Published by Conrad Nickel. Modified over 9 years ago.
1
A “Dynamic” Firewall
Jon Hillier
Oxford University / eScience Centre
2
Why?
- Globus port usage
- Site-wide firewall too lax
- Static firewall with fixed list of rules too unwieldy in large Grid
- Certificate only method of authentication
3
How?
- Single gatekeeper (2119/tcp) port open to all on gatekeeper machine
- Daemon watches standard Globus log file
- Success of an incoming Globus “ping” is shown in the log file
- Originator's IP address also shown in the log file
4
How? 2
- If “ping” successful then daemon adds relevant rules to firewall (IPTables or IPchains)
- “ping” success depends on the validity of the certificate and the ability of the user to actually access the gatekeeper
- After a sys-admin specified time the firewall rules time out and access is once again denied
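The mechanism on the two "How?" slides, sketched as an added example (not code from the presentation): a log line reporting a successful ping yields a firewall rule for its source address, and the rule is withdrawn after a timeout. The log wording, the class and function names, and the choice of a plain source-address ACCEPT rule are assumptions; the commands are returned as argument lists for the daemon to run, not executed.

```python
import ipaddress
import re

# Assumed log wording, constructed for this example; the real Globus log
# format is not shown in the slides.
PING_OK = re.compile(r"ping successful from (\S+)")

class DynamicAllowList:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds    # sys-admin specified lifetime of a rule
        self.expiry = {}          # source address -> time the rule expires

    @staticmethod
    def _rule(action, ip):
        # Built as an argv list, never a shell string: the address comes
        # from a log file and the daemon runs as root.
        return ["iptables", action, "INPUT", "-s", ip, "-j", "ACCEPT"]

    def on_log_line(self, line, now):
        """Return the iptables commands to run for one log line."""
        m = PING_OK.search(line)
        if not m:
            return []
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            return []             # malformed address never reaches iptables
        renewed = ip in self.expiry
        self.expiry[ip] = now + self.ttl   # a repeat ping renews the timeout
        return [] if renewed else [self._rule("-I", ip)]

    def expire(self, now):
        """Return the iptables commands that remove timed-out rules."""
        gone = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in gone:
            del self.expiry[ip]
        return [self._rule("-D", ip) for ip in gone]

# Constructed sample log lines
SAMPLE = [
    "gatekeeper: ping successful from 192.0.2.10",
    "gatekeeper: authentication failed from 198.51.100.7",
    "gatekeeper: ping successful from 192.0.2.10;reboot",
]

def demo():
    fw = DynamicAllowList(ttl_seconds=600)
    cmds = [c for i, l in enumerate(SAMPLE) for c in fw.on_log_line(l, now=i)]
    return cmds + fw.expire(now=700)
```

Only the first sample line produces a rule; the failed authentication and the malformed address produce none, and the rule is deleted once its timeout has passed.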
5
Pros
- Easy to install – requires no modification of Globus
- Uses certificates as a method of authentication
- Allows access from any IP address
- Times out so that IP addresses aren’t permanently allowed access
- Permits any changes to the firewall, on top of current firewall settings
6
Cons
- Software firewall needs to run on the gatekeeper – slowing the system
- Remote changes to any firewall are not popular
- Ideally would use a program such as IPFilter which has better table controls
- Firewall at remote institution must be amenable to Globus connections (this may be part of the demonstration!)
7
Conclusions
- Good proof of concept
- Dynamic control of ports in a Globus 2-based environment is useful
- Slow network bandwidth and root changes to security-critical services are not desirable
- Possibly viable on an emergency “backup” gatekeeper for unforeseen remote access