9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 1

Globus Perspective on

“Network Hurdles”

Panel: Firewall and high-performance networking needs

Workshop on Operational Security for the Grid GGF12 - Brussels - Sept. 20, 2004

Frank Siebenlist

Globus Alliance, Argonne National Lab.

franks@mcs.anl.gov

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 2

Outline

• What is the purpose of firewalls…?

• End-to-end Security

• Firewalls should be filters…

• Application-level routers

• The need to blow real holes…

• Futures & Conclusions

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 3

So, why do we have firewalls?

• Because site/corporate policy dictates…

• Because we can’t provide end-to-end policy enforcement

• Because we mistakenly believe that all the bad guys/bots are “outside”

• Because it makes some sleep better at night…

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 4

RequesterDomain

Service ProviderDomain

End-to-End Security        

Requester

ServiceProvider

polic

y

en

forc

em

en

t

polic

y

en

forc

em

en

t

Enforce service provider’s domain policy as close to resource as possible

Enforce requester’s domain policy as close to requester as possible

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 5

Holy Grail: End-to End Security on Application Level

• Policy commonly expressed on semantic level of the application (or higher)

• Mismatch of semantic level results in less optimal security enforcement

• ip-level firewalls only provide course-grained policy enforcement

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 6

Multiple Policy Enforcement Points

• Use firewall as course grained filter– Front door of apartment building analogy

• Prevents some bad guys/bots to come through• Still need for end-to-end policy enforcement• Requester maintains a separate security context

with each PEP• Requester-ServiceProvider context “tunneled”

thru intermediates• Need for security protocol support, describing

allowed routes and ability to express policy per PEP

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 7

RequesterDomain

Service ProviderDomain

Multiple Policy Enforcement Points

Fire

wall

polic

y e

nfo

rcem

en

t

Req

ueste

r

polic

y

en

forc

em

en

t

Serv

ice P

rovid

er

polic

y

en

forc

em

en

t

Application level enforcement

Firewalls “filter”often on lower protocol-level

Fire

wall

polic

y e

nfo

rcem

en

t

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 8

Requirements to blow real holes

• WS-SOAP may not be the “best” and most “efficient” protocol for all applications…– …hopefully this sounds cynically enough…

• Bulk data transfers have their own optimized low-level protocols– GridFtp, Lambda, SRB, etc.

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 9

RequesterDomain

Service ProviderDomain

Multiple Protocol StackPolicy Enforcement Points

Fire

wall

Ap

p le

vel

polic

y

en

forc

em

en

tFire

wall

Ip-le

vel

polic

y

en

forc

em

en

t

Fire

wall

Ap

p le

vel

polic

y

en

forc

em

en

tFire

wall

Ip-le

vel

polic

y

en

forc

em

en

t

Req

ueste

r

polic

y

en

forc

em

en

t

Serv

ice P

rovid

er

polic

y

en

forc

em

en

t

Control channel on ws-protocol level

Dynamically manage lower-level protocol access policy

Bulk data transfer

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 10

NATs and protocol domains

• NATs are nasty hurdles screwing up network resolution and reachability

• Request can move through different protocol domains– http/soap=>MQ/soap, inet=>unix-sockets

• Need ability to describe the route through the gateways

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 11

RequesterDomain

Service ProviderDomain

NATs and Protocol DomainsR

eq

ueste

r S

erv

ice P

rovid

er

Resource interprocess communicationover loopback or unix-sockets

Private networksUnreachable and unresolvable

NA

TG

ate

way

NA

TG

ate

way

Pro

tocol g

ate

way

Requester cannot reach and resolve service provider’s EPRNeed series of EPRs that describe a “ws-route”

Different policy for each route-point pair

9/20/04 franks@mcs.anl.gov GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 12

Future & Conclusions• Need application-level

firewall/routers/(reverse-)proxies• Need Web-Service firewalls/routers

– Also for NATs…

• Need ability to specify the route– EPRs for separate legs– Security context has to be tunneled thru intermediates

• Need controlled ways to blow holes in firewall thru dynamic policy management

• No emerging standards in sight yet…– … but “they” must be working on this…

• Unclear whether we/GGF should try to solve this…