Automatic verification of SLA for Firewall Configuration in Grid Environments Gian Luca Volpato – Cracow Grid Workshop 08 – 15 October 2008 Gian Luca Volpato.

Presentation transcript:

Automatic verification of SLA for Firewall Configuration in Grid Environments
Gian Luca Volpato, Christian Grimm, Martin Janitschke
Cracow Grid Workshop '08, 15 October 2008

Page 2 Motivation
Facilitate the integration of new resources into a Grid:
1. Definition of security profiles
2. Certification of firewall setup
3. Monitoring firewall configuration as part of the Service Level Agreements
Gian Luca Volpato - Cracow Grid Workshop ' October 2008

Page 3 Summary
1. Firewall configuration issues
2. Classification of middleware components
3. Definition of security profiles
4. SLA extension
5. Tool for automatic verification of firewall configuration
6. Q&A

Page 4 Integration of new partners
- Installation of Grid middleware(s)
- Creation of local user accounts
- Registration to the information services
- ...
- Configuration of firewall rules
  - If too restrictive: legitimate communications are prevented
  - If too loose: unauthorized communications are allowed

Page 5 Classification of middleware components
Four categories of middleware components:
1. Computing frontends
2. Data frontends
3. Interactive nodes
4. Worker nodes
Examples shown in the slide diagram: Globus GRAM, UNICORE NJS and LCG/gLite CE (computing frontends); OGSA-DAI and dCache SE (data frontends); the interactive node; the batch system and worker node.

Page 6 Communication paths
Identification of the network ports used by each component for incoming connections.
Diagram: incoming ports of GT 4.0 GRAM, dCache SE and OGSA-DAI (only the port label 8443 is preserved in the transcript).

Page 7 Security profiles
- Minimize the number of connections traversing firewalls
- Range from basic services to the complete set of functionality
Table of profile levels (body not preserved in the transcript): Level | Computing | Data | Worker node | Interactive node

Page 8 SLA extension
- Each site declares which security profile it will implement
- This provides a guarantee that communications to/from certain Grid services are allowed, i.e. that the firewall is correctly configured
- Verification:
  - before accepting a site in production
  - periodically, for the whole duration of the collaboration

Page 9 Verification of firewall configuration
Central service performing periodic verifications:
- requested ports are accessible
- all other ports are blocked
In a further evolution:
- allow peer-to-peer verification of selected sites
- triggered on demand
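The two SLA conditions of pages 7 to 9 (declared ports reachable, every other audited port blocked) as an added Python checker; this is example code written for this page, not the verification tool presented at the workshop. The profile contents, the audited port range and the names `probe_port`, `verify_component`, `sla_compliant` and `audit_host` are assumptions; port 8443 is the only value the transcript preserves.

```python
import socket

# Constructed security profile: component class -> inbound ports that must
# be reachable. Port 8443 (GT 4.0 GRAM) is on the slides; 2811 (GridFTP) and
# the empty worker-node set are assumed values for illustration only.
EXPECTED_OPEN = {
    "computing-frontend": {8443},
    "data-frontend": {2811, 8443},
    "worker-node": set(),
}

# Ports the central verification service audits (assumption: 1-10000).
AUDIT_RANGE = range(1, 10001)


def probe_port(host, port, timeout=1.0):
    """Return True when a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_component(component, observed_open, expected=EXPECTED_OPEN,
                     audit_range=AUDIT_RANGE):
    """Compare the ports observed open on a host with its declared profile.

    'blocked' lists required ports that did not answer (firewall too
    restrictive: legitimate Grid traffic fails); 'exposed' lists reachable
    ports the profile does not allow (too loose: unauthorized access).
    Ports outside the audited range are ignored.
    """
    required = expected[component]
    observed = {p for p in observed_open if p in audit_range}
    return {"blocked": sorted(required - observed),
            "exposed": sorted(observed - required)}


def sla_compliant(report):
    """A site meets the SLA only when both violation lists are empty."""
    return not report["blocked"] and not report["exposed"]


def audit_host(host, component, audit_range=AUDIT_RANGE):
    """Probe every audited port on one of the site's own declared hosts."""
    observed = {p for p in audit_range if probe_port(host, p)}
    return verify_component(component, observed, audit_range=audit_range)


if __name__ == "__main__":
    # Constructed observation standing in for a real probe run.
    print(verify_component("data-frontend", {22, 8443}))
    # -> {'blocked': [2811], 'exposed': [22]}
```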

Page 10 (figure-only slide; no text preserved in the transcript)

Page 11 Summary
1. Firewall configuration issues
2. Classification of middleware components
3. Definition of security profiles
4. SLA extension
5. Tool for automatic verification of firewall configuration
Q&A