Sonny (Sechang) Son Computer Sciences Department University of Wisconsin-Madison Dealing with Internet Connectivity in Distributed.

Presentation transcript:

Sonny (Sechang) Son Computer Sciences Department University of Wisconsin-Madison Dealing with Internet Connectivity in Distributed Computing

2 Firewalls & Private Networks
› Firewalls
  - provide a cheap and good way to protect networks
  - are becoming the headquarters of integrated security systems
› Private networks
  - A solution to the IPv4 address shortage problem
  - Easy network management and easy address planning
› We have many firewalls and private networks deployed and will continue to have them in the future

3 Problems
› Non-universal connectivity
› Asymmetric connectivity
› Collaboration becomes difficult or impossible
› Resources are wasted

4 Agenda
› Introduction
› DPF (Dynamic Port Forwarding)
› GCB (Generic Connection Brokering)
› eGCB (extended GCB)
› Conclusion

5 Dynamic Port Forwarding
[Diagram: Client with socket A; NAT with DPF agent; Server app with DPF lib and socket B; X is the address returned for B]
Server app: B = socket(); bind(B, ANY); getsockname(B, X);
Messages: BIND (B); X
Client: A = socket(); connect(A, X);

6 DPF
› Basic Idea: On-demand open/close
› Supporting Environments
  - Headnode: Linux NAT box
  - DPFnized private application
  - Regular public application

7 DPF
› DPF can be used with any firewall that allows you to control opening/closing through the following APIs:
  - open (local, remote, sec)
  - timeout (sec), where sec may be 0 to close the opening
  - list
› Conforms to the MIDCOM specification at the semantic level

8 GCB: socket registration
[Diagram: Server with GCB lib and socket B; Broker; Client with GCB lib and socket A; X is the address returned for B]
Server: B = socket(); bind(B, ANY); getsockname(B, X)
Messages: BIND (B); X

9 GCB: passive connection
[Diagram: Server with GCB lib and socket B; Broker; Client with GCB lib and socket A]
Client: connect(A, X)
Messages: CONNECT (X); PASSIVE; CONTACT (A)

10 GCB: relay connection
[Diagram: Server with GCB lib and socket B; Broker with addresses X and Y; Client with GCB lib and socket A]
Client: connect(A, X)
Messages: CONNECT (X); ACTIVE (X); CONTACT (Y)

11 GCB
› Basic Idea: reversing the direction underneath the application
› Supporting Environments
  - No requirements on firewalls
  - Outbound connections are allowed
  - Broker is placed either on the edge or outside of the private network
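
The exchange on the three GCB slides above (socket registration, passive connection, relay connection), modeled in Python as an added example; it is not code from the slides or from Condor's GCB. The message names BIND, CONNECT, PASSIVE, ACTIVE and CONTACT are from the slides; which side receives each message is a reading of the diagrams, and the `Broker` class, the `client_accepts_inbound` flag, and all host names, addresses and ports are constructed.

```python
from itertools import count

class Broker:
    """Toy GCB broker (model only, no real sockets)."""

    def __init__(self, host="broker.example"):   # constructed host name
        self.host = host
        self._ports = count(9000)                # constructed port range
        self.registry = {}                       # brokered address X -> server's real address

    def bind(self, server_addr):
        """BIND(B): register the server socket, return the address X it advertises."""
        x = (self.host, next(self._ports))
        self.registry[x] = server_addr
        return x

    def connect(self, client_addr, x, client_accepts_inbound):
        """CONNECT(X): decide the method and the message sent to each side."""
        if x not in self.registry:
            raise KeyError(f"{x} was never registered with this broker")
        if client_accepts_inbound:
            # Passive connection: the client waits and the server dials A,
            # so the direction is reversed underneath the application.
            return {"method": "passive", "to_client": ("PASSIVE",),
                    "to_server": ("CONTACT", client_addr)}
        # Relay connection: both sides dial out to the broker (client to X,
        # server to a fresh address Y) and the broker copies bytes between them.
        y = (self.host, next(self._ports))
        return {"method": "relay", "to_client": ("ACTIVE", x),
                "to_server": ("CONTACT", y)}


def dials(plan):
    """List (initiator, destination) for every TCP connection the plan opens."""
    out = [("server", plan["to_server"][1])]
    if plan["to_client"][0] == "ACTIVE":
        out.append(("client", plan["to_client"][1]))
    return out


def demo():
    broker = Broker()
    server = ("10.0.0.5", 4000)                  # constructed private address
    x = broker.bind(server)
    public = broker.connect(("198.51.100.7", 5000), x, client_accepts_inbound=True)
    private = broker.connect(("192.168.1.9", 5000), x, client_accepts_inbound=False)
    # In neither plan does anyone dial the server's private address.
    inbound = [d for p in (public, private) for d in dials(p) if d[1] == server]
    return x, public, private, inbound
```

In both plans the server only opens outbound connections, which is why slide 11 can list "outbound connections are allowed" as the only environmental condition.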

12 eGCB (extended GCB)
› Support for multiple connection mechanisms
  - Integration of DPF & GCB
› Security to protect the Broker
› Extension to DPF
  - On-demand open/close for outbound connections

13 Support for Multiple Methods
[Diagram: a submit site and several execution sites, with links labeled:]
  - direct connection
  - communication via a punched hole
  - reversed connection
  - communication via relay

14 Connection Setup
[Diagram: inagent, outagent, listener, connector, F/W]
1) registration
2) open for outbound
3) negotiation
4) connection setup

15 Conclusions
› DPF requires administrative and technical control on headnodes, but it is fast and scalable
› GCB is a little slower than DPF but requires no control on headnodes
› The combination of DPF and GCB supports a wider range of network settings than any other system
› GCB and eGCB are generic mechanisms and can be used with any application

16 Thank you! Sonny (Sechang) Son Rm# 3387

17 Ways to handle
› Manual opening
  - Same effect as not having a firewall for the range of addresses
  - Impossible for the administrator to know how many addresses must be opened and for how long
› Deceiving firewalls
  - War between firewalls and ‘firewall-friendly’ software
› We need a cooperative way!

18 Security Enforcement
[Diagram: inagent, outagent, listener, connector, F/W; labels: Sec. Req., Security Enforcement]