9/20/04 [email protected] ggf12 - firewall panel: globus perspective on network hurdles1 globus...
TRANSCRIPT
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 1
Globus Perspective on
“Network Hurdles”
Panel: Firewall and high-performance networking needs
Workshop on Operational Security for the Grid GGF12 - Brussels - Sept. 20, 2004
Frank Siebenlist
Globus Alliance, Argonne National Lab.
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 2
Outline
• What is the purpose of firewalls…?
• End-to-end Security
• Firewalls should be filters…
• Application-level routers
• The need to blow real holes…
• Futures & Conclusions
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 3
So, why do we have firewalls?
• Because site/corporate policy dictates…
• Because we can’t provide end-to-end policy enforcement
• Because we mistakenly believe that all the bad guys/bots are “outside”
• Because it makes some sleep better at night…
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 4
RequesterDomain
Service ProviderDomain
End-to-End Security
Requester
ServiceProvider
polic
y
en
forc
em
en
t
polic
y
en
forc
em
en
t
Enforce service provider’s domain policy as close to resource as possible
Enforce requester’s domain policy as close to requester as possible
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 5
Holy Grail: End-to End Security on Application Level
• Policy commonly expressed on semantic level of the application (or higher)
• Mismatch of semantic level results in less optimal security enforcement
• ip-level firewalls only provide course-grained policy enforcement
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 6
Multiple Policy Enforcement Points
• Use firewall as course grained filter– Front door of apartment building analogy
• Prevents some bad guys/bots to come through• Still need for end-to-end policy enforcement• Requester maintains a separate security context
with each PEP• Requester-ServiceProvider context “tunneled”
thru intermediates• Need for security protocol support, describing
allowed routes and ability to express policy per PEP
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 7
RequesterDomain
Service ProviderDomain
Multiple Policy Enforcement Points
Fire
wall
polic
y e
nfo
rcem
en
t
Req
ueste
r
polic
y
en
forc
em
en
t
Serv
ice P
rovid
er
polic
y
en
forc
em
en
t
Application level enforcement
Firewalls “filter”often on lower protocol-level
Fire
wall
polic
y e
nfo
rcem
en
t
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 8
Requirements to blow real holes
• WS-SOAP may not be the “best” and most “efficient” protocol for all applications…– …hopefully this sounds cynically enough…
• Bulk data transfers have their own optimized low-level protocols– GridFtp, Lambda, SRB, etc.
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 9
RequesterDomain
Service ProviderDomain
Multiple Protocol StackPolicy Enforcement Points
Fire
wall
Ap
p le
vel
polic
y
en
forc
em
en
tFire
wall
Ip-le
vel
polic
y
en
forc
em
en
t
Fire
wall
Ap
p le
vel
polic
y
en
forc
em
en
tFire
wall
Ip-le
vel
polic
y
en
forc
em
en
t
Req
ueste
r
polic
y
en
forc
em
en
t
Serv
ice P
rovid
er
polic
y
en
forc
em
en
t
Control channel on ws-protocol level
Dynamically manage lower-level protocol access policy
Bulk data transfer
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 10
NATs and protocol domains
• NATs are nasty hurdles screwing up network resolution and reachability
• Request can move through different protocol domains– http/soap=>MQ/soap, inet=>unix-sockets
• Need ability to describe the route through the gateways
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 11
RequesterDomain
Service ProviderDomain
NATs and Protocol DomainsR
eq
ueste
r S
erv
ice P
rovid
er
Resource interprocess communicationover loopback or unix-sockets
Private networksUnreachable and unresolvable
NA
TG
ate
way
NA
TG
ate
way
Pro
tocol g
ate
way
Requester cannot reach and resolve service provider’s EPRNeed series of EPRs that describe a “ws-route”
Different policy for each route-point pair
9/20/04 [email protected] GGF12 - Firewall Panel: Globus Perspective on Network Hurdles 12
Future & Conclusions• Need application-level
firewall/routers/(reverse-)proxies• Need Web-Service firewalls/routers
– Also for NATs…
• Need ability to specify the route– EPRs for separate legs– Security context has to be tunneled thru intermediates
• Need controlled ways to blow holes in firewall thru dynamic policy management
• No emerging standards in sight yet…– … but “they” must be working on this…
• Unclear whether we/GGF should try to solve this…