Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Dynamic Connectivity Service Oscar Koeroo JRA3.

Published byGary Craig Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Dynamic Connectivity Service Oscar Koeroo JRA3."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Dynamic Connectivity Service Oscar Koeroo JRA3

2 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 2 Content What’s the problem? What do we need? How do we want to solve it Our prototype –and how does it work

3 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 3 What’s the problem? Most to all WNs (in LCG-2) can make outbound connection to almost any machine on the Internet –No Firewalls that limits a user  A few possibilities are: WN publicly addressable Inbound is prohibited and outbound is still free to use oNAT box oFirewall rules WNs are locked up for any Internet traffic –VOs request ability for their users to connect to there own servers  Pulling VO specific data on a WN Packages Data  Push result on to VO specific machines  Interactive Database access This means that every (rogue) user can do harmful things like: –Launch DDoS - Grid Jobs can aid or start a DDoS on a (web-)server –Share Warez - Each machine can serve as Warez servers –Make a pass-through for Worms & Viruses

4 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 4 What we need… Network containment –We need to keep a user primarily contained inside the fabric –If users have a connectivity wish they can request it at the (concerning) resource centers –RCs need to be in full control of their (network) domain

5 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 5 How do we want to solve it Lockup a site tight –From a WN’s perspective and the running job:  No (direct) inbound connectivity Achieved by setting up a router, NAT box or Firewall (or some combination) prohibiting these connections  No outbound connectivity The router, NAT box or firewall (or a combi.) prohibit these connections –Narrow the static firewall rules for all Grid Services as much as possible  Grid services mutual authenticate themselves to other services with some kind of access control so they can be regarded as safe(r) connections Only when needed open-up a port to make a (controlled) connection available

6 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 6 AuthN user to service AuthZ user & request Open port on a Firewall Keeping track of opened ports How does it work: Use Case #1 WN running a Job Firewall Site / Fabric Internet Request connectivity to WS Portnumber IP TCP / UDP Inbound / Outbound Service WS 1 2 3 Outbound connectivity possible

7 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 7 How does it work: Use Case #2 Firewalled machine Firewall Site / Fabric User from some Internet location Request connectivity to WS Portnumber IP TCP / UDP Inbound / Outbound Service WS 1 AuthN user to service AuthZ user & request Open port on a Firewall Keeping track of opened ports 2 3 Inbound connectivity possible

8 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 8 How to Deploy? – with NAT WN Private ip-addresses ip-address: 10.1.x.x Std gateway: 10.1.0.1 Dynamic Connectivity Service NAT box On NAT box eth0: 10.1.0.1 (private ip) eth1: 192.16.186.x (public ip) On req. of user to DCS: Req. dest. ip-addr A portNo X Source is ip-addr WN On behalf of user’s proxy Core Router

9 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 9 How to Deploy? – with routers #1 On req. of user to DCS: Req. dest. ip-addr A portNo X Source is ip-addr WN On behalf of user’s proxy Core Router WN Public ip-address ip-address: 192.16.186.x Std gateway: 192.16.186.102 Dynamic Connectivity Service Level3 Bridge On Level3 Bridge eth0: 192.16.186.102 eth1: 192.16.187.101

10 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 10 How to Deploy? – with routers #2 On req. of user to DCS: Req. dest. ip-addr A portNo X Source is ip-addr WN On behalf of user’s proxy Core Router WN Public ip-address ip-address: 192.16.186.x Std gateway: 192.16.186.102 Dynamic Connectivity Service Level3 Bridge On Level3 Bridge eth0: 192.16.186.102 eth1: 192.16.187.101

11 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 11 Sandboxing the network When using Virtual Machines in your cluster as WNs: –Separate the WNs in two subnets, divide by real and virtual WNs  Creates the ability to separate the physical WN and its virtual self(s) on a network basis Example: use 10.x.x.x for the VMs and 192.168.x.x for the real hardware and never allow a VM to connect with the Physical hardware  Gains the ability to be very flexible within the virtual subnet without disturbing the physical hardware network even though they share the same wire –On the fly VLANs (or narrowed subnets) per job (by control of the Site Admin, not the user)  The ultimate sandboxing is to create a network sandbox Very narrow/small subnet, partitioning the VM subnet Use VLANs  If a job needs only one CPU, then setup the network for one VM  If a job needs multiple nodes (MPI) then broaden the VLAN to be include the requested amount of VMs (equal to CPU) When using a DCS between the core firewall it can realize firewall rulesets per On-the-Fly subnet instead of per node

12 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 12 The Virtual Idea… Physical WN VM CE Some kind of VM bootstrapping mechanism The Job Setting up the ”narrowed subnet” DCS and/or core router Setting up the narrow subnet on the VM before deployment or at bootstrap

13 Enabling Grids for E-sciencE INFSO-RI-508833 Dynamic Connectivity Service 13 Past, Present & Future Past (Current pre-prototype implementation Feb 2005): –No AuthN and AuthZ security elements –Only portnumber requests –Based on iptables Present –Currently no manpower to work on this Future –AuthN & AuthZ –Fine & coarse grained connectivity policy description –Implementation of all the Virtual Machine ideas concerning the network utilizations

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Dynamic Connectivity Service Oscar Koeroo JRA3."

Similar presentations

IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.

IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
How topology decisions affect speed/availability/security/cost/etc. Network Topology.

How topology decisions affect speed/availability/security/cost/etc. Network Topology.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
OpenContrail Quickstart

OpenContrail Quickstart
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
Firewall Slides by John Rouda

Firewall Slides by John Rouda
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Virtual IP Network Windows Server 2012 Windows 08 Dual Subnets.

Virtual IP Network Windows Server 2012 Windows 08 Dual Subnets.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Networking Components

Networking Components
Data Center Network Redesign using SDN

Data Center Network Redesign using SDN
Using LISP for Secure Hybrid Cloud Extension draft-freitasbellagamba-lisp-hybrid-cloud-use-case-00 Santiago Freitas Patrice Bellagamba Yves Hertoghs IETF.

Using LISP for Secure Hybrid Cloud Extension draft-freitasbellagamba-lisp-hybrid-cloud-use-case-00 Santiago Freitas Patrice Bellagamba Yves Hertoghs IETF.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P3 24-25 October 2013.

Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P October 2013.

Similar presentations

Ads by Google