GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion The “Firewall Issues Overview” document.


The “Firewall Issues Overview” document - Document update V1.7 and discussion, GGF 17 - FI-RG

Overview
– Structure of current document
– Firewall Issues Overview - Vers. 1.7
– Next steps
– Questions and discussion

Structure of the document
– Introduction
– Definitions
– Grid applications and their issues with firewalls
– Classification of firewall issues
– Summary
– Appendix: Classification of firewall issues seen from the use cases side

Structure of the document (2)
Definitions
– Firewall
– Classification of firewalls
  – personal firewalls
  – network layer firewalls
  – application layer firewalls
  – application firewalls
  – stateful/stateless firewalls
– Firewall (global definition)
– Network Address Translators
– Application level gateways
– VPN gateways

Structure of the document (3)
GRID APPLICATIONS AND THEIR ISSUES WITH FIREWALLS
– Grid Middleware and Protocols
  – UNICORE - The Seamless GRID Solution
  – Globus
  – Webservices Firewall Issues
– Data Storage and data transfer
  – GridFTP versus the Firewall
  – Impact of dCache deployment
  – Issues in enabling GPFS
– Grid Network Architectures and Protocols
  – The Issue with “Net of Trust” or the “bastion hosts” solution
  – Firewalls and high bandwidth, long distance networks
  – The workflow management system TENT

Selection of applications
– Selection of some commonly deployed grid applications.
– Description of the issues these applications face when dealing with firewalls.
– No intention to include every application used in grid environments; the aim is only to identify and describe a set of representative examples.
– Classification according to their communication behaviour.
– This leads to a good description of the problems that arise because firewalls exist within the communication paths.

Structure of the document (4)
CLASSIFICATION OF FIREWALL ISSUES

Use cases seen so far
– applications which use special single well-known ports
– applications which use control streams to signal their communication behaviour
– applications with a control stream for exchanging control information, but not all information is available in it
– applications with unknown behaviour (e.g. dynamic ports, multiple streams)
– applications which need high-throughput data pipes

Firewall issues on applications seen from the software perspective
Software: port numbers and the number of ports are unknown until the application starts.
Consequence: big holes (many ports) are required if the number of ports and/or the port numbers are unknown; the single-hole case (e.g. HTTP port 80) causes referral problems. Only specific, predetermined applications that use a low number of very well defined ports (well-known ports) can be supported adequately.
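To make the trade-off on this slide concrete (port usage unknown until start-up forces a wide open range, while an application on a few well-known ports can be filtered precisely), here is an added Python example that is not part of the FI-RG document or its slides. It maps constructed application profiles onto the use-case classes from the previous slide, derives the permit rules a plain packet filter would need, and sizes the resulting hole with and without an application level gateway that follows the control stream. All profile names, port numbers and ranges are assumptions made for the example, not the defaults of GridFTP, GPFS or Globus.

```python
"""Added example (not from the FI-RG document): derive the static firewall
hole a grid application needs from its communication profile and size it.
The application profiles below are constructed for illustration; the port
numbers are assumed values, not the real tools' defaults."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, int, int]   # (protocol, first_port, last_port), inclusive


@dataclass
class AppProfile:
    name: str
    protocol: str                                     # "tcp" or "udp"
    fixed_ports: List[int] = field(default_factory=list)   # known before the app starts
    control_port: Optional[int] = None                # control stream, if the app has one
    dynamic_range: Optional[Tuple[int, int]] = None   # data ports chosen only at run time
    control_announces_ports: bool = False             # control stream carries the data ports
    high_throughput: bool = False                     # needs a high-bandwidth data pipe


def classify(p: AppProfile) -> List[str]:
    """Map a profile onto the use-case classes listed in the slides."""
    classes = []
    if p.control_port is None and p.dynamic_range is None:
        classes.append("single well-known port(s)")
    elif p.control_port is not None:
        classes.append("control stream signals communication behaviour"
                       if p.control_announces_ports
                       else "control stream, but not all info available")
    else:
        classes.append("unknown behaviour (dynamic ports / multiple streams)")
    if p.high_throughput:
        classes.append("high throughput data pipe")
    return classes


def static_rules(p: AppProfile) -> List[Rule]:
    """Permit rules a plain packet filter (no application level gateway) must
    carry for the application to work at all. A dynamic range has to be opened
    completely: this is the 'big hole' the slide warns about."""
    rules: List[Rule] = [(p.protocol, port, port) for port in p.fixed_ports]
    if p.control_port is not None:
        rules.append((p.protocol, p.control_port, p.control_port))
    if p.dynamic_range is not None:
        lo, hi = p.dynamic_range
        rules.append((p.protocol, lo, hi))
    return rules


def hole_size(rules: List[Rule]) -> int:
    """Number of destination ports left reachable by a rule set."""
    return sum(hi - lo + 1 for _, lo, hi in rules)


def alg_hole_size(p: AppProfile) -> int:
    """Ports permanently open if an application level gateway reads the control
    stream and pin-holes each announced data port only while it is in use.
    Without a control stream that announces the ports nothing improves."""
    if p.control_port is not None and p.control_announces_ports:
        return len(p.fixed_ports) + 1
    return hole_size(static_rules(p))


# Constructed profiles; every port value here is an assumption for the example.
PROFILES: Dict[str, AppProfile] = {
    "web-portal": AppProfile("web-portal", "tcp", fixed_ports=[443]),
    "gpfs-like": AppProfile("gpfs-like", "tcp", fixed_ports=[1191]),
    "gridftp-like": AppProfile("gridftp-like", "tcp", control_port=2811,
                               dynamic_range=(20000, 25000),
                               control_announces_ports=True, high_throughput=True),
    "partial-control-app": AppProfile("partial-control-app", "tcp", control_port=4000,
                                      dynamic_range=(40000, 40099)),
    "opaque-udp-app": AppProfile("opaque-udp-app", "udp", dynamic_range=(30000, 30999)),
}


def report(profiles: Dict[str, AppProfile] = PROFILES) -> Dict[str, Tuple[int, int]]:
    """(static hole, hole with an ALG) per application."""
    return {name: (hole_size(static_rules(p)), alg_hole_size(p))
            for name, p in profiles.items()}


if __name__ == "__main__":
    sizes = report()
    for name, p in PROFILES.items():
        static, with_alg = sizes[name]
        print(f"{name:20} {', '.join(classify(p)):70} "
              f"static hole={static:5}  with ALG={with_alg}")
```

The "with ALG" figure is the lever the application level gateway listed under Definitions offers: a gateway that understands the control stream keeps only the control port permanently open and pin-holes data ports on demand, whereas an application whose ports are neither fixed nor announced leaves the whole range open no matter what the firewall does.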

Firewall issues on hardware
Hardware:
– An unknown number and kind of firewalls are located within the routing path.
– High-performance data streams across long connections need enough buffer space and switching capacity.
– Firewalls able to deal with multiple wavelengths on a single fiber have not been developed so far.
– Even if these wavelengths have been split onto individual fibers by DWDM equipment, current firewalls are not able to deal with 16, 32 or 64 links of 10 Gb/s each.

Firewall issues on the network
Network:
– Grid hardware resources running certain applications cannot be placed inside the DMZ.
– Sometimes applications must pass through more than 2 DMZs.
– But putting grid applications inside the DMZ may sometimes be unavoidable.
– Firewalls, when involved in bypass connections, must perform elaborate routing functions.

Firewall issues on security policies
Security Policy:
– Firewalls may not be aware of how many different applications use the same port.
– Firewalls may not be aware of the number of ports that are actually required vs. configured.
– Firewalls may need to open up ports for certain applications.
– Firewalls may not have enough information to authorize complex grid applications.
– Firewalls must not only protect against evil coming from the public network, but also prevent the public network from being abused.
– Firewalls may not be able to extend the security context between two applications.
– Firewalls may not be aware whether a connecting host is actually trusted.
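Two of these policy points (the firewall does not know how many ports are really required versus configured, nor whether a connecting host is trusted) are things an operator can at least measure after the fact. The following Python script is an added example, not part of the FI-RG document: it parses accepted-connection records in an assumed, constructed log format, compares each configured permit rule with the ports and sources actually observed, and proposes a tightened rule set. The rule set, the trusted-host list and the log lines are constructed sample data.

```python
"""Added example (not from the FI-RG document): audit a firewall's permit
rules against the connections actually seen, to expose the gap between the
ports configured and the ports required, and sources outside the trusted
set. Rules, trusted hosts and log lines are constructed for illustration."""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int]      # (protocol, first_port, last_port), inclusive
Hit = Tuple[str, str, int]       # (protocol, source address, destination port)

# Assumed log format for the example (not any particular firewall's format):
#   <timestamp> ACCEPT <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^\S+ ACCEPT (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_log(lines: List[str]) -> List[Hit]:
    """Return one hit per accepted connection; lines of any other shape
    (drops, malformed text) are skipped rather than guessed at."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits.append((m["proto"], m["src"], int(m["dport"])))
    return hits


def audit(rules: List[Rule], hits: List[Hit], trusted: Set[str]) -> Dict[Rule, Dict[str, object]]:
    """Per rule: ports configured, ports actually used, ports never used,
    and source addresses that are not in the trusted set."""
    result: Dict[Rule, Dict[str, object]] = {}
    for proto, lo, hi in rules:
        matched = [(src, dport) for p, src, dport in hits if p == proto and lo <= dport <= hi]
        used_ports = {dport for _, dport in matched}
        result[(proto, lo, hi)] = {
            "configured": hi - lo + 1,
            "required": len(used_ports),
            "never_used": hi - lo + 1 - len(used_ports),
            "untrusted_sources": sorted({src for src, _ in matched if src not in trusted}),
        }
    return result


def tighten(rules: List[Rule], hits: List[Hit]) -> List[Rule]:
    """Propose replacement rules that cover only the ports seen in use;
    rules that saw no traffic at all are dropped from the proposal."""
    tightened: List[Rule] = []
    for proto, lo, hi in rules:
        used = sorted({dport for p, _, dport in hits if p == proto and lo <= dport <= hi})
        tightened.extend((proto, dport, dport) for dport in used)
    return tightened


# Constructed sample data (addresses from documentation ranges, ports assumed).
RULES: List[Rule] = [("tcp", 2811, 2811), ("tcp", 20000, 20099), ("tcp", 1191, 1191)]
TRUSTED: Set[str] = {"10.0.0.5", "10.0.0.6"}
LOG_LINES = [
    "2006-05-11T10:00:01 ACCEPT tcp 10.0.0.5:44321 -> 192.0.2.10:2811",
    "2006-05-11T10:00:02 ACCEPT tcp 10.0.0.5:44322 -> 192.0.2.10:20003",
    "2006-05-11T10:00:02 ACCEPT tcp 10.0.0.5:44323 -> 192.0.2.10:20004",
    "2006-05-11T10:00:09 ACCEPT tcp 198.51.100.7:5100 -> 192.0.2.10:20010",
    "2006-05-11T10:00:10 DROP tcp 198.51.100.7:5101 -> 192.0.2.10:22",  # not an ACCEPT
    "malformed line",                                                    # skipped
]

if __name__ == "__main__":
    observed = parse_log(LOG_LINES)
    for rule, info in audit(RULES, observed, TRUSTED).items():
        print(rule, info)
    print("proposed rules:", tighten(RULES, observed))
```

A port that was quiet during the observed window is not necessarily unneeded: as the software slide says, ports are only known once the application starts, so the proposed rules are a starting point for review together with the application owners, not something to apply automatically.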

Structure of the document (5)
APPENDIX: CLASSIFICATION OF FIREWALL ISSUES SEEN FROM THE USE CASES SIDE

Classification of GPFS
Name: GPFS
Description: The General Parallel File System is a high-performance shared-disk file system. It provides fast, reliable data access from all nodes in a homogeneous or heterogeneous cluster running an AIX or Linux operating system. GPFS allows parallel applications simultaneous access to one file or a set of files from any node that has the GPFS file system mounted, using parallel streams for a single file transfer.
Severity (columns Software, Hardware, Network, Security Policy): Low, Middle
Elements in communication path: Any kind of firewalls between the communicating entities.
Own software: No. Software developed by IBM.
Hardware: No hardware restrictions.
Network: Communication is done via normal communication paths (site network – provider network – site network).
Security Policy: The protocol uses a fixed, configurable TCP port. Disadvantage: communication, including data, is unencrypted.
Ports used: GPFS TCP port is configurable
Protocol used: TCP

Classification of high bandwidth, long distance interconnects
Name: Firewalls and high bandwidth, long distance networks
Description: This use case describes a setup that allows the creation of (optical) bypass connections spanning long distances, which need to be connected via a firewall.
Severity (Software / Hardware / Network / Security Policy): Low / High / Middle / High
Elements in communication path: Enterprise and public firewalls at both ends of a connection. The enterprise firewall connects both to the DMZ and to an optical bypass connection.
Own software: Yes and no. GridFTP or any other data mover may be used; the requirements are independent of it.
Hardware: Switching performance and buffer space are critical on the enterprise side of the firewall. Buffers should be able to hold the bandwidth-delay product of a long-haul connection. Performance should be in the multi-Gb/s range.
Network: The enterprise firewall may be involved in driving the request for a bypass connection, when it detects ARP requests for private address space or handles application-specific signals using some protocol.
Security Policy: 1. Requests from an application to access the optical bypass should be authorized. The firewall should call out to obtain such authorizations, or be provisioned with information that recognises an access request. 2. Security policies should prevent high-bandwidth traffic and traffic not conformant to the TCP transmission protocol from leaking into the regular Internet.
Ports used: Globus port range or others
Protocol used: TCP and UDP in various flavours

Next steps
– Improve current draft document → any longer?
– Add missing parts → Are there any?
– Get document public → Time horizon: GGF18
– Start a new document dealing with solutions → Already started!! Get involved!!

Questions and discussion