Dynamic Firewalls and Service Deployment Models for Grid Environments. Gian Luca Volpato, Christian Grimm, RRZN – Leibniz Universität Hannover. Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006.
Dynamic Firewalls and Service Deployment Models for Grid Environments

Gian Luca Volpato, Christian Grimm

RRZN – Leibniz Universität Hannover

Cracow Grid Workshop 2006 (CGW2006), 15th-18th October 2006

Gian Luca Volpato | 16-10-2006 | Slide 2

Regional Computing Centre for Lower Saxony

Overview

Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative On-Demand Opening (CODO)
- Limitations

Globus Toolkit deployment model
- Services at the Resource Provider
- Use of existing computing infrastructure
- Minimal number of connections through the site firewall


Firewall

A firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy. *

Good: it blocks unwanted and malicious traffic.

Bad: it might not be flexible enough to allow seamless execution of Grid applications.

* Wikipedia


Dynamic Firewall

Goal

Protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on-demand.

Current solutions

Signaling protocol to add/remove filtering rules:
- “Off-path”: communication between applications and firewalls
- “In-path”: communication between application peers intercepted by intermediate firewalls


Dyna-Fire & Cooperative On-Demand Opening

One daemon runs on the same host as the firewall to:
- monitor all connection requests
- add/remove filtering rules in the firewall

A connection is allowed when the client request is successfully authenticated and authorized.

Signaling protocol:
- Dyna-Fire ==> messages carried by Port Knocking
- CODO ==> messages carried over an SSL channel

[Figure: Intranet behind the firewall; Client Application with its signaling Library, the Daemon on the firewall host, and the Server Application; numbered steps 1 and 2]


Limitations of dynamic firewalls

- No mechanism to discover automatically the firewalls along the path
- Signaling before connection establishment?
- Static routing table configuration

Dyna-Fire and Port Knocking
- CPU overhead for monitoring of connection attempts
- Exclusive reservation of some ports
- Unidirectional protocol exposed to replay and man-in-the-middle attacks

CODO
- Applications (client and server!) must be recompiled/relinked with a special socket library
- Authorization policy is coarse-grained and not flexible
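The off-path daemon described on the Dyna-Fire/CODO slide, together with the replay weakness named above for a unidirectional signaling protocol, as an added example that is not code from Dyna-Fire, CODO or the authors: a Python simulation of a signaling daemon that authenticates each "open port" request with an HMAC over the client address, port, timestamp and nonce, rejects stale and replayed messages, checks a per-client authorization table, and only then inserts a time-limited allow rule into a simulated rule table. All addresses, ports, shared keys and policy entries are constructed sample values.

```python
"""Simulated off-path dynamic-firewall signaling daemon (added example)."""
import hashlib
import hmac
import time

# Authorization policy: which client may request which ports (constructed).
POLICY = {
    "198.51.100.7": {2811, 8443},   # sample client allowed GridFTP control and GRAM
    "198.51.100.9": {8443},
}
# Per-client shared secrets (constructed sample values for the simulation).
KEYS = {
    "198.51.100.7": b"k7-sample-secret",
    "198.51.100.9": b"k9-sample-secret",
}
MAX_SKEW = 30     # seconds: a request older than this is rejected as stale
RULE_TTL = 300    # seconds: an opened port closes again after this time


def sign(key, client_ip, port, ts, nonce):
    """HMAC-SHA256 over the request fields, so nothing can be altered in transit."""
    msg = f"{client_ip}|{port}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class FirewallDaemon:
    def __init__(self, now=time.time):
        self.now = now
        self.rules = {}         # (client_ip, port) -> expiry time
        self.seen_nonces = {}   # nonce -> timestamp, for replay detection

    def handle(self, req):
        """Process one request dict; return (accepted, reason)."""
        key = KEYS.get(req["client_ip"])
        if key is None:
            return False, "unknown client"
        expected = sign(key, req["client_ip"], req["port"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        now = self.now()
        if abs(now - req["ts"]) > MAX_SKEW:
            return False, "stale"
        if req["nonce"] in self.seen_nonces:
            return False, "replay"          # a captured knock cannot be resent
        self.seen_nonces[req["nonce"]] = req["ts"]
        if req["port"] not in POLICY.get(req["client_ip"], set()):
            return False, "not authorized"
        self.rules[(req["client_ip"], req["port"])] = now + RULE_TTL
        return True, "opened"

    def expire(self):
        """Drop expired rules and nonces that can no longer pass the skew check."""
        now = self.now()
        for k in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[k]
        for n in [n for n, ts in self.seen_nonces.items() if ts + MAX_SKEW < now]:
            del self.seen_nonces[n]

    def is_allowed(self, client_ip, port):
        self.expire()
        return (client_ip, port) in self.rules


def make_request(client_ip, port, ts, nonce):
    """Client side: build and sign a request (constructed message format)."""
    mac = sign(KEYS[client_ip], client_ip, port, ts, nonce)
    return {"client_ip": client_ip, "port": port, "ts": ts, "nonce": nonce, "mac": mac}


def demo():
    """Run a fixed scenario on a controllable clock; returns the verdicts."""
    clock = [1000.0]
    fw = FirewallDaemon(now=lambda: clock[0])
    results = []
    req = make_request("198.51.100.7", 2811, 1000.0, "n1")
    results.append(fw.handle(req))                                          # opened
    results.append(fw.handle(req))                                          # replay
    results.append(fw.handle(make_request("198.51.100.9", 2811, 1000.0, "n2")))  # not authorized
    results.append(fw.handle(make_request("198.51.100.7", 8443, 900.0, "n3")))   # stale
    allowed_now = fw.is_allowed("198.51.100.7", 2811)
    clock[0] += RULE_TTL + 1
    allowed_later = fw.is_allowed("198.51.100.7", 2811)
    return results, allowed_now, allowed_later


if __name__ == "__main__":
    print(demo())
```

The nonce table is the part that port knocking alone lacks: with a timestamp bound by MAX_SKEW the daemon only has to remember nonces for a short window, which keeps the replay cache small while still rejecting a captured knock sequence.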


Deployment model for Globus Toolkit 4

[Figure: DMZ containing Local MDS-Index, GridFTP Server, RFT Server, GRAM Server and User Interface; Intranet containing Batch System Master and Batch System Nodes]

Constraints
- Use existing batch computing resources
- GT4 services must be reachable from the Internet

Goals
- Avoid any connection between hosts in the Intranet and hosts in the external Internet
- Identify, analyze and reduce the connections between hosts in the Intranet and GT services in the DMZ


Batch system

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with the GRAM Server installed on a Batch System Login Node]

Install Globus GRAM on a host that can submit jobs to the Batch System

Either:
- Enable a shared file system between this node and the Batch System, or
- Modify GRAM scripts in order to use Batch System functions for file stage-in and file stage-out


GridFTP option 1

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with the GridFTP Server]

GridFTP server and Batch System have a shared file system

Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server

Output files are stored in the local GridFTP server


GridFTP option 2

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with the GridFTP Server]

Batch System nodes have direct access to the local GridFTP server

Input files are transferred to the local GridFTP server before jobs are submitted to the local GRAM server

Output files are uploaded to the local GridFTP server


Reliable File Transfer

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch System Login Node, and the GridFTP Server]

RFT server is installed on the same host where the GRAM server runs

Connections are established:
- within the DMZ
- between the DMZ and the external Internet


MDS

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server and Local MDS-Index]

Deploy one MDS-Index that collects monitoring information from all local GRAM and RFT servers (in future also GridFTP servers)

Connections are established:
- within the DMZ
- between the DMZ and the external Internet
- between the Batch System Master and the GRAM server (Ganglia, Nagios, etc.)


User Interface

[Figure: Intranet with Batch System Master and Batch System Nodes; DMZ with GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server, Local MDS-Index and User Interface]

The User Interface is used to submit/monitor/manage Grid jobs

Connections are established:
- within the DMZ
- between the DMZ and the external Internet


Full model

[Figure: full model. Intranet with Batch System Master and Batch System Nodes; DMZ with User Interface, GRAM Server and RFT Server on the Batch System Login Node, GridFTP Server and Local MDS-Index; Shared File System between DMZ and Intranet. Connection legend: GRAM, RFT, Batch System, User Interface, MDS, GridFTP]
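The connection analysis that the deployment slides call for (no Intranet-to-Internet connection; identify and minimise Intranet-to-DMZ connections), as an added example that is not the authors' configuration: a Python model assigning hypothetical host names to the three zones and listing the flows the per-service slides describe, plus a check that flags any flow crossing directly between Intranet and Internet and reports the flows each firewall must carry. The host names, the User Interface to GRAM flow and the grouping of flows are a constructed reading of the slides.

```python
"""Zone and connection-matrix check for the GT4 deployment model (added example)."""
from collections import defaultdict

# Hypothetical host names mapped to the three zones shown on the slides.
ZONES = {
    "grid-client": "Internet",
    "gram": "DMZ",              # GRAM server, installed on a Batch System login node
    "rft": "DMZ",               # RFT server, same host as GRAM
    "gridftp": "DMZ",
    "mds-index": "DMZ",
    "ui": "DMZ",                # User Interface for job submission/monitoring
    "batch-master": "Intranet",
    "batch-node": "Intranet",
}

# (source, destination, purpose) flows, following the per-service slides.
FLOWS = [
    ("grid-client", "gram", "job submission"),
    ("grid-client", "gridftp", "file transfer"),
    ("grid-client", "mds-index", "information query"),
    ("ui", "gram", "job submission from the User Interface"),
    ("rft", "gridftp", "third-party transfer control"),
    ("gram", "mds-index", "monitoring information"),
    ("rft", "mds-index", "monitoring information"),
    ("gram", "batch-master", "batch job submission"),
    ("batch-master", "gram", "monitoring (Ganglia, Nagios, etc.)"),
    ("batch-node", "gridftp", "output upload (GridFTP option 2)"),
]


def group_by_zone_pair(flows, zones):
    """Bucket flows by the unordered pair of zones they connect."""
    by_pair = defaultdict(list)
    for src, dst, purpose in flows:
        pair = tuple(sorted((zones[src], zones[dst])))
        by_pair[pair].append((src, dst, purpose))
    return by_pair


def check_model(flows=FLOWS, zones=ZONES):
    """Apply the slides' goal and return what each boundary has to carry."""
    by_pair = group_by_zone_pair(flows, zones)
    forbidden = by_pair.get(("Internet", "Intranet"), [])
    return {
        "ok": not forbidden,                       # no direct Intranet<->Internet flow
        "forbidden": forbidden,
        "site_firewall": by_pair.get(("DMZ", "Intranet"), []),
        "perimeter_firewall": by_pair.get(("DMZ", "Internet"), []),
        "inside_dmz": by_pair.get(("DMZ", "DMZ"), []),
    }


if __name__ == "__main__":
    result = check_model()
    print("policy ok:", result["ok"])
    for src, dst, purpose in result["site_firewall"]:
        print(f"site firewall must allow {src} -> {dst} ({purpose})")
```

Running the check on the listed flows reports three connections through the site firewall (GRAM to and from the Batch System Master, and the node-to-GridFTP upload of option 2); choosing GridFTP option 1 with a shared file system removes the third, which is the kind of reduction the slides' goal asks for.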


Summary

Dynamic Firewall
- General concepts
- Dyna-Fire
- Cooperative On-Demand Opening (CODO)
- Limitations

Globus Toolkit deployment model
- GT4 services in the DMZ
- Use of existing computing infrastructure
- Minimal number of connections through the firewall


Thank you!

Questions?
