A “Dynamic” Firewall Jon Hillier Oxford University/ eScience Centre

Why?
• Globus Port Usage
• Site-wide Firewall too lax
• Static firewall with a fixed list of rules is too unwieldy in a large Grid
• Certificate-only method of authentication
How?
• Single gatekeeper port (2119/tcp) open to all on the gatekeeper machine
• Daemon watches the standard Globus log file
• Success of an incoming Globus “ping” is shown in the log file
• Originator’s IP address is also shown in the log file
How? 2
• If the “ping” is successful, the daemon adds the relevant rules to the firewall (IPTables or IPchains)
• “ping” success depends on the validity of the certificate and the ability of the user to actually access the gatekeeper
• After a sys-admin specified time the firewall rules time out and access is once again denied
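The log-watching loop described on these two slides, as an added illustration that is not the author's daemon: the log line format, the chain name GLOBUS and the timestamps are constructed assumptions, the iptables commands are collected rather than executed, and every successful ping refreshes the host's timer so the sys-admin specified timeout is measured from the last successful ping.

```python
import re

# Constructed log format (an assumption, not the real globus-gatekeeper log):
# "<epoch> <client-ip> ping <ok|fail>", one event per line.
LINE_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) ping (ok|fail)$")

SAMPLE_LOG = """1000 192.0.2.10 ping ok
1005 198.51.100.7 ping fail
1010 192.0.2.10 ping ok
1020 203.0.113.5 ping ok""".splitlines()


class DynamicFirewall:
    # ttl is the sys-admin specified lifetime (seconds) of a rule; chain is a
    # dedicated iptables chain so the daemon never touches the site's own rules.
    def __init__(self, ttl, chain="GLOBUS"):
        self.ttl, self.chain = ttl, chain
        self.expires = {}    # client ip -> epoch at which its rule is removed
        self.commands = []   # iptables commands the daemon would hand to subprocess

    def process_line(self, line):
        m = LINE_RE.match(line)
        if not m:
            return            # not a ping event, ignore
        ts, ip, result = int(m.group(1)), m.group(2), m.group(3)
        self.expire(ts)       # reap stale rules before handling this event
        if result != "ok":
            return            # failed ping: certificate/authorisation rejected, no rule
        if ip not in self.expires:
            self.commands.append(f"iptables -A {self.chain} -s {ip} -j ACCEPT")
        self.expires[ip] = ts + self.ttl   # every successful ping refreshes the timer

    def expire(self, now):
        stale = [ip for ip, t in self.expires.items() if t <= now]
        for ip in stale:
            del self.expires[ip]
            self.commands.append(f"iptables -D {self.chain} -s {ip} -j ACCEPT")
        return stale

    def allowed(self):
        return sorted(self.expires)


def run(lines, ttl=30, now=None):
    fw = DynamicFirewall(ttl)
    for line in lines:
        fw.process_line(line)
    if now is not None:
        fw.expire(now)        # a real daemon would also reap on a timer
    return fw
```

With the sample log and a 30-second ttl, 192.0.2.10 is refreshed at 1010 and dropped once the clock passes 1040, while the failed ping from 198.51.100.7 never produces a rule.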
Pros
• Easy to install – requires no modification of Globus
• Uses certificates as the method of authentication
• Allows access from any IP address
• Times out so that IP addresses aren’t permanently allowed access
• Permits any changes to the firewall, on top of current firewall settings
Cons
• Software firewall needs to run on the gatekeeper – slowing the system
• Remote changes to any firewall are not popular
• Ideally would use a program such as IPFilter, which has better table controls
• Firewall at the remote institution must be amenable to Globus connections (this may be part of the demonstration!)
Conclusions
• Good proof of concept
• Dynamic control of ports in a Globus 2-based environment is useful
• Slow network bandwidth and root changes to security-critical services are not desirable
• Possibly viable on an emergency “backup” gatekeeper for unforeseen remote access