. Firewall Issues Research Group (fi-rg) Clearly documented need GFD.83: Grid apps and their issues with Firewall

amable
Download Presentation

Firewall Virtualization for Grid Applications - Status update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Firewall Virtualization for Grid Applications -Status update r.niederberger@fz-juelich.de tmetsch@platform.com imonga@es.net

  2. Group Background • Firewall Issues Research Group (fi-rg) • Clearly documented need • GFD.83: Grid apps and their issues with Firewall • GFD.142: Requirements and possible solns. Gap Analysis • FVGA WG • Use the FI-RG requirements to create a standard • Standardize a set of service definitions for virtualized control of firewalls allowing grid applications to securely and dynamically execute workflows 2

  3. Proposed Solution • Make middleware and network resources aware of each other • Grid middleware should know about network in the workflow, but not know details on communication path • network resources should be opened dynamically • End-to-end applicability • Local authorization/authentication • Independence of the FW vendor/implementation • Capabilities may be different 3

  4. 1 3 9 8 7 6 5 2 4 principle design for FW opening Request firewall to open port CLI, SNMP, special protocol, whatever 5 and 6 are needed only if intermediate firewall cannot read control connection on the fly. FW Authentication (2) Check certificate of A done I want a connection from C(1174) to D(7711) and here is my host A certificate Auth server B Client at A Control connection OK service and certificate checked, go on Message includes server certificate of B There is A and it wants a connection from C to your port 7711. Data Connection ended. Close conn. request C(1174) to D(7711). Close control connection OK, go on, I am waiting Authorization (3 & 4) Data connection Client at C Apps Server D Communication starts After end of data transmission signal A to close opened ports 4

  5. Group Milestones OGF23: Charter discussion and group volunteers OGF24: Discussion on requirements to define the standardized service interface for virtualized Firewalls OGF25: Draft on Firewall-Virtualization-Service Discussion on Security, AAA and Grid-Security aspects OGF26: Firewall Virtualization-Service draft version 2 First draft on Security recommendations (v1) for FVGA OGF27: Finalized Firewall Virtualization-Service draft Security Recommendations v2 Two implementations and demonstration Discussion on Best Practices draft OGF28: WG-Last-Call for Firewall Virtualization-Service Final version of Security Recommendations First draft on Best Practices OGF 29: WG-Last-Call Security Recommendations Finalize Best Practices draft OGF 30: WG-Last-Call Best Practices Draft. We are still here 5

  6. Status of working group • A Firewall Traversal Protocol (FiTP) has been defined which allows opening of ports on intermediate firewalls. • In principle this protocol defines the control connection discussed in the previous slides. • Protocol draft is still under discussion (first discussion in OGF 25, second time in OGF 26) • Protocol has been forwarded to IETF members for feedback. • No IETF group is looking into it • Problem not solved according to them • Go forward Possibilities • Further discussion on draft • Including feedback from IETF into protocol draft (no feedback yet) • Providing two independent implementations (client and server) • After refinements: standardization at OGF and IETF • Timeline: one – two more years of effort 6

  7. Feedback: Going back to basics • Is Firewall still an issue with Grid VOs? • Is the pain threshold low? • Is this the right approach? Who should implement this? • Anyone interested in implementing the protocol? • Are firewall issues relevant for use of private/public clouds? • use Web Services on port 80? 7

  8. backup 8

  9. Goals/Deliverables • Produce a standardized protocol for an authorized grid application to specify its data-path traversal requirements: • Port opening/closing service • Requests from within and outside the security domain • A set of security recommendations surrounding the application interacting with the Firewall service at the control and data plane including AAA of the service requests • A best practices document for the network-administrator and a grid-administrator to understand the architecture and security implications of this deployment including: • Deployment scenarios and use-cases • Interactions between various Grid components • Examples of successful prototype deployments • The resulting standard, the security recommendations and the best practices document developed by the working-group will enable Grid-Middleware services developers to include a dynamic firewall service into their Grid applications. 9

  10. 7 9 6 1 3 2 5 8 3 4 WebServices based FW openingMultiple local, remote and external FWs FW FW Client at A FW Auth server B Client at C Apps Server D This part can be solved only, if control connection is unencrypted, i.e. intermediate firewalls can read datastream of control connection. 10

  11. Program flow chart Start Programm End Programm TCP/IP Three way handshake Close Ctrl Conn. Authentication Yes No Go on Close Conn. Stop Wait for Close of Data Conn(s). Data exchange out of scope of protocol definition Authorization Yes No Go on Close Conn. Stop Trigger Data Conn(s). Start Ctrl-Connection with Port Assignment 11

  12. ! ? ? ? ? ? Questions and discussion ? ? ? ?

More Related