Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization.

Similar presentations


Presentation on theme: "Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization."— Presentation transcript:

1 www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization

2 www.infotech.monash.edu.au 2 Outline Background Project Aims & Previous Research Research Problem Research Approach & Method Analysis Demo Implementation Design Review Future Work Conclusion

3 www.infotech.monash.edu.au 3 Background – Grid Network & Security Application Solutions –Globus Security Infrastructure –Security of Open Grid Services Architecture –Security as Services –Public Key Infrastructure Virtual Organization & Virtual Connectivity Gateway Solutions –Common Solutions –Grid Firewall & Firewall Traversal

4 www.infotech.monash.edu.au 4 Background – Understanding Virtualization Pooling & Reallocating –Resource: Pooling –Infrastructure: Multiplying, Clustering Simulation –Simulators: VMs –Application Virtualization: Sandbox –Network: Tunnelling –Grid: Virtual Organization * Firewall Virtualization –Dynamic Firewall –Zone Based Virtual Firewall –Virtual Access Control

5 www.infotech.monash.edu.au 5 Project Aims & Previous Research – Security Gateway for Grid Grid Security Scenario –Unpredictable application & users –Dynamic –Large quantity of devices Security Gateway –Packet Filtering –Access Control –Intrusion Detection/Prevention

6 www.infotech.monash.edu.au 6 Project Aims & Previous Research – Firewall Traversal & Firewall Virtualization Firewall Proxy Model Firewall Control Model

7 www.infotech.monash.edu.au 7 Research Problem – NAT Problem Server IP + Port == A TCP Service Source IP + Port != Client User Identity

8 www.infotech.monash.edu.au 8 Research Approach & Method Research Approach –A grid firewall solution –Without NAT problem –Easy to implement & deploy Research Method –Problem Oriented Research

9 www.infotech.monash.edu.au 9 Analysis – Problem Breaking Down Grid Security Gateway Access Control on Demand Permit/Filter (Non)- Authorized Communication By ACL Determine (Non)- Authorized Communication By ACL f: (Communication, ACL) -> Permit/Filter g: Communication -> Identity (*Session Key) h: (Identity, ACL) -> Permit/Filter f = h(g(Communication), ACL)

10 www.infotech.monash.edu.au 10 Analysis – Research Questions Central Question : –How do we determine the identity information? Q1: What can a firewall determine? How? –What can a pure network firewall determine? –Is there any other choice (IPTables) which can do more? Q2: How to generate and carry the information which can be determined? –Can the program change some existing properties of the communication? How? –Can the program add new properties? How?

11 www.infotech.monash.edu.au 11 Analysis – Research Hypotheses Capability of Network Firewall –IP: Source and target IP address –TCP: Source and target port –Protocol Special Capability of IPTables –Owner: uid, pid, gid...... (IPFW has also ‘out uid’) Change existing properties of communication –Packet based: >Changing Address: Authentication based NAT/PAT >Changing protocol: Tunnel/Proxy (useless) –Connection based: >Extra handshake (hard to implement) Can the program add new properties? How? –Application specific Tunnel/Proxy

12 www.infotech.monash.edu.au 12 Analysis – Possible Solution: NAT/PAT Cons –Customize IP assigning mechanism >Not supported by most of current VPN solutions >Hard to program –Check after tunnel created >Complex control signal –Delay caused –Hard to program but possible* Pro –Existing firewall can be used, but extra component to run the program is still needed.

13 www.infotech.monash.edu.au 13 Analysis – Possible Solution: Tunnel/Proxy Few Firewall Choice: IPTables, IPFW… Tunnel Proxy Choice –Does it create process for each session? –Can the process owner one-to-one map to the client identity? –SSH Port Forwarding >Pros: –Commonly used –Gateway-to-Gateway –Only tunnel the request (Comparing with VPN) >Cons: Client command & settings Other methods can be examined

14 www.infotech.monash.edu.au 14 Demo Implementation VAC> show use whitelist service 0 10.1.1.2:80 TCP //Http AppServer ACCEPT User xyqin1 Client>ssh -N -f -L 80:10.1.1.2:80 xyqin1@VFW

15 www.infotech.monash.edu.au 15 Design Review NAT Problem –NAT between the gateways does not harm Efficiency Cost –Pre-defined tunnel and filtering rules –One time encapsulating –Only tunnel the request –Non-Cipher SSH is a choice & SSH is not the only choice Capability & Reliability –Clustering –Load Balance

16 www.infotech.monash.edu.au 16 Future Work Virtualization –Scalable (Zones, Multiple Instances) –Dynamic Access Control –Clustering Usability –Client side program –Remote Administration Distributable –Authentication Server Extendable –Extensions? API?

17 www.infotech.monash.edu.au 17 Conclusion It is possible and necessary to implement authentication based access control on grid gateway, which is secure, extensible and interoperable with grid. Pure network filtering firewall is very weak solution for grid security purpose. Grid security needs application level methods because of virtualization.

18 www.infotech.monash.edu.au 18 Q & A


Download ppt "Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization."

Similar presentations


Ads by Google