UK GRID Firewall Workshop Matthew J. Dovey Technical Manager Oxford e-Science Centre.

Background
- 'Making the Grid Work in a Computing Services Environment' (1 May 2002) proposed a series of workshops to address specific issues.
- The first of these considered the use and maintenance of firewalls within a GRID environment:
  - Focus on implementations suitable for Globus within a Level 2 Grid (L2G) framework
  - Also consider WebServices/GRIDServices
- Open invitation to the UK e-Science community, network administrators and firewall administrators
- More than 50 people attended.

Purpose
- To bring together developers of the UK e-Science Grid and computing service providers
- To enable the technical support community and the e-Science/Grid community to exchange ideas and networking/firewall information
- To produce a coherent set of recommendations for firewall configuration and maintenance for the U.K. Level 2 Grid
- To identify practical, workable solutions for use with the Grid.

Agenda
Morning - presentations
- Introduction to the part of GLOBUS relating to the use of firewalls - Andrew McNab
- Introduction to Web Services as they relate to the use of firewalls - Matthew Dovey
- A 'Dynamic' Firewall - Jon Hillier
- A 'Clique/Trust' Firewall - Jon Hillier
- Firewall Configurations - Jon Hillier
- GRID and VPNs - Matthew Dovey
Afternoon
- Break out and discussions

Firewall Solutions Presented
- "Clique GRID" - trust based
- Dynamic Firewall
- VPN (IPSec) Tunnelling

Break-out Discussion Issues - 1
- Does the solution offer the required security for the GRID projects?
- Are there inherent security weaknesses of the solution which would make it less suitable?
- How effective would the solution be for a Level 2 GRID?
- Is the solution scalable beyond a Level 2 GRID?
- Would the solution still be valid in protecting a GRID based on GridServices or WebServices?

Break-out Discussion Issues - 2
- Would the solution still be required for a GRID based on GridServices or WebServices?
- Are there technical problems with the solution which would affect its use in GRID projects?
- Are there technical problems with the solution which would affect its adoption at an institution?
- Is the solution consistent with current security policies in place at institutions or in the GRID project?
- Will the solution remain consistent with future security policies?

Closing Discussion
- Clear responsibility of system administrators of Grid resources attached to the Grid, and awareness of the issues and risks associated with the Grid.
- Distinction between network firewalls protecting a site and host-based firewalls running on Grid resources.
- Should each site aim to provide a dedicated gatekeeper system?
- A DNS-based system should be examined for providing a trusted source of Grid IP addresses.
- Develop clear guidelines for how a secure Grid IP address host operates.
- Clients are seen as a weak link in the Grid security framework - sites may be unwilling to provide access for them without knowledge of their security credentials.

Recommendations
- Trusted host (clique) server is acceptable to most sites:
  - Short term - not scalable
  - Needs to be securely managed and maintained
  - Initial step: provide all Level 2 GRID sites with a list of IP addresses and port ranges
- Dynamic firewall may be more scalable and secure for host-based firewalls.
- Hybrid host - static IP addresses and dynamic firewall - would provide an operational Level 2 GRID quickly.
- VPN is a longer-term possibility using off-the-shelf technology, but interoperability issues between the current VPN solutions prevent this being a short-term option.
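As an added illustration of the recommended interim step, in which every Level 2 GRID site receives a list of trusted IP addresses and port ranges and loads it into its host-based firewall, the following Python script (not part of the workshop slides or of any Grid project's code) parses a constructed trusted-host list, rejects malformed entries so that a bad line can never widen the rule set, and renders an nftables input chain with a default-drop policy and logging of dropped packets. The file format, the site names, the RFC 5737 documentation networks and the port numbers are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample of a "trusted host" (clique) list: one entry per
# site network, protocol and port range. The networks are RFC 5737
# documentation ranges; the last two lines are deliberately malformed.
SAMPLE_TRUSTED_HOSTS = """\
# site, network, proto, port or port range
oxford,     192.0.2.0/24,      tcp, 2119
oxford,     192.0.2.0/24,      tcp, 40000-40100
manchester, 198.51.100.17/32,  tcp, 2119
bad-site,   300.1.1.1/32,      tcp, 2119          # invalid address
bad-site,   203.0.113.0/24,    tcp, 50000-40000   # reversed range
"""


@dataclass(frozen=True)
class TrustedEntry:
    site: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: str
    port_lo: int
    port_hi: int


def parse_trusted_hosts(text: str) -> tuple[list[TrustedEntry], list[str]]:
    """Parse the list; return (validated entries, error messages).

    A malformed line is reported and skipped rather than "repaired", so a
    rule is only ever emitted for an entry that passed every check.
    """
    entries: list[TrustedEntry] = []
    errors: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(parts)}")
            continue
        site, net, proto, ports = parts
        try:
            # strict=True rejects host bits set inside a prefix (e.g. 192.0.2.5/24)
            network = ipaddress.ip_network(net, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: bad network {net!r}: {exc}")
            continue
        if proto not in ("tcp", "udp"):
            errors.append(f"line {lineno}: unsupported protocol {proto!r}")
            continue
        lo_s, _, hi_s = ports.partition("-")
        try:
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
        except ValueError:
            errors.append(f"line {lineno}: bad port range {ports!r}")
            continue
        if not 1 <= lo <= hi <= 65535:
            errors.append(f"line {lineno}: port range {ports!r} out of order or out of range")
            continue
        entries.append(TrustedEntry(site, network, proto, lo, hi))
    return entries, errors


def render_nft_rules(entries: list[TrustedEntry], table: str = "grid",
                     chain: str = "grid_in") -> str:
    """Emit an nftables input chain: default drop, loopback and established
    traffic allowed, then one accept rule per trusted entry, then log+drop."""
    lines = [
        f"table inet {table} {{",
        f"    chain {chain} {{",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
    ]
    for e in sorted(entries, key=lambda e: (e.site, str(e.network), e.port_lo)):
        fam = "ip6" if e.network.version == 6 else "ip"   # nft needs the right family keyword
        ports = str(e.port_lo) if e.port_lo == e.port_hi else f"{e.port_lo}-{e.port_hi}"
        lines.append(f"        {fam} saddr {e.network} {e.proto} dport {ports} accept  # {e.site}")
    lines.append('        log prefix "grid-drop: " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    good, bad = parse_trusted_hosts(SAMPLE_TRUSTED_HOSTS)
    for err in bad:
        print("REJECTED:", err)
    print(render_nft_rules(good))
```

The rendered text can be loaded with `nft -f` on a host; the two rejected lines are reported to the operator instead of being silently dropped, which matters because the list is the single source of trust for every site that consumes it.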