Dynamic Firewalls and Service Deployment Models for Grid 网格的动态防火墙和服务的部署模型.pptVIP

12.12.1234 anne itti Dynamic Firewalls and Service Deployment Models for Grid Environments Gian Luca Volpato, Christian Grimm RRZN – Leibniz Universit?t Hannover Overview Dynamic Firewall General concepts Dyna-Fire Cooperative On-Demand Opening (CODO) Limitations Globus Toolkit deployment model Services at the Resource Provider Use of existing computing infrastructure Minimal number of connections through the site firewall Firewall A Firewall is a piece of hardware and/or software which functions in a network environment to prevent some communications forbidden by the security policy. * Good: it blocks unwanted and malicious traffic. Bad: it might be not flexible enough to allow seamless execution of Grid applications. * Wikipedia Dynamic Firewall Goal Protect a network so that it appears completely inaccessible from external systems but still responds to trusted clients, i.e. allow external connections on-demand. Current solutions Signaling protocol to add/remove filtering rules: “Off-path”: communication between applications and firewalls “In-path”: communication between application peers intercepted by intermediate firewalls Dyna-Fire Cooperative On-Demand Opening One daemon runs on the same host of the firewall to: monitor all connection requests add/remove filtering rules in the firewall A connection is allowed when the client request is successfully authenticated and authorized. Signaling protocol: Dyna-Fire == messages carried by Port Knocking CODO == messages carried over SSL channel Limitations of dynamic firewalls No mechanism to discover automatically the firewalls along the path Signaling before connection establishment? Static routing table configuration Dyna-Fire and Port Knocking CPU overhead for monitoring of connection attempts Exclusive reservation of some ports Unidirectional protocol exposed to reply and man-in-the-middle attacks CODO Applications (client and server!) must be recompiled/relinked with a speci