UK Grid Firewall Workshop
Oxford University e-Science Centre
David Boyd, Matthew Dovey, Jon Hillier, Paul Jeffreys
http://e-science.ox.ac.uk/
paul.jeffreys@oucs.ox.ac.uk
PWJ/DB, Fireworks, 5 Nov. 2002

Workshop Agenda
• 10.00 Coffee
• 10.30 Welcome – Malcolm Atkinson
• 10.40 Background and meeting context – Paul Jeffreys
• 11.00 Introduction to the part of GLOBUS relating to use of firewalls – Andrew McNab
• 11.30 Introduction to Web Services as they relate to use of firewalls – Matthew Dovey
• 12.00 Review of answers to Firewall questionnaire – Jon Hillier
• 12.20 Overview of Possible Solutions – Jon Hillier, Matthew Dovey, Andrew Richards
• 13.00 Lunch / Demonstration of possible firewall solutions – Jon Hillier
• 14.00 Break-out discussions to plan implementation
• 15.10 Report back from break-out sessions
• 15.45 Conclusions and way ahead – David Boyd
• 16.00 Finish and tea

Welcome!
• Thank you very much for making the time to come
• We hope this will be a useful forum
• Documentation circulated:
  – The use of firewalls in the U.K. e-Science grid: ETF Level 2 and beyond (Jon Hillier)
  – Rough Guide to Grid Security (Mike Surridge)
  – Globus Toolkit Firewall Port Selection (Andrew Richards, Rob Allan, Daniel Hanlon)
  – Question sheet for Break Out sessions this afternoon

Background
• Following the meeting held on 1 May 2002, ‘Making the Grid Work in a Computing Services Environment’, a series of workshops is planned to address specific issues; http://www.nesc.ac.uk
  1. Firewall
  2. Managing Access to Resources on the Grid; December 4
• “The aim of this workshop is to enable the technical support community and e-Science/Grid community to exchange ideas and networking/firewall information, with the intention of producing a coherent set of recommendations for firewall configuration and maintenance for the U.K. Level 2 Grid”
• We would like to thank the many people who have been active in this area for some time and made this workshop possible:
  – Baker, Ong, Smith, McNab, Booth, Pickles, Richards, Allan, Hanlon
  – Newhouse, …

Aims for the Workshop
• “The aim is not towards a prescriptive firewall solution, but to appraise a set of possible solutions, in order that attendees will be in a position at the end of the workshop to leave with the best possible information and understanding in order to deploy the Level 2 Grid in their own academic environments.”
• We have attempted to:
  – Bring together experts from the Computer Service side and the e-Science side
  – Offer an educational forum for the community, which will
    • Consider good and bad Firewall practice
  – Do some homework to collect a set of options to present to the workshop
  – Collect documentation, identifying previous work
  – Focus on Level 2 Grid and Globus 2, but recognising that some Centres are already running web services
  – Consider also Firewalls to be used with Web Services and Globus 3
  – But not straying too far into the future at this stage
    • (Terms will be explained!)

Output from Workshop
• Hope that everyone will go away better informed:
  – e-Science background
  – Good and bad Firewall practices
  – Challenges, particularly for Level 2 Grid implementation
  – Possible Firewall solutions, focused on Level 2 and the near future
    • Result of Firewall questionnaire
  – Demonstrations given
• Chance to discuss requirements in Break Out groups
  – Consider and debate possibilities and best practices
  – Decide whether there is a viable solution for your local installation
    • For Level 2 and the relatively near term
  – Learn from others, share expertise
• Collect findings:
  – Hope that everyone will be able to see a way to implement the security required for the L2 Grid
  – Compromises needed!
  – Different long term solutions …

Deliverables from Workshop
• Report/input to Security Task Force, 5/6 December
• Definition of requests to be made to the e-Science directorate for central provision:
  – Managed secure site database to store IP addresses for ‘clique Grid’?
    • Maintenance with Grid site web pages fed by a GSI-based web service
    • Planned with the future in mind??
  – UK-wide multi-institutional e-Science VPN host (until per-institutional VPNs are in place)?
  – Other?
• Recommendation on best firewall practice and use of subnets/Grid domains?
• Formation of technical groups to pursue specific areas

Moving Target…
• This workshop has an intentionally relatively close horizon:
  – Primarily focused on how to provide security for the Level 2 Grid
  – … with half an eye on Web Services and Globus 3
• It may be that under certain test conditions we need to develop relaxed procedures if Firewall products obstruct function or performance
  – Perhaps with more manual intervention?
  – If we believe this will be the case we should report it…
• The longer term practices will almost certainly be different
  – Stronger security policies built into the software
  – Will certainly need to revisit this
• A Road Map needs to be developed: for long term proper security without obstruction, which is scalable and performant
  – But we have to arrive at a solution for Level 2 now…

Firewall Questionnaire
• Set of questions sent out
  – Problem outlines and solutions presented, based in part upon previous work performed by members of the Engineering Task Force [Baker, Ong, Smith]
    • References listed
  – Focused on Level 2
• Questions about local implementation
• Questions about possible Firewall configuration
• Interpretation of replies
  – Possible solutions in the context of Level 2
  – Recommendations for discussion

Membership of Break Out Groups
• Split alphabetically, but please avoid more than one person per institution in each group
  • Malcolm Atkinson – Surnames A-F – Newhaven (ground floor)
  • Chris Cartledge – Surnames G-L – Swanston
  • Chris Cooper – Surnames M-R – Cramond
  • Robin Tasker – Surnames S-Z – ‘Break out area’
• Each group should elect a secretary to report back to the final session (5-10 minutes)
  – Please submit this feedback to the organisers electronically later
• David Boyd, Matthew Dovey, Jon Hillier and PWJ will rove!

Break-out Session (1)
• The break out groups should discuss the suitability and applicability of the various solutions discussed during the morning, namely:
  – “Clique Grid”
  – Trust based
  – Dynamic Firewall
  – VPN (IPSec) Tunnelling
  – The groups may also consider alternative or hybrid solutions
• For each solution please address the following questions:
  – Set of questions about the possible solution ‘in principle’:
    • Does the solution offer the required security for the Grid projects?
      – General “open question”, meant to focus on the relatively near term
    • Are there inherent security weaknesses of the solution which would make it less suitable (relative statement)?
    • How effective would the solution be for a Level 2 Grid?
    • Is the solution scalable beyond a Level 2 Grid?
      – Probably need to limit this to the next year

Break-out Session (2)
    • Would the solution still be valid in protecting a Grid based on GridServices or WebServices?
      – Open question to encourage debate; focus over the next year
    • Would the solution still be required for a Grid based on GridServices or WebServices?
  – Set of questions addressing “best Firewall practice” in your institutions:
    • Are there technical problems with the solution which would affect its use in Grid projects?
    • Are there technical problems with the solution which would affect its adoption at an institution?
    • Is the solution consistent with current security policies in place at institutions or in the Grid project?
    • Will the solution remain consistent with future security policies?
• Additional question, if time:
  – Discuss Grid domain / sub-network best practice (Surridge)

Final Thoughts
• David, Matthew, Jon and I have tried to get the balance of the workshop as good as possible
• We encourage everyone to contribute and make it a productive exercise
• As we go through the day, you are very welcome to offer advice on how we could improve matters, especially with respect to the next workshop on December 4