Connecting across Firewalls on the Grid Jeff Tan, David Abramson and Colin Enticott (Monash University, Australia) nA nA nB nB cAcA AA cBcB BB Firewalls restrict the level of collaboration possible on the Grid, while middleware and applications are often not built to handle such restrictions. We present an architecture that facilitates communication across firewalls that is designed to neither compromise security nor require heavy customization of existing software. We call it REMUS.
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 2 What’s a Firewall? “a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy.” (Wikipedia) Good for you. Bad for you.
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 3 Motivation: Grid Enabling Legacy Software (GriddLeS) Workflows Firewalls restrict non-local data transfers. read() write() seek() open() close() Local File Local File Remote File Remote File Remote Application Process GriddLeS FileMultiplexer Legacy Application Cache Late bound decision GRS replicas
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 4 Domain 1Domain 2 Exec node GriddLeS Redirected I/O via Web Services Execution nodes can only access the front node. Front node cannot access the Internet, but can access the local public web server. Public web servers are mutually accessible. Assumes that public web servers are available. Exec node Public Web Server GriddLeS buffer service Public Web Server GriddLeS buffer service Front node GriddLeS Redirection service Front node GriddLeS Redirection service WriterReader GG FIREWALL
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 5 Motivation: Nimrod Parameter Sweeps Nimrod manages the execution of parametric studies across distributed computers. A high-level environment for parameter sweep applications (PSAs). A push and pull model for experiment processing using agents. Grid-enabled with Nimrod/G.
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 6 SC2003
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 7 Nimrod Applications Air pollution studies Laser physics Ecology Discrete Optimization and Meta-Heuristics CAD Digital Simulation Etc.. And they all rely on the interconnection of Nimrod components over the network: access to more resources overall application performance
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 8 The Networked Components of Nimrod/G Nimrod server components: the file and database servers, and the actuator. computational resources resource management experiment management Nimrod running agent Agents process experiments on computational resources. Agents pull job inputs in and push results out. Firewalls can block agents communicating with FS and DBS. DBSFS Actuator
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 9 Abstract Model of Rerouting An authorized channel must be open. We can tunnel multiple connections through. We should avoid reprogramming. We can use off-the-shelf means nA nA cAcA nB nB cBcB AA BB LEGEND: i : Remus rerouters C j : communicating components : some open port LEGEND: i : Remus rerouters C j : communicating components : some open port
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 10 n A n B cAcA cBcB dBdB Accessible Ports Rerouters at unused and accessible ports. However, secure networks will usually open useful ports only, i.e., running services like HTTP. Vacant Port AA BB =D Non-Vacant Port LEGEND: i : Remus rerouters C j : communicating components : some open port : blocked port : rerouted local port LEGEND: i : Remus rerouters C j : communicating components : some open port : blocked port : rerouted local port nA nA nBnB cAcA AA cBcB BB Use daemon to run rerouters as servlets, web services, etc. But daemons have different capabilities.
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 11 No Direct Access, Use Proxies Use mutually accessible proxy host, or several in a chain. Proxy host is usually a low-risk host that does not run critical applications. Proxy host can be hardened and with full logging. ff nA nA nB nB cAcA AA cBcB BB 11 22
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 12 Globus (GT2) Open ports may be too few, or impossible, in secure environments. Designated ephemeral ports must be open, even in GT4. Nexus Proxy involves rebuild. Proxy router is specific to Globus. Client site GridFTP server Gatekeeper Globus Client Gatekeeper Site Job manager FTP server process create job-run status url-copy ftp-data
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 13 Test Case 1: Globus Use SSH port forwarding and SOCKS. Use a SOCKS wrapper. Transparent, no rebuild. globus client host SITE 2 DMZ SITE 1 SSH tunnel ssh, SOCKS proxy X1X1 socks wrapper A globusrun DMZ host sshd s rX 2 protected network socks wrapper B gatekeeper jobmgr local SOCKS proxy X2X2 accepts SOCKS Forwards back to X 2 SSH port gatekeeper open, unrestricted port local port open, unrestricted port local port
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 14 SSH tunnel Test Case 2: Nimrod/G + Globus Nimrod/G using Globus resources. Same setup as Case 1. Transparent, no rebuilding Nimrod/G. Nimrod/G Host SITE 2 DMZ SITE 1 socks wrapper A globusrun DMZ host protected network socks wrapper B gatekeeper Forwards back to X 2 open, unrestricted port local port open, unrestricted port local port Nimrod Agent local SOCKS proxy X2X2 sshd s SSH port rX 2 Nimrod/G FS DBS gatekeeper jobmgr ssh, SOCKS proxy X1X1 accepts SOCKS
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 15 Issues Performance: slower -- but connected. Reliability: requires further work, but relies on mature technology, e.g., SSH, SOCKS. Security: relies on proven technology, trusted, and certain features mitigate risks, e.g., firewall-like configurability and logging. Portability: applies to Grid applications in general.
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 16 Performance Impact FTP file size (MB) FTP Throughput (MB/sec)
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 17 Tunneling Impact FTP file size (MB) FTP Throughput (MB/sec) (raw IP):
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 18 Future Directions Work on installation (package). Work on multiple mechanisms. Work on fault tolerance. Load balancing. SOCKS wrapper globusrun SOCKS wrapper r B gatekeeper jobmgr tunnel 1 tunnel 2 Px GR GK JM GR GK JM
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 19 Conclusions Security and resource sharing are inherently at odds with each other. Grid applications can work with firewalls with a reasonable degree of accessibility. Grid applications and firewalls can leave accessibility mechanisms to middleware. Acknowledgment Australian Partnership for Advanced Computing:
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 20 References 1.Sudholt, W., Baldridge, K., Abramson, D., Enticott, C. and Garic, S. “Parameter Scan of an Effective Group Difference Pseudopotential Using Grid Computing”, New Generation Computing 22 (2004) ( 2.Tan, J, Abramson, D. and Enticott, C. “Bridging Organizational Network Boundaries on the Grid”, IEEE Grid 2005, Seattle, Nov ( 3.Kommineni, J and Abramson, D. “Building Virtual Applications for the GRID with Legacy Components”, in “Advances in Grid Computing - EGC 2005, European Grid Conference”, Springer Lecture Notes in Computer Science (LNCS 3470), Amsterdam, The Netherlands, February 14-16, pp 961 – 971. Edited by P.M.A. Sloot, A.G. Hoekstra, T. Priol, A. Reinefeld, M. Bubak. Websites:
Tan, Abramson & Enticott, “Connecting across Firewalls on the Grid.” (GGF-18) 21 Throttling? FTP file size (MB) FTP Throughput (MB/sec)