Presentation is loading. Please wait.

Presentation is loading. Please wait.

GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion The “Firewall Issues Overview” document.

Published byScot Perkins Modified over 8 years ago

Similar presentations

Presentation on theme: "GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion The “Firewall Issues Overview” document."— Presentation transcript:

1 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion The “Firewall Issues Overview” document - Document update V1.7 and discussion R.Niederberger@fz-juelich.de GGF 17 - FI-RG - 11.05.2006

2 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Overview Structure of current document Firewall Issues Overview - Vers.1.7 Next steps Questions and discussion

3 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Structure of the document Introduction Definitions Grid applications and their issues with firewalls Classification of firewall issues Summary Appendix: Classification of firewall issues seen from the use cases side

4 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Structure of the document (2) Definitions –Firewall –Classification of firewalls personal firewalls network layer firewalls application layer firewalls application firewalls stateful/stateless firewalls –Firewall (global definition) –Network Address translators –Application level gateways –VPN gateways

5 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Structure of the document (3) GRID APPLICATIONS AND THEIR ISSUES WITH FIREWALLS Grid Middleware and Protocols –UNICORE - The Seamless GRID Solution –Globus –Webservices Firewall Issues Data Storage and data transfer –GridFTP versus the Firewall –Impact of dCache deployment –Issues in enabling GPFS Grid Network Architectures and Protocols –The Issue with “Net of Trust” or the “bastion hosts” solution –Firewalls and high bandwidth, long distance networks –The workflow management system TENT

6 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Selection of applications Selection of some commonly deployed grid applications Description of issues applications face dealing with firewalls. No intention to include all possible application used in grid environments just to identify and describe a set of representative examples. Classification according to their communication behavior Leads to good description of the problems arising because of the existence of firewalls within the communication paths.

7 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Structure of the document (4) CLASSIFICATION OF FIREWALL ISSUES

8 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Use Cases seen so far applications which use special single well known ports applications which use control streams to signalize the communication behavior applications with control stream for exchanging of control information. But not all info available Applications with unknown behavior (e.g. dynamic ports, multiple streams) applications which need high throughput data pipes

9 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Firewall issues on applications seen from software perspective Software: Port numbers and amount of ports are unknown until the application starts Consequence: big holes (many ports) are required if amount and/or port numbers are unknown, single hole case (e.g. HTTP port 80) causes referral problems. Only specific, predetermined applications that use a low number of ports only very well defined ports (well known ports) can be supported adequately.

10 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Firewall issues on hardware Hardware: unknown number and kind of firewalls are located within the routing path High performance data streams across long connections need enough buffer space and switching capacity Firewalls which are able to deal with multiple wavelengths on a single fiber not developed until now. If these wavelengths have been divided into individual fibers by DWDM equipment, firewalls are not able to deal with 16, 32 or 64 links of 10 Gb/s each currently

11 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Firewall issues on the network Network: Grid hardware resources running certain applications can not be placed inside the DMZ. Sometimes applications must pass through more than 2 DMZs. But putting Grid applications inside the DMZ may not be avoidable sometimes. Firewalls, when involved in bypass connections, must perform elaborate routing functions

12 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Firewall issues on Security Policies Security Policy: Firewalls may not be aware how many different applications may use the same port. Firewalls may not be aware of the amount of ports that are actually required v.s. configured. Firewalls may need to open up to 10.000 ports for certain applications Firewalls may not have enough information to authorize complex grid applications. Firewalls must not only protect from evil from the public network, but also prevent the public network from being abused. Firewalls may not be able to extend the security context between two applications. Firewalls may not be aware if a host connecting is actually trusted.

13 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Structure of the document (5) APPENDIX: CLASSIFICATION OF FIREWALL ISSUES SEEN FROM THE USE CASES SIDE

14 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Classification of GPFS NameGPFS DescriptionThe General Parallel File System is a high-performance shared-disk file system. It provides fast, reliable data from all nodes in a homogenous or heterogeneous cluster running an AIX or LINUX operating system. GPFS allows parallel applications simultaneous access to one file or a set of files from any node that has the GPFS file system mounted using parallel streams for a single file transfer. Elements in communication path SoftwareHardwareNetworkSecurity Policy SeverityLow Middle Any kind of firewalls between the communicating entities. Own Software No. Software developed by IBM. No hardware restrictions. Communication is done via normal communication paths. (Site network – provider network – site network). Protocol uses fixed configurable TCP port. Disadvantage: Communication including data is unencrypted. Ports used GPFS TCP 1191. Port is configurable Protocol used TCP

15 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Classification of high bandwidth, long distance interconnects NameFirewalls and high bandwidth, long distance networks DescriptionThis use-case describes a setup that allows the creation of (optical) by-pass connections that span long distances which need to be connected via a FW Elements in comm path SoftwareHardwareNetworkSecurity Policy SeverityLowHighMiddleHigh Enterprise and public firewalls at both ends of a connection. Enterprise firewall both connects to the DMZ and to an optical by-pass connection. Own SW Yes and No GridFTP or any other data mover may be used – requirements are independent Switching performance and buffer space is critical for the enterprise side of the firewall. Buffers should be able to contain the bandwidth / delay product of a long haul connection. Performance should be in the multi-Gb/s range. Enterprise firewall may be involved in driving the request of a by-pass connection when detecting private address space ARP requests or handling application specific signals using some protocol 1. Requests from an application to access the optical by-pass should be authorized. The firewall should call out to obtain such authorizations or be provisioned with information that recognises an access request. 2. Security policies should prevent hi-bandwidth / non TCP transmission protocol conformant traffic to be leaked into the regular Internet. Ports used Globus port range or others Proto- col used TCP and UDP in various flavours

16 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Next steps Improve current draft document → any longer Add missing parts → Are their any? Get document public → Time horizon: GGF18 Start a new document dealing with solutions → Already started !! Get involved !!

17 r.niederberger@fz-juelich.de GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion Questions and discussion Questions and discussion

Download ppt "GGF 17 - May, 11th 2006 FI-RG: Firewall Issues Overview Document update and discussion The “Firewall Issues Overview” document."

Similar presentations

Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.

Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
OSI MODEL Maninder Kaur www.eazynotes.com.

OSI MODEL Maninder Kaur
Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 2 – Protocol Architecture, TCP/IP, and Internet-Based.

Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 2 – Protocol Architecture, TCP/IP, and Internet-Based.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 2 – Protocol Architecture, TCP/IP, and Internet-Based.

Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 2 – Protocol Architecture, TCP/IP, and Internet-Based.
Lecture 2 Protocol Layers CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.

Lecture 2 Protocol Layers CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Internetworking.
PROTOCOLS AND ARCHITECTURE Lesson 2 NETS2150/2850.

PROTOCOLS AND ARCHITECTURE Lesson 2 NETS2150/2850.
COS 420 Day 18. Agenda Assignment 4 Posted Chap 16-20 Due April 6 Group project program requirements Submitted but Needs lots of work Individual Project.

COS 420 Day 18. Agenda Assignment 4 Posted Chap Due April 6 Group project program requirements Submitted but Needs lots of work Individual Project.
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.

COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.
Data Communications Architecture Models. What is a Protocol? For two entities to communicate successfully, they must “speak the same language”. What is.

Data Communications Architecture Models. What is a Protocol? For two entities to communicate successfully, they must “speak the same language”. What is.

Similar presentations

Ads by Google