A “Dynamic” Firewall
Jon Hillier
Oxford University / eScience Centre

Why?
• Globus port usage
• Site-wide firewall too lax
• Static firewall with a fixed list of rules too unwieldy in a large Grid
• Certificates are the only method of authentication

How?
• Single gatekeeper port (2119/tcp) open to all on the gatekeeper machine
• Daemon watches the standard Globus log file
• Success of an incoming Globus “ping” is shown in the log file
• Originator’s IP address is also shown in the log file

How? (2)
• If the “ping” is successful, the daemon adds the relevant rules to the firewall (iptables or ipchains)
• “ping” success depends on the validity of the certificate and the ability of the user to actually access the gatekeeper
• After a sysadmin-specified time the firewall rules time out and access is once again denied

Pros
• Easy to install – requires no modification of Globus
• Uses certificates as the method of authentication
• Allows access from any IP address
• Times out, so that IP addresses aren’t permanently allowed access
• Permits any changes to the firewall, on top of the current firewall settings

Cons
• Software firewall needs to run on the gatekeeper – slowing the system
• Remote changes to any firewall are not popular
• Ideally would use a program such as IPFilter, which has better table controls
• Firewall at the remote institution must be amenable to Globus connections (this may be part of the demonstration!)

Conclusions
• Good proof of concept
• Dynamic control of ports in a Globus 2-based environment is useful
• Slow network bandwidth and root changes to security-critical services are not desirable
• Possibly viable on an emergency “backup” gatekeeper for unforeseen remote access
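The two “How?” slides describe a small state machine: watch the gatekeeper log, grant the originating IP a firewall rule when its certificate-backed “ping” succeeds, and revoke that rule after a sysadmin-chosen timeout. The sketch below is an added illustration of that daemon, not code from the talk or from Globus. The log line format, the `GRAM ping from … status=…` field layout, and the sample lines are constructed assumptions (the real Globus gatekeeper log differs); only the iptables path is shown (no ipchains), and the rules are generated in dry-run mode so the logic can be exercised without root. One detail the slides leave implicit is shown explicitly: the IP taken from the log is validated with `ipaddress` before it is ever placed in an iptables argument list, so a malformed or hostile log field cannot turn into an unintended rule or shell argument.

```python
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# CONSTRUCTED log format (an assumption, not the real Globus gatekeeper format):
#   "<date> <time> GRAM ping from <ip> status=<success|failure> ..."
PING_RE = re.compile(r"GRAM ping from (?P<ip>\S+) status=(?P<status>\w+)")

GATEKEEPER_PORT = 2119  # the one port that stays open permanently (slide "How?")


def parse_ping(line: str) -> Optional[str]:
    """Return the originating IP if the line records a successful ping, else None.

    The address is round-tripped through ipaddress so that only a well-formed
    IPv4/IPv6 literal can ever reach the firewall command.
    """
    m = PING_RE.search(line)
    if not m or m.group("status") != "success":
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:  # garbage in the log field: refuse rather than guess
        return None


class DynamicAllowList:
    """IPs granted temporary access, plus the firewall commands that were issued."""

    def __init__(self, ttl_seconds: int, dry_run: bool = True):
        self.ttl = ttl_seconds          # the sysadmin-specified timeout
        self.dry_run = dry_run
        self.expiry: Dict[str, float] = {}
        self.issued: List[List[str]] = []   # every command, for audit / testing

    def _firewall(self, action: str, ip: str) -> List[str]:
        # Accept TCP from this source on top of whatever static rules exist.
        binary = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmd = [binary, action, "INPUT", "-s", ip, "-p", "tcp", "-j", "ACCEPT"]
        self.issued.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)   # argv list: no shell, no quoting issues
        return cmd

    def grant(self, ip: str, now: float) -> bool:
        """Add an ACCEPT rule for ip (once) and (re)start its timer.

        Returns True when a new rule was inserted, False when only refreshed.
        """
        fresh = ip not in self.expiry
        self.expiry[ip] = now + self.ttl
        if fresh:
            self._firewall("-I", ip)
        return fresh

    def sweep(self, now: float) -> List[str]:
        """Delete rules whose timer has elapsed; returns the revoked IPs."""
        expired = [ip for ip, until in self.expiry.items() if until <= now]
        for ip in expired:
            self._firewall("-D", ip)
            del self.expiry[ip]
        return expired

    def active(self) -> List[str]:
        return sorted(self.expiry)


def process_log(lines, allow: DynamicAllowList, now: float) -> List[str]:
    """Feed log lines to the allow-list; returns IPs that received a new rule."""
    granted = []
    for line in lines:
        ip = parse_ping(line)
        if ip and allow.grant(ip, now):
            granted.append(ip)
    return granted


# CONSTRUCTED sample log: one good ping, one failed ping, a repeat, a malformed
# address field, and an IPv6 originator.
SAMPLE_LOG = [
    "2003-05-01 12:00:03 GRAM ping from 192.0.2.10 status=success dn=/O=Grid/CN=alice",
    "2003-05-01 12:00:09 GRAM ping from 198.51.100.7 status=failure reason=unknown_dn",
    "2003-05-01 12:00:20 GRAM ping from 192.0.2.10 status=success dn=/O=Grid/CN=alice",
    "2003-05-01 12:00:31 GRAM ping from 10.0.0.1;reboot status=success dn=/O=Grid/CN=eve",
    "2003-05-01 12:00:45 GRAM ping from 2001:db8::1 status=success dn=/O=Grid/CN=bob",
]

if __name__ == "__main__":
    allow = DynamicAllowList(ttl_seconds=600)
    print("granted:", process_log(SAMPLE_LOG, allow, now=1000.0))
    print("revoked at t=1700:", allow.sweep(now=1700.0))
    for cmd in allow.issued:
        print(" ".join(cmd))
```

In production the `now` argument would come from `time.time()` and `sweep()` would run from a periodic timer; keeping the clock injectable is what makes the timeout behaviour testable. Running with `dry_run=False` is what the talk’s “root changes to security-critical services” caveat is about: every rule this daemon inserts is a live change to the gatekeeper’s packet filter, so the audit trail in `issued` matters.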