
Secure Generic Connection Brokering – SGCB, JPDPS Tel-Aviv, Dec 2003

Secure Generic Connection Brokering (SGCB)

enhancing secure submission of grid jobs across firewalls

David Front, Lorne Levinson, Morton Taragin, Weizmann Institute of Science, Rehovot
Miron Livny, Se-Chang Son, University of Wisconsin, Madison
Itzhak Ben-Akiva, Tel Aviv University, Tel Aviv

Agenda

• The problem

• Requirements

• Architecture

• Performance, evaluation

• References

The problem

• In order to use (Grid) servers, incoming connections must be created

• Organization security policies restrict connections to prevent malicious acts

• Incoming connections are more threatening than outgoing connections

• Hence, organization security managers object to allowing incoming connections through grid domain firewalls

The problem: 2 use cases

(Grid) network applications fail to create incoming connections because of organization security policy, enforced by firewall/s.

[Figure: client behind a client firewall, server behind a server firewall]

1. Server's firewall prevents connections to the server. The server may connect to the client.

2. In addition, the client's firewall prevents connections to the client. No direct connection is possible.

Requirements

A solution to securely submit jobs across firewalls should:

1. Satisfy security managers: allow incoming connections, yet not violate security policies

2. Not require dynamic firewall changes

3. Support communication with standard sockets

4. Not require changes at communicating applications

5. Not require kernel changes

6. Support various security schemes

7. Not require root privilege to install/run

SGCB architecture

Generic Connection Brokering (GCB) by Sechang Son and Miron Livny

+ Bypass by Douglas Thain and Miron Livny

+ Security layer for management messages:
– Trivial security
– GSI security

GCB use case 1: reversed TCP connection

[Figure: server, server firewall, broker and client, with the messages below shown over time. Messages 1–3 are GCB management messages.]

1. Register me (server to broker)

2. I want to connect server (client to broker)

3. Connect client (broker to server)

The server then calls connect() towards the client, and data flows.

GCB use case 2: relayed TCP connection

[Figure: server, server firewall, broker, client firewall and client, with the messages below shown over time. Messages 1–4 are GCB management messages.]

1. Register me (server to broker)

2. I want to connect server (client to broker)

3. Connect me (broker to server)

4. Connect me (broker to client)

Both the server and the client then call connect() to the broker, and data is relayed by the broker.
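The two use cases above, as an added example that is not part of the slides and not GCB's own code: a C model of the broker's choice between the use cases (reversed when only the client's firewall admits incoming connections, relayed when neither does; a direct case is added here for completeness) and of the relay loop a broker runs in use case 2, including the half-close handling that keeps each side's EOF from being lost. The function names, the enum, and the use of AF_UNIX socketpairs in place of the two TCP connections are assumptions of this example; the exchange in the self-test ("PING" from the client, nothing back from the server) is constructed.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Which GCB use case applies, given what each side's firewall admits. The deck
 * shows reversed (use case 1) and relayed (use case 2); DIRECT is an addition of
 * this example for the case where the server's firewall admits incoming connections. */
enum gcb_mode { GCB_DIRECT, GCB_REVERSED, GCB_RELAYED };

enum gcb_mode gcb_choose_mode(int server_accepts_incoming, int client_accepts_incoming)
{
    if (server_accepts_incoming) return GCB_DIRECT;   /* no brokering needed */
    if (client_accepts_incoming) return GCB_REVERSED; /* broker tells server: connect client */
    return GCB_RELAYED;                               /* both connect out to the broker */
}

/* write() until every byte is out, retrying on short writes. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* The broker's relay loop for use case 2: copy bytes both ways between the
 * server-side socket a and the client-side socket b until each side has sent
 * EOF, passing every EOF on as a half-close so the far side sees it too.
 * Returns the number of bytes relayed, or -1 on error. */
long gcb_relay(int a, int b)
{
    int fds[2] = { a, b };
    struct pollfd pf[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    int open_dirs = 2;   /* a->b and b->a still flowing */
    long total = 0;
    char buf[4096];

    while (open_dirs > 0) {
        if (poll(pf, 2, -1) < 0) return -1;
        for (int i = 0; i < 2; i++) {
            if (!(pf[i].revents & (POLLIN | POLLHUP))) continue;
            int from = fds[i], to = fds[1 - i];
            ssize_t n = read(from, buf, sizeof buf);
            if (n < 0) return -1;
            if (n == 0) {                 /* EOF: forward the half-close, stop polling it */
                shutdown(to, SHUT_WR);
                pf[i].fd = -1;            /* poll() ignores negative descriptors */
                open_dirs--;
                continue;
            }
            if (write_all(to, buf, (size_t)n) < 0) return -1;
            total += n;
        }
    }
    return total;
}

/* Stand-alone check with a constructed exchange: two socketpairs play the
 * client<->broker and broker<->server TCP connections of use case 2. The client
 * sends "PING" and half-closes; the server has nothing to send and half-closes
 * too; the broker relays, and each EOF arrives on the far side. Returns 1 on success. */
int gcb_relay_selftest(void)
{
    int c[2], s[2], ok = 0;
    char buf[8] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, c) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return 0;
    if (write(c[0], "PING", 4) == 4 && shutdown(c[0], SHUT_WR) == 0
        && shutdown(s[1], SHUT_WR) == 0
        && gcb_relay(s[0], c[1]) == 4                 /* the broker's two sockets */
        && read(s[1], buf, sizeof buf) == 4 && memcmp(buf, "PING", 4) == 0
        && read(s[1], buf, sizeof buf) == 0           /* client's EOF reached the server */
        && read(c[0], buf, sizeof buf) == 0)          /* server's EOF reached the client */
        ok = 1;
    close(c[0]); close(c[1]); close(s[0]); close(s[1]);
    return ok;
}

int main(void)
{
    printf("mode when neither side accepts incoming: %d (2 = relayed)\n", gcb_choose_mode(0, 0));
    printf("relay self-test: %s\n", gcb_relay_selftest() ? "ok" : "failed");
    return 0;
}
```

The relay is the part of the design that makes the broker a traffic bottleneck (every byte of a relayed connection passes through it) and that puts it on the data path for connections whose endpoints it never authenticates under plain GCB, which is the point of the later security slides.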

Firewall holes without GCB

[Figure: server (incoming) behind the server firewall, client (outgoing) behind the client firewall. The server firewall needs holes for server-client connections.]

Firewall holes with GCB

[Figure: broker (incoming) behind the broker firewall, server (outgoing) behind the server firewall, client (outgoing) behind the client firewall. Only the broker firewall needs holes: for management messages and for server-client connections.]

GCB socket SW layer

GCB socket calls (GCB_bind(), GCB_connect(), GCB_accept(), ...) replace standard socket calls at server and client applications.

GCB calls do whatever is needed to connect, such as:

• communicate with other entities

• reverse connection direction

• initiate standard socket calls: bind(), connect(), accept(), ...

GCB layer: reversed TCP connection

[Figure: call sequence over time across the client machine, broker machine and server machine: GCB_socket, GCB_bind, GCB_listen and GCB_accept on the server; GCB_connect on the client.]

GCB layer: relayed TCP connection

[Figure: the same call sequence over time (GCB_socket, GCB_bind, GCB_listen and GCB_accept on the server; GCB_connect on the client), with the broker relaying.]

SGCB architecture - Bypass

Applications must call GCB socket functions in order to use GCB

Using Bypass avoids this need

Bypass

Bypass is a code generator software for making C++ interposition agents.

[Figure: application, agent and system calls]

1. The agent squeezes in between the application and the system calls.

2. The application issues an accept() system call.

3. The agent intercepts and runs agent code (GCB_accept()).

4. For example: call connect().

Bypassing GCB

[Figure: client application (connect) and server application (socket, bind, listen, accept), each with an Agent underneath; the agents call GCB_socket, GCB_bind, GCB_listen, GCB_accept and GCB_connect and talk to the broker, over time.]

The GCB Bypass agent implements GCB seamlessly to applications.
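How the server's accept() turns into a connect() in use case 1 (the "GCB layer: reversed TCP connection" sequence and the agent on this slide), as an added example that is neither the deck's nor Bypass's nor GCB's code: the client's GCB_connect becomes a listen, and the server's GCB_accept becomes a connect toward the address the broker passed on in "Connect client". AF_UNIX path sockets stand in for TCP so the example runs offline; the function names, the socket path and the "DATA" message are assumptions of this example. An interposition agent would return the descriptor from gcb_accept_reversed() to the application as the result of its intercepted accept(); the symbol interposition itself is not shown.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill an AF_UNIX address for a filesystem path. AF_UNIX stands in here for the
 * client's TCP address that the broker would carry in its "Connect client"
 * message, so the example needs no network access. */
static socklen_t unix_addr(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof sa->sun_path - 1);
    return (socklen_t)sizeof *sa;
}

/* Client side of use case 1 (the client's firewall admits incoming connections):
 * GCB_connect() on the client does not connect() at all; after asking the broker
 * "I want to connect server" it listens for the server to call in. */
int gcb_connect_reversed_listen(const char *my_path)
{
    struct sockaddr_un sa;
    socklen_t len = unix_addr(&sa, my_path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(my_path);                  /* remove a stale socket file from an earlier run */
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Server side: what the agent runs when the application calls accept() on a GCB
 * socket and the broker has answered "Connect client". Instead of accepting, it
 * connect()s to the client and returns that socket; to the application it looks
 * like any accepted connection. */
int gcb_accept_reversed(const char *client_path)
{
    struct sockaddr_un sa;
    socklen_t len = unix_addr(&sa, client_path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stand-alone check: the client listens, the server "accepts" by connecting, the
 * client's pending GCB_connect() completes with accept(), and a constructed
 * "DATA" message crosses from server to client. Returns 1 on success. */
int gcb_reversed_selftest(void)
{
    char path[64], buf[8] = { 0 };
    int lfd, sfd, cfd = -1, ok = 0;
    snprintf(path, sizeof path, "gcb-demo-%ld.sock", (long)getpid());

    lfd = gcb_connect_reversed_listen(path);
    if (lfd < 0) return 0;
    sfd = gcb_accept_reversed(path);
    if (sfd >= 0) cfd = accept(lfd, NULL, NULL);
    if (cfd >= 0 && write(sfd, "DATA", 4) == 4
        && read(cfd, buf, sizeof buf) == 4 && memcmp(buf, "DATA", 4) == 0)
        ok = 1;
    if (cfd >= 0) close(cfd);
    if (sfd >= 0) close(sfd);
    close(lfd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("reversed-connection self-test: %s\n", gcb_reversed_selftest() ? "ok" : "failed");
    return 0;
}
```

Note what the reversal changes at the firewall: the server firewall sees only an outgoing connection, while the client now holds a listening socket, which is exactly why use case 1 needs the client's firewall to admit incoming connections and use case 2 falls back to relaying.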

SGCB architecture - security

GCB management messages are not secure; the SGCB security layer adds security.

GCB: No management message security

[Figure: Server/Client and Broker exchange over time: Accept, Data, Connect, Data, with no authentication step.]

SGCB security scheme 1: trivial security

Applicable for management messages.

[Figure: Server/Client sends AUTH_assert userid@hostname to the Broker; the Broker replies AUTH_accept userid@hostname; then Accept, Data, Connect, Data follow over time.]

SGCB security scheme 2: GSI security

Applicable for GCB management messages.

[Figure: Server/Client sends AUTH_assert certificate to the Broker; the Broker replies AUTH_accept certificate; the subsequent Accept and Connect management messages are encrypted by the sender and decrypted by the receiver, with Data following over time.]
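The trivial scheme's assertion, as an added example that is neither the deck's nor SGCB's code: a bounded parser for the AUTH_assert userid@hostname message and the broker-side decision that follows it. The allowed identity characters, the allow-list, the result enum and the sample identities are assumptions of this example. It makes the limit of scheme 1 visible: the broker can check the syntax and the policy status of the claimed identity, but nothing in the message lets it verify the claim, which is what the certificate-based GSI scheme adds.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GCB_ID_MAX 64

enum auth_result { AUTH_ACCEPT, AUTH_REJECT_SYNTAX, AUTH_REJECT_POLICY };

/* Parse "AUTH_assert userid@hostname" (the trivial-security message on the
 * slide) into bounded userid/hostname buffers of GCB_ID_MAX bytes each.
 * Returns 0 on success, -1 on any syntax problem: missing keyword, missing '@',
 * empty or overlong part, or a character outside [A-Za-z0-9._-]. The character
 * rule is an assumption of this example, not a GCB rule. */
int parse_auth_assert(const char *msg, char *userid, char *hostname)
{
    static const char kw[] = "AUTH_assert ";
    const char *id, *at, *p;
    size_t ulen, hlen;

    if (strncmp(msg, kw, sizeof kw - 1) != 0) return -1;
    id = msg + sizeof kw - 1;
    at = strchr(id, '@');
    if (at == NULL) return -1;
    ulen = (size_t)(at - id);
    hlen = strlen(at + 1);
    if (ulen == 0 || hlen == 0 || ulen >= GCB_ID_MAX || hlen >= GCB_ID_MAX) return -1;
    for (p = id; *p != '\0'; p++) {
        if (p == at) continue;
        if (!isalnum((unsigned char)*p) && strchr("._-", *p) == NULL) return -1;
    }
    memcpy(userid, id, ulen);
    userid[ulen] = '\0';
    memcpy(hostname, at + 1, hlen);
    hostname[hlen] = '\0';
    return 0;
}

/* Broker-side policy for the trivial scheme: accept only identities on an
 * allow-list. What this cannot do is verify the claim; the trivial scheme takes
 * userid@hostname at face value, the gap the GSI scheme closes by authenticating
 * the peer with a certificate. */
enum auth_result broker_check_trivial(const char *msg, const char *const *allow, size_t n_allow)
{
    char u[GCB_ID_MAX], h[GCB_ID_MAX], full[2 * GCB_ID_MAX];
    size_t i;
    if (parse_auth_assert(msg, u, h) != 0) return AUTH_REJECT_SYNTAX;
    snprintf(full, sizeof full, "%s@%s", u, h);
    for (i = 0; i < n_allow; i++)
        if (strcmp(full, allow[i]) == 0) return AUTH_ACCEPT;
    return AUTH_REJECT_POLICY;
}

/* Constructed allow-list for the demo (not from the deck). */
const char *const demo_allow[] = { "alice@worker01.example", "bob@submit.example" };
const size_t demo_allow_n = sizeof demo_allow / sizeof demo_allow[0];

int main(void)
{
    const char *msgs[] = { "AUTH_assert alice@worker01.example",    /* on the list */
                           "AUTH_assert carol@worker01.example",    /* not on the list */
                           "AUTH_assert alice worker01.example" };  /* malformed: no '@' */
    for (size_t i = 0; i < 3; i++)
        printf("%-40s -> %d (0 accept, 1 syntax, 2 policy)\n", msgs[i],
               broker_check_trivial(msgs[i], demo_allow, demo_allow_n));
    return 0;
}
```

The bounded copies and the character whitelist matter because the broker sits in a DMZ and parses these messages from anyone who can reach it; the allow-list is the only policy hook the trivial scheme offers, and it is only as strong as the unverified identity it is keyed on.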

Broker location

[Figure: broker (incoming) in a DMZ; server (outgoing) and client (outgoing) behind their own firewalls.]

• A broker has a relaxed security policy, allowing incoming connections

• It is recommended to locate a broker in a DMZ with no other computers

GCB TCP performance, passing across a private network

Time [msec] of         | Reversed connection | Relayed connection
Connection avg. time   | 30                  | 10
Data (echo) avg. time  | 20                  | 110

GCB does not cause a big time penalty

Evaluation

SGCB does satisfy its requirements, however:

Scalability: The broker is a potential traffic bottleneck. Brokering of up to thousands of machines is yet to be tested

Robustness: The broker is a single point of failure

Complexity: Adding SGCB and Bypass SW layers to a grid application adds complexity and causes a debugging challenge

Experimental: Globus problems with GCB and bypass

Applicability: SGCB is relevant for GT2 more than for GT3

Status

SGCB works with test applications: it creates Bypass'ed connections across firewalls with trivial or GSI security.

SGCB support for Globus is under development

References

• Globus Toolkit Firewall Requirements, Von Welch. http://www-fp.globus.org/security/firewalls/Globus%20Firewall%20Requirements-5.pdf

• GCB: Recovering Internet Symmetry in Distributed Computing, Sechang Son and Miron Livny, Computer Science Department, University of Wisconsin. http://www.cs.wisc.edu/condor/doc/CCGRID2003.pdf

• Bypass, Douglas Thain and Miron Livny. http://www.cs.wisc.edu/condor/bypass/

• SGCB user guide, David Front. www.weizmann.ac.il/~dfront/sgcb.htm

• SSH tunnels and Globus (an alternative approach to connecting across firewalls): Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto, HPL-2002-278, October 2, 2002. http://www.hpl.hp.com/techreports/2002/HPL-2002-278.pdf