
Automatic verification of SLA for Firewall Configuration in Grid Environments

Gian Luca Volpato, Christian Grimm, Martin Janitschke. Cracow Grid Workshop '08, 15 October 2008.


Presentation Transcript


  1. Automatic verification of SLA for Firewall Configuration in Grid Environments
     Gian Luca Volpato, Christian Grimm, Martin Janitschke
     Gian Luca Volpato - Cracow Grid Workshop '08 - 15 October 2008

  2. Motivation
     Facilitate the integration of new resources into a Grid:
     • Definition of security profiles
     • Certification of firewall setup
     • Monitoring firewall configuration as part of the Service Level Agreements

  3. Summary
     • Firewall configuration issues
     • Classification of middleware components
     • Definition of security profiles
     • SLA extension
     • Tool for automatic verification of firewall configuration
     • Q&A

  4. Integration of new partners
     • Installation of Grid middleware(s)
     • Creation of local user accounts
     • Registration to the information services
     • …
     • ...
     • Configuration of firewall rules
       • If too restrictive → prevent legitimate communications
       • If too loose → allow unauthorized communications

  5. Classification of middleware components
     Four categories of middleware components:
     • Computing frontends
     • Data frontends
     • Interactive nodes
     • Worker nodes
     [Diagram labels: Globus GRAM, LCG/gLite CE, UNICORE NJS, batch system, worker nodes, interactive node, dCache SE, OGSA-DAI]

  6. Communication paths
     Identification of network ports used by each component for incoming connections

  7. Security profiles
     • Minimize the number of connections traversing firewalls
     • Range from basic services to complete set of functionality

  8. SLA extension
     Each site declares which security profile will be implemented.
     Provide a guarantee that communications to/from certain Grid services are allowed, i.e. the firewall is correctly configured.
     Verification:
     • before accepting a site in production
     • periodically for the whole duration of the collaboration

  9. Verification of firewall configuration
     Central service performing periodic verifications:
     • requested ports are accessible
     • all other ports are blocked
     In a further evolution:
     • allow peer-to-peer verification of selected sites
     • triggered on-demand


  11. Summary
     • Firewall configuration issues
     • Classification of middleware components
     • Definition of security profiles
     • SLA extension
     • Tool for automatic verification of firewall configuration
     Q&A
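
The check described on slides 8 and 9 (ports required by a site's declared security profile are reachable, all other checked ports are not) can be sketched as follows. This is an added example, not the authors' tool; the profile names, port numbers, host name and function names are assumptions constructed for illustration.

```python
import socket
from dataclasses import dataclass, field

# Hypothetical profiles: names and port numbers are constructed for this
# example; the slides do not list the real ones.
PROFILES = {"basic": {2119, 2811}, "complete": {2119, 2811, 8443, 9443}}

def tcp_probe(host, port, timeout=2.0):
    """True if host:port accepts a TCP connection from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

@dataclass
class Report:
    site: str
    profile: str
    blocked_required: list = field(default_factory=list)  # too restrictive
    open_undeclared: list = field(default_factory=list)   # too loose

    @property
    def compliant(self):
        return not (self.blocked_required or self.open_undeclared)

def verify_site(site, profile, other_ports, probe=tcp_probe):
    """Check one site: profile ports reachable, other_ports not reachable."""
    if profile not in PROFILES:
        raise ValueError(f"unknown security profile: {profile!r}")
    required = PROFILES[profile]
    report = Report(site, profile)
    for port in sorted(required | set(other_ports)):
        reachable = probe(site, port)
        if port in required and not reachable:
            report.blocked_required.append(port)
        elif port not in required and reachable:
            report.open_undeclared.append(port)
    return report

# Constructed sample: ports reachable at a fictional site, used instead of
# real network probes so the example runs offline.
SAMPLE_REACHABLE = {"ce.site-a.example": {22, 2119}}

def sample_probe(host, port):
    return port in SAMPLE_REACHABLE.get(host, set())

if __name__ == "__main__":
    r = verify_site("ce.site-a.example", "basic", [22, 8443], probe=sample_probe)
    print(r.compliant, r.blocked_required, r.open_undeclared)
```

A failed connection cannot distinguish a firewall block from a service that is not running, so a required port reported as blocked should be confirmed against the state of the service before it is counted as a firewall misconfiguration.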
