Published by Helen Rose. Modified over 9 years ago.
1
UK GRID Firewall Workshop
Matthew J. Dovey
Technical Manager
Oxford e-Science Centre
2
Background
- ‘Making the Grid Work in a Computing Services Environment’ (1 May 2002) proposed a series of workshops to address specific issues.
- The first of these considered the use and maintenance of firewalls within a GRID environment
  - Focus on implementations suitable for Globus within a Level 2 Grid (L2G) framework
  - Also consider WebServices/GRIDServices
  - Open invitation to the UK e-Science community, network administrators and firewall administrators
  - More than 50 people attended.
3
Purpose
- To bring together developers of the UK e-Science Grid and computing service providers
- To enable the technical support community and e-Science/Grid community to exchange ideas and networking/firewall information
- To produce a coherent set of recommendations for firewall configuration and maintenance for the U.K. Level 2 Grid
- To identify practical workable solutions for use with the Grid.
4
Agenda
- Morning - presentations
  - Introduction to part of GLOBUS relating to use of firewalls - Andrew McNab
  - Introduction to Web Services as they relate to use of firewalls - Matthew Dovey
  - A ‘Dynamic’ Firewall - Jon Hillier
  - A ‘Clique/Trust’ Firewall - Jon Hillier
  - Firewall Configurations - Jon Hillier
  - GRID and VPNs – Matthew Dovey
- Afternoon
  - Break out and discussions
5
Firewall Solutions Presented
- “Clique GRID” – Trust based
- Dynamic Firewall
- VPN (IPSec) Tunnelling
6
Break-out Discussion Issues - 1
- Does the solution offer the required security for the GRID projects?
- Are there inherent security weaknesses of the solution which would make it less suitable?
- How effective would the solution be for a level 2 GRID?
- Is the solution scalable beyond a level 2 GRID?
- Would the solution still be valid in protecting a GRID based on GridServices or WebServices?
7
Break-out Discussion Issues - 2
- Would the solution still be required for a GRID based on GridServices or WebServices?
- Are there technical problems with the solution which would affect its use in GRID projects?
- Are there technical problems with the solution which would affect its adoption at an institution?
- Is the solution consistent with current security policies in place at institutions or in GRID project?
- Will the solution remain consistent with future security policies?
8
Closing Discussion
- Clear responsibility of system administrators of Grid resources attached to the Grid and awareness of issues and risks associated with the Grid.
- Distinction between network firewalls protecting a site and host-based firewalls running on Grid resources
- Should each site aim to provide a dedicated gatekeeper system?
- A DNS based system should be examined for providing a trusted source of Grid IP addresses.
- Develop clear guidelines for how a secure Grid IP address host operates
- Clients are seen as a weak link in the Grid security framework - sites may be unwilling to provide access for them without knowledge of their security credentials.
9
Recommendations
- Trusted host (clique) server is acceptable to most sites
  - Short term – not scalable
  - Needs to be securely managed and maintained
- Initial step to provide all Level 2 GRID sites a list of IP address and port ranges
- Dynamic firewall may be more scalable and secure for host-based firewalls.
- Hybrid host - static IP addresses and dynamic firewall - provide an operational Level 2 GRID quickly.
- VPN is a longer term possibility using off-the-shelf technology, but interoperability issues between the current VPN solutions prevent this being a short term option