Globus Perspective on “Network Hurdles”

Panel: Firewall and high-performance networking needs

Workshop on Operational Security for the Grid
GGF12 - Brussels - Sept. 20, 2004

Frank Siebenlist
Globus Alliance, Argonne National Lab.
franks@mcs.anl.gov

9/20/04 franks@mcs.anl.gov

GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 1

Outline

• What is the purpose of firewalls…?
• End-to-end Security
• Firewalls should be filters…
• Application-level routers
• The need to blow real holes…
• Futures & Conclusions






So, why do we have firewalls?

• Because site/corporate policy dictates…
• Because we can’t provide end-to-end policy enforcement
• Because we mistakenly believe that all the bad guys/bots are “outside”
• Because it makes some sleep better at night…


End-to-End Security

[Figure: Requester Domain with the Requester and its policy enforcement point; Service Provider Domain with the Service Provider and its policy enforcement point; one end-to-end request path between them.]

Enforce requester’s domain policy as close to the requester as possible.
Enforce service provider’s domain policy as close to the resource as possible.


Holy Grail: End-to-End Security on Application Level

• Policy is commonly expressed on the semantic level of the application (or higher)
• A mismatch of semantic level results in less optimal security enforcement
• IP-level firewalls only provide coarse-grained policy enforcement (addresses and ports, not subjects and operations)


Multiple Policy Enforcement Points

• Use the firewall as a coarse-grained filter
  – Front door of apartment building analogy
  • Prevents some bad guys/bots from coming through
  • Still need end-to-end policy enforcement
• Requester maintains a separate security context with each PEP
• Requester-ServiceProvider context “tunneled” through intermediates
• Need security protocol support for describing allowed routes and for expressing policy per PEP


Multiple Policy Enforcement Points

[Figure: Requester Domain: Requester (policy enforcement) -> Firewall (policy enforcement); Service Provider Domain: Firewall (policy enforcement) -> Service Provider (policy enforcement).]

Firewalls “filter”, often on a lower protocol level.
The service provider enforces on the application level.


Requirements to blow real holes

• WS-SOAP may not be the “best” and most “efficient” protocol for all applications…
  – …hopefully this sounds cynical enough…
• Bulk data transfers have their own optimized low-level protocols
  – GridFTP, Lambda, SRB, etc.






Multiple Protocol Stack Policy Enforcement Points

[Figure: two parallel paths between the Requester Domain and the Service Provider Domain.
Control channel on ws-protocol level: Requester (policy enforcement) -> App-level Firewall (policy enforcement) -> App-level Firewall (policy enforcement) -> Service Provider (policy enforcement).
Bulk data transfer: Requester -> IP-level Firewall (policy enforcement) -> IP-level Firewall (policy enforcement) -> Service Provider.]

Dynamically manage lower-level protocol access policy.
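The “dynamically manage lower-level protocol access policy” point above, as an added example that is not GridFTP, Globus Toolkit or GGF code: the control channel makes the application-level authorization decision (who is asking, from which network, for how long) and only then opens the narrowest possible IP-level hole for the data channel: one peer address, one port, a bounded lifetime that expires by itself. The chain name `grid_data`, the port range, the peer networks, the subject list and the clock values are constructed assumptions, and the nftables rule text is only rendered, never applied.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    subject: str
    peer: ipaddress.IPv4Address   # the only source allowed through the hole
    port: int                     # data-channel port opened on this host
    expires: float                # absolute time after which the hole is gone


class DataChannelPolicy:
    """Site policy bounding what the control channel may open (constructed values)."""
    def __init__(self, port_range=(50000, 51000), max_lease=300.0,
                 peer_networks=("192.0.2.0/24",), authorized=("alice", "bob")):
        self.ports = range(port_range[0], port_range[1] + 1)
        self.max_lease = max_lease
        self.peer_networks = [ipaddress.ip_network(n) for n in peer_networks]
        self.authorized = set(authorized)


class PinholeManager:
    """Opens one narrow IP-level hole per authorized transfer and expires it."""
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock = policy, clock
        self._holes = {}   # port -> Pinhole

    def _expire(self, now):
        for port, hole in list(self._holes.items()):
            if hole.expires <= now:
                del self._holes[port]

    def open(self, subject, peer_ip, lease, now=None):
        now = self.clock() if now is None else now
        self._expire(now)
        # Application-level decision first: subject, origin, requested lifetime.
        if subject not in self.policy.authorized:
            raise PermissionError(f"{subject} is not authorized for data channels")
        peer = ipaddress.ip_address(peer_ip)
        if not any(peer in net for net in self.policy.peer_networks):
            raise PermissionError(f"peer {peer} is outside the permitted networks")
        if lease <= 0:
            raise ValueError("lease must be positive")
        lease = min(lease, self.policy.max_lease)   # clamp to what the site allows
        # Then the IP-level hole: lowest free port in the range, bound to this peer.
        port = next((p for p in self.policy.ports if p not in self._holes), None)
        if port is None:
            raise RuntimeError("data-channel port range exhausted")
        hole = Pinhole(subject, peer, port, now + lease)
        self._holes[port] = hole
        return hole

    def close(self, port):
        """Control channel reports the transfer finished: close early."""
        self._holes.pop(port, None)

    def active(self, now=None):
        now = self.clock() if now is None else now
        self._expire(now)
        return sorted(self._holes.values(), key=lambda h: h.port)

    def nft_rules(self, now=None):
        """Render the active holes as nftables rule lines (text only; the
        chain 'grid_data' in table 'inet filter' is an assumption)."""
        return [f"add rule inet filter grid_data ip saddr {h.peer} tcp dport {h.port} "
                f"ct state new accept comment \"{h.subject} until {h.expires:.0f}\""
                for h in self.active(now)]


def request_data_channel(manager, subject, peer_ip, lease, now):
    """What the WS control channel would call when a transfer is requested.
    Returns ('ok', port) or ('denied', reason) for reporting back to the requester."""
    try:
        hole = manager.open(subject, peer_ip, lease, now)
        return ("ok", hole.port)
    except (PermissionError, ValueError, RuntimeError) as exc:
        return ("denied", str(exc))
```

The order of checks is the point: the application-level PEP decides, and the IP-level rule is derived from that decision rather than configured by hand, so the hole is never wider (any source, whole port range, permanent) than the transfer it serves. A real deployment would also close the hole when the control channel sees the transfer complete, which `close` models.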


NATs and protocol domains

• NATs are nasty hurdles screwing up network resolution and reachability
• A request can move through different protocol domains
  – http/soap => MQ/soap, inet => unix-sockets
• Need ability to describe the route through the gateways
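The per-leg security contexts from the Multiple Policy Enforcement Points slide and the “ws-route” through gateways from the NATs slides, as an added illustration that is not Globus Toolkit or GGF code. Every node name, key and policy entry is a constructed assumption; an HMAC stands in for whatever the per-leg contexts (TLS/GSI, WS-SecureConversation) and the end-to-end context would really provide. The requester holds a separate context with each PEP on the route, the intermediates apply only coarse route-level policy and cannot read or alter the tunneled requester-to-service-provider context undetected, and the service provider is the only PEP that decides on application semantics.

```python
import hmac
import hashlib
import json

# Constructed leg keys: each (src, dst) pair on the route shares a key with that
# PEP. Requester and service provider also share an end-to-end key that the
# intermediate firewalls never see; that is the context being "tunneled".
LEG_KEYS = {
    ("requester", "fw-A"): b"leg-requester-fwA",
    ("fw-A", "fw-B"): b"leg-fwA-fwB",
    ("fw-B", "sp"): b"leg-fwB-sp",
}
E2E_KEY = b"requester-sp-session-key"

# Firewalls enforce coarse route-level policy (who may hand a message to whom);
# the service provider enforces application-level policy (subject, operation).
FIREWALL_POLICY = {
    "fw-A": {"accept_from": {"requester"}, "forward_to": {"fw-B"}},
    "fw-B": {"accept_from": {"fw-A"}, "forward_to": {"sp"}},
}
SP_POLICY = {"alice": {"ReadJobStatus"}, "bob": {"ReadJobStatus", "SubmitJob"}}


def _canon(obj):
    return json.dumps(obj, sort_keys=True).encode()


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _leg_mac(src, dst, envelope):
    return _mac(LEG_KEYS[(src, dst)], f"{src}>{dst}|".encode() + _canon(envelope))


def seal_leg(src, dst, envelope):
    """Wrap the envelope in the hop-by-hop context for the leg src -> dst."""
    if (src, dst) not in LEG_KEYS:
        raise PermissionError(f"{src}: no security context with {dst}")
    return {"src": src, "dst": dst, "envelope": envelope,
            "leg_mac": _leg_mac(src, dst, envelope)}


def build_request(subject, operation, route):
    """Requester: seal the application request end-to-end, then wrap it for the
    first leg of the ws-route (a list of EPRs, here just node names)."""
    e2e = {"subject": subject, "operation": operation}
    envelope = {"route": list(route), "e2e": e2e, "e2e_mac": _mac(E2E_KEY, _canon(e2e))}
    return seal_leg("requester", route[0], envelope)


def _verify_leg(node, msg):
    src, dst, env = msg["src"], msg["dst"], msg["envelope"]
    if dst != node or (src, dst) not in LEG_KEYS:
        raise PermissionError(f"{node}: no leg context for {src}->{dst}")
    if not hmac.compare_digest(_leg_mac(src, dst, env), msg["leg_mac"]):
        raise PermissionError(f"{node}: leg context from {src} failed to verify")
    return src, env


def firewall_forward(node, msg):
    """Intermediate PEP: verify its own leg, check route policy, re-seal the
    unchanged envelope for the next leg. It never needs E2E_KEY."""
    src, env = _verify_leg(node, msg)
    route = env["route"]
    nxt = route[route.index(node) + 1]
    pol = FIREWALL_POLICY[node]
    if src not in pol["accept_from"] or nxt not in pol["forward_to"]:
        raise PermissionError(f"{node}: route {src}->{node}->{nxt} not allowed")
    return seal_leg(node, nxt, env)


def service_provider(node, msg):
    """Final PEP: verify the last leg, then the tunneled end-to-end context,
    then decide on application semantics."""
    _, env = _verify_leg(node, msg)
    e2e = env["e2e"]
    if not hmac.compare_digest(_mac(E2E_KEY, _canon(e2e)), env["e2e_mac"]):
        raise PermissionError(f"{node}: end-to-end context altered in transit")
    if e2e["operation"] not in SP_POLICY.get(e2e["subject"], set()):
        raise PermissionError(f"{node}: {e2e['subject']} may not {e2e['operation']}")
    return f"{e2e['operation']} executed for {e2e['subject']}"


def send(subject, operation, route=("fw-A", "fw-B", "sp"), tamper_at=None):
    """Drive one request along the route. tamper_at=(node, operation) makes that
    intermediate rewrite the tunneled request; it can re-seal its own leg but
    not the end-to-end MAC. Returns the SP result or 'DENIED: reason'."""
    route = list(route)
    try:
        msg = build_request(subject, operation, route)
        for hop in route[:-1]:
            msg = firewall_forward(hop, msg)
            if tamper_at and hop == tamper_at[0]:
                msg["envelope"]["e2e"]["operation"] = tamper_at[1]
                msg = seal_leg(hop, msg["dst"], msg["envelope"])
        return service_provider(route[-1], msg)
    except PermissionError as exc:
        return f"DENIED: {exc}"
```

Two things the slides ask for show up directly: the route is explicit data carried in the envelope, so each PEP can check its own leg against its own policy, and the first denial comes from the coarsest PEP that can decide it (the firewall refuses a route it does not allow before the service provider ever sees the request), while only the service provider can refuse on operation and subject.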








NATs and Protocol Domains

Requester cannot reach and resolve the service provider’s EPR.
Need a series of EPRs that describe a “ws-route”.
Different policy for each route-point pair.

[Figure: Requester Domain: Requester -> Gateway (NAT) -> Gateway (protocol gateway); Service Provider Domain behind NAT and private networks: Service Provider unreachable and unresolvable from the requester; resource interprocess communication over loopback or unix-sockets.]


Future & Conclusions

• Need application-level firewalls/routers/(reverse-)proxies
• Need Web-Service firewalls/routers
  – Also for NATs…
• Need ability to specify the route
  – EPRs for separate legs
  – Security context has to be tunneled through intermediates
• Need controlled ways to blow holes in the firewall through dynamic policy management
• No emerging standards in sight yet…
  – … but “they” must be working on this…
• Unclear whether we/GGF should try to solve this…
