Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Firewalls and the Campus Grid: an Overview Bruce Beckles

advertisement 
Firewalls and
the Campus Grid:
an Overview
Bruce Beckles
University of Cambridge Computing Service
Overview
• Understanding firewalls:
– Purpose of firewalls
– Dealing with firewall administrators
– Firewall issues (for grids)
• Firewalls and the Campus Grid:
–
–
–
–
Designing Campus Grid appropriately
Typical firewall deployments
Effects on the Campus Grid
Mitigating these effects
Understanding firewalls (1)
• Why does my institution, division, etc. have
one or more firewalls?
– Understanding the reasons for your institution /
divisions are crucial to making your Campus Grid
work
– It is not there just to make your life difficult!
– If you think it is: adjust your attitude or the whole
project is probably doomed, and will certainly be
very painful for all concerned
– Talk to your firewall administrator(s), IT security
team and network administrator(s) and ask them:
• They may have forgotten, in which case it is probably
time for it to be reviewed anyway…
Understanding firewalls (2)
• Purpose of firewalls:
– To protect networked machines (“assets”)
…from particular kinds of danger (“threats”)
– Prevent unwanted traffic (e.g. stopping
users accessing prohibited sites)
– Monitor network traffic
– Control network flows:
• Ensure Quality of Service (QoS)
• Provide network “choke points”
• Segregate the network
Dealing with firewall
administrators
• Determine your firewall administrator’s threatasset model:
– How does the Campus Grid relate to this model?
– Will the Campus Grid “break” this model? (Probably!)
– If so, adopt a collaborative approach: what can we do to
address this? How should I design my Campus Grid to satisfy
your (entirely legitimate) security and network concerns?
• Consider the firewall to be part of your
infrastructure:
– …So it is in your interest that it is properly maintained
– Is it adequate for the job? Perhaps it need upgrading…?
– Consider spending some of your infrastructure budget for the
Campus Grid on it
Firewall issues
• Problems firewalls cause for grids:
– Communication problems – may prevent:
• Bi-directional traffic (e.g. outgoing connections only)
• Particular network protocols (e.g. UDP)
• Traffic from particular places (e.g. from outside the
institution; from the DMZ, particular divisions, etc.)
• Traffic to particular places (e.g. to machines in the
institution deemed particularly vulnerable)
• Use of certain port ranges (e.g. blocking all ports except
those used by certain applications)
– Restrict network bandwidth:
• By design to ensure other users of the network have
adequate bandwidth (QoS, etc)
• As a consequence of being unable to cope with the
volumes of traffic generated by grids
Designing for firewalls
• Basic rule of thumb:
“Work with the firewall, not against it”
• Andrew will talk more about this in
the next talk
Typical Firewall Deployments
• Institutional firewall:
– Around perimeter of institution
– May have a de-militarised zone (DMZ)
– Protect the institution from the world, but not from
itself
• Divisional firewalls:
– Around the perimeter of divisions (departments,
research groups, etc.) within the institution
– Protect the divisions from each other as well as from
the rest of the world
– (May also have their own DMZs)
• No firewall:
– IT security staff use other methods to protect the
institution (e.g. enforced security policies)
Effects on Campus Grid
• Institutional firewall:
– No problem on the Campus Grid itself
– May be problems with external access
• Divisional firewalls:
– Major problems for the Campus Grid unless no part of
it crosses a divisional firewall boundary
– …but even then there still may be problems with access
across the divisional firewalls
• No firewall:
– No problem but take extra care to ensure security of
Campus Grid
– Do not deploy a firewall just to secure the Campus Grid
if local IT staff do not have firewall experience!
Institutional firewalls
• Design your Campus Grid to be contained by
the firewall
• Provide external access, if any, via a small
number of “gateway” machines (ideally one)
using as restrictive a range of ports and
protocols as possible
– Consider tunnelling external grid jobs through the
firewall to the gateway
• Secure these gateways:
–
–
–
–
Make them as secure as you possibly can
Use strong authentication for external users
…and their machines as well (if you can)
Audit regularly!
Divisional firewalls
• Design your Campus Grid to be cross as few
divisional firewall boundaries as possible
• Where it crosses divisional firewalls, consider:
– Tunnelling internal Campus Grid traffic through
these firewalls
– Using Virtual LANs (VLANs)
– Centralising job submission: then only have to get
traffic from a small number of machines (perhaps
only one) across the firewall boundaries
– Use a gateway strategy between divisions analogous
to that described for institutional firewalls
• Review security implications with all the firewall
administrators and with IT security staff
No firewall
• No protection available from any firewalls
so must make absolutely certain that
individual nodes of the Campus Grid are
as secure as possible:
– Individual nodes must be able to identify both
where grid traffic actually originates and the
user to which the traffic is related and be
assured that such identification is correct
– See my later talk on local security issues
• But don’t deploy a firewall to “protect”
the Campus Grid unless your IT staff can
support it!
Questions?
Related documents
Guide to Firewalls and Network Security
Guide to Firewalls and Network Security
How Do I Look Up Room Capacity & Details
How Do I Look Up Room Capacity & Details
Palo Alto Networks offers a full line of purpose
Palo Alto Networks offers a full line of purpose
WS#5solution - WordPress.com
WS#5solution - WordPress.com
Download
advertisement