firewall virtualization for grid applications - status update
Oct 26th, 2010, OGF 29, FVGA-WG: Firewall Virtualization for Grid Applications
Firewall Virtualization for Grid Applications - Status update
Group Background
• Firewall Issues Research Group (fi-rg)
  • Clearly documented need
  • GFD.83: Grid apps and their issues with Firewall
  • GFD.142: Requirements and possible solns. Gap Analysis
• FVGA WG
  • Use the FI-RG requirements to create a standard
  • Standardize a set of service definitions for virtualized control of firewalls allowing grid applications to securely and dynamically execute workflows
Proposed Solution
• Make middleware and network resources aware of each other
  • Grid middleware should know about the network in the workflow, but not know details of the communication path
  • Network resources should be opened dynamically
• End-to-end applicability
• Local authorization/authentication
• Independence of the FW vendor/implementation
  • Capabilities may be different
Principle design for FW opening
[Diagram: Client at A, Auth server B, Apps Server D and Client at C, with a firewall (FW) in the path; a control connection carries the numbered messages 1-9, a separate data connection carries the traffic between C and D.]
Messages as labelled on the slide:
• A: "I want a connection from C(1174) to D(7711) and here is my host A certificate"
• Authentication (2): check certificate of A
• Authorization (3 & 4): to D: "There is A and it wants a connection from C to your port 7711." (message includes server certificate of B); reply: "OK service and certificate checked, go on"
• Request firewall to open port (CLI, SNMP, special protocol, whatever); firewall: "done"
• "OK, go on, I am waiting"
• Communication starts on the data connection; after end of data transmission, signal A to close opened ports
• Data connection ended. Close conn. request C(1174) to D(7711). Close control connection
Steps 5 and 6 are needed only if the intermediate firewall cannot read the control connection on the fly.
Group Milestones
• OGF23: Charter discussion and group volunteers
• OGF24: Discussion on requirements to define the standardized service interface for virtualized Firewalls
• OGF25: Draft on Firewall-Virtualization-Service; discussion on Security, AAA and Grid-Security aspects
• OGF26: Firewall Virtualization-Service draft version 2; first draft on Security recommendations (v1) for FVGA
• OGF27: Finalized Firewall Virtualization-Service draft; Security Recommendations v2; two implementations and demonstration; discussion on Best Practices draft
• OGF28: WG-Last-Call for Firewall Virtualization-Service; final version of Security Recommendations; first draft on Best Practices
• OGF 29: WG-Last-Call Security Recommendations; finalize Best Practices draft
• OGF 30: WG-Last-Call Best Practices Draft.
We are still here.
Status of working group
• A Firewall Traversal Protocol (FiTP) has been defined which allows opening of ports on intermediate firewalls.
• In principle this protocol defines the control connection discussed in the previous slides.
• Protocol draft is still under discussion (first discussion in OGF 25, second time in OGF 26)
• Protocol has been forwarded to IETF members for feedback.
  • No IETF group is looking into it
  • Problem not solved according to them
• Possibilities to go forward
  • Further discussion on draft
  • Including feedback from IETF into protocol draft (no feedback yet)
  • Providing two independent implementations (client and server)
  • After refinements: standardization at OGF and IETF
• Timeline: one to two more years of effort
Feedback: Going back to basics
• Is Firewall still an issue with Grid VOs?
  • Is the pain threshold low?
• Is this the right approach? Who should implement this?
• Anyone interested in implementing the protocol?
• Are firewall issues relevant for use of private/public clouds?
  • Use Web Services on port 80?
BACKUP
Goals/Deliverables
• Produce a standardized protocol for an authorized grid application to specify its data-path traversal requirements:
  • Port opening/closing service
  • Requests from within and outside the security domain
• A set of security recommendations surrounding the application interacting with the Firewall service at the control and data plane, including AAA of the service requests
• A best practices document for the network-administrator and a grid-administrator to understand the architecture and security implications of this deployment, including:
  • Deployment scenarios and use-cases
  • Interactions between various Grid components
  • Examples of successful prototype deployments
• The resulting standard, the security recommendations and the best practices document developed by the working-group will enable Grid-Middleware services developers to include a dynamic firewall service into their Grid applications.
WebServices based FW opening: Multiple local, remote and external FWs
[Diagram: Client at A, Auth server B, Apps Server D and Client at C, with three firewalls (FW, FW2, FW3) in the path; the numbered steps 1-9 follow the previous design.]
This part can be solved only if the control connection is unencrypted, i.e. intermediate firewalls can read the datastream of the control connection.
Program flow chart
• Start Program
• TCP/IP three-way handshake
• Authentication: Yes → go on; No → close conn., stop
• Authorization: Yes → go on; No → close conn., stop
• Start Ctrl-Connection with port assignment
• Trigger data conn(s). (data exchange out of scope of protocol definition)
• Wait for close of data conn(s).
• Close Ctrl Conn.
• End Program
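Added example, not from the slides or from the FVGA working group's own code: a Python model of the control connection shown in the "principle design for FW opening" slide and the program flow chart (authenticate A, authorize against D, open one pinhole on the firewall, wait for the data connection to end, close the pinhole and the control connection). The Firewall and AuthServer classes, the certificate and service tables and the log messages are constructed assumptions, not the FiTP wire format.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_host, src_port, dst_host, dst_port)

@dataclass
class Firewall:  # constructed stand-in for the intermediate firewall: a set of pinhole rules
    rules: Set[Flow] = field(default_factory=set)

    def open(self, flow: Flow) -> None: self.rules.add(flow)
    def close(self, flow: Flow) -> None: self.rules.discard(flow)
    def allows(self, flow: Flow) -> bool: return flow in self.rules

@dataclass
class AuthServer:
    """Auth server B: authenticates client A, authorizes against apps server D, drives the FW."""
    trusted_certs: Dict[str, str]              # host -> expected certificate (constructed trust store)
    services: Dict[Tuple[str, int], Set[str]]  # (D, port) -> hosts D accepts a connection for
    fw: Firewall
    log: List[str] = field(default_factory=list)

    def control_session(self, client: str, cert: str, flow: Flow,
                        data_exchange: Callable[[Firewall], bool]) -> bool:
        src, sport, dst, dport = flow
        # Authentication (2): check the certificate of A; on failure close conn. and stop
        if self.trusted_certs.get(client) != cert:
            self.log.append("authentication failed: close conn, stop")
            return False
        # Authorization (3 & 4): D confirms it accepts A's connection from C on dport
        if client not in self.services.get((dst, dport), set()):
            self.log.append("authorization failed: close conn, stop")
            return False
        # Steps 5 and 6: open exactly this flow (only needed when the FW cannot read the control conn.)
        self.fw.open(flow)
        self.log.append(f"firewall opened {src}({sport}) -> {dst}({dport})")
        # Data connection; the data exchange itself is out of scope of the protocol
        ok = data_exchange(self.fw)
        # After end of data transmission: close the opened port, then the control connection
        self.fw.close(flow)
        self.log.append("port closed, control connection closed")
        return ok

def run_session(cert: str, flow: Flow) -> Tuple[bool, bool, List[str]]:
    """One session from the slide; returns (data went through, rule left behind, log)."""
    fw = Firewall()
    b = AuthServer(trusted_certs={"A": "cert-A"}, services={("D", 7711): {"A"}}, fw=fw)
    ok = b.control_session("A", cert, flow, lambda f: f.allows(flow))
    return ok, fw.allows(flow), b.log
```

The data exchange is modelled as succeeding only while the pinhole exists, so the second tuple element checks that no rule outlives the session.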
Questions and discussion