UK GRID Firewall Workshop

Matthew J. Dovey
Technical Manager
Oxford e-Science Centre


Background

- 'Making the Grid Work in a Computing Services Environment' (1 May 2002) proposed a series of workshops to address specific issues.
- The first of these considered the use and maintenance of firewalls within a Grid environment
  - Focus on implementations suitable for Globus within a Level 2 Grid (L2G) framework
  - Also consider Web Services / Grid Services
- Open invitation to the UK e-Science community, network administrators and firewall administrators
- More than 50 people attended.


Purpose

- To bring together developers of the UK e-Science Grid and computing service providers
- To enable the technical support community and the e-Science/Grid community to exchange ideas and networking/firewall information
- To produce a coherent set of recommendations for firewall configuration and maintenance for the U.K. Level 2 Grid
- To identify practical, workable solutions for use with the Grid.


Agenda

Morning - presentations
- Introduction to the part of GLOBUS relating to use of firewalls - Andrew McNab
- Introduction to Web Services as they relate to use of firewalls - Matthew Dovey
- A 'Dynamic' Firewall - Jon Hillier
- A 'Clique/Trust' Firewall - Jon Hillier
- Firewall Configurations - Jon Hillier
- GRID and VPNs - Matthew Dovey

Afternoon
- Break out and discussions


Firewall Solutions Presented

- "Clique GRID" - Trust based
- Dynamic Firewall
- VPN (IPSec) Tunnelling


Break-out Discussion Issues - 1

- Does the solution offer the required security for the GRID projects?
- Are there inherent security weaknesses of the solution which would make it less suitable?
- How effective would the solution be for a Level 2 GRID?
- Is the solution scalable beyond a Level 2 GRID?
- Would the solution still be valid in protecting a GRID based on GridServices or WebServices?


Break-out Discussion Issues - 2

- Would the solution still be required for a GRID based on GridServices or WebServices?
- Are there technical problems with the solution which would affect its use in GRID projects?
- Are there technical problems with the solution which would affect its adoption at an institution?
- Is the solution consistent with current security policies in place at institutions or in GRID projects?
- Will the solution remain consistent with future security policies?


Closing Discussion

- Clear responsibility of system administrators of Grid resources attached to the Grid, and awareness of the issues and risks associated with the Grid.
- Distinction between network firewalls protecting a site and host-based firewalls running on Grid resources.
- Should each site aim to provide a dedicated gatekeeper system?
- A DNS-based system should be examined for providing a trusted source of Grid IP addresses.
- Develop clear guidelines for how a secure Grid IP address host operates.
- Clients are seen as a weak link in the Grid security framework - sites may be unwilling to provide access for them without knowledge of their security credentials.


Recommendations

- Trusted host (clique) server is acceptable to most sites
  - Short term - not scalable
  - Needs to be securely managed and maintained
- Initial step: provide all Level 2 GRID sites with a list of IP addresses and port ranges
- Dynamic firewall may be more scalable and secure for host-based firewalls.
- Hybrid host - static IP addresses and dynamic firewall - would provide an operational Level 2 GRID quickly.
- VPN is a longer-term possibility using off-the-shelf technology, but interoperability issues between the current VPN solutions prevent this being a short-term option.
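The first recommendation above amounts to a static allow-list: each Level 2 Grid site receives the trusted sources and port ranges of the other sites and turns them into host-based firewall rules on its Grid resources, with everything else denied. The following is an added example of that step, written for this page and not taken from the workshop or from Globus; it parses a constructed trusted-host list, rejects entries that would quietly widen the allow-list (the "securely managed and maintained" point), and renders an iptables chain. The addresses are RFC 5737 documentation ranges, the host roles and port numbers are placeholders, and the /16 and 1024-port thresholds are assumptions chosen for the example.

```python
"""Host-based firewall rules from a static list of trusted Grid hosts.

Added example: parse a "trusted Grid hosts" list of the kind the workshop
recommended distributing to Level 2 Grid sites, reject entries that are too
broad to be safe, and render an iptables chain that admits only those
sources on those ports (default deny for everything else).
"""
import ipaddress
import re
from typing import List, Tuple

# Policy thresholds: assumptions for this example, not workshop figures.
MIN_PREFIX = 16        # reject networks broader than a /16
MAX_PORT_SPAN = 1024   # reject port ranges wider than this

# Constructed sample list. Addresses are RFC 5737 documentation ranges and
# the host roles and ports are hypothetical placeholders.
SAMPLE_LIST = """\
# network            tcp-ports        note
192.0.2.10/32        2119             # hypothetical gatekeeper, site A
192.0.2.0/28         40000-40100      # hypothetical callback range, site A
198.51.100.5/32      2811             # hypothetical GridFTP server, site B
203.0.113.0/24       50000-50050      # hypothetical cluster, site C
10.0.0.0/8           1-65535          # far too broad: must be rejected
"""

Entry = Tuple[ipaddress.IPv4Network, int, int]   # (source network, low port, high port)
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,5})(?:-(\d{1,5}))?\s*(?:#.*)?$")


def parse_trusted_list(text: str, min_prefix: int = MIN_PREFIX,
                       max_port_span: int = MAX_PORT_SPAN
                       ) -> Tuple[List[Entry], List[Tuple[str, str]]]:
    """Return (accepted entries, rejected (line, reason) pairs)."""
    accepted: List[Entry] = []
    rejected: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((line, "unparseable line"))
            continue
        try:
            # strict=True rejects host bits set under the mask, e.g. 192.0.2.10/28
            net = ipaddress.IPv4Network(m.group(1), strict=True)
        except ValueError as exc:
            rejected.append((line, f"bad network: {exc}"))
            continue
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 1 <= lo <= hi <= 65535:
            rejected.append((line, "bad port range"))
        elif net.prefixlen < min_prefix:
            rejected.append((line, f"prefix /{net.prefixlen} broader than /{min_prefix}"))
        elif hi - lo + 1 > max_port_span:
            rejected.append((line, f"port span {hi - lo + 1} exceeds {max_port_span}"))
        else:
            accepted.append((net, lo, hi))
    return accepted, rejected


def permitted(entries: List[Entry], src_ip: str, dport: int) -> bool:
    """Would a new inbound TCP connection from src_ip to dport be accepted?"""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in net and lo <= dport <= hi for net, lo, hi in entries)


def render_iptables(entries: List[Entry], chain: str = "GRID-IN") -> List[str]:
    """Render the list as an iptables chain for a Grid resource's host firewall."""
    rules = [
        f"iptables -N {chain}",
        # Replies to connections this host opened are allowed before the jump.
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Every new inbound TCP connection is judged by the trusted-host chain.
        f"iptables -A INPUT -p tcp --syn -j {chain}",
    ]
    for net, lo, hi in entries:
        ports = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"iptables -A {chain} -p tcp -s {net} --dport {ports} -j ACCEPT")
    # Default deny: anything not on the list is logged and dropped.
    rules.append(f'iptables -A {chain} -j LOG --log-prefix "{chain} drop: "')
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    ok, bad = parse_trusted_list(SAMPLE_LIST)
    for line, reason in bad:
        print(f"REJECTED ({reason}): {line}")
    print("\n".join(render_iptables(ok)))
```

On a dedicated gatekeeper system of the kind the closing discussion asked about, this chain can be the whole inbound TCP policy; on a shared host, the site's own management rules (SSH from the admin network, for instance) have to be inserted before the jump or they will be dropped too. The validation step is where the "not scalable" caveat bites: every change at any site means a new list, a fresh check and a redistribution to every other site, which is what the dynamic and hybrid options were meant to avoid.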