
Dynamic Connectivity Service


Presentation Transcript


  1. Dynamic Connectivity Service Oscar Koeroo JRA3

  2. Content
  • What's the problem?
  • What do we need?
  • How do we want to solve it?
  • Our prototype, and how does it work

  3. What's the problem?
  • Most to all WNs (in LCG-2) can make outbound connections to almost any machine on the Internet
  • No firewalls that limit a user
  • A few possibilities are:
    • WN publicly addressable
    • Inbound is prohibited and outbound is still free to use
      • NAT box
      • Firewall rules
    • WNs are locked up for any Internet traffic
  • VOs request the ability for their users to connect to their own servers:
    • Pulling VO-specific data onto a WN
      • Packages
      • Data
    • Pushing results on to VO-specific machines
    • Interactive use
    • Database access
  • This means that every (rogue) user can do harmful things like:
    • Launch a DDoS: Grid jobs can aid or start a DDoS on a (web-)server
    • Share warez: compromised machines can serve as warez servers
    • Make a pass-through for worms and viruses

  4. What we need...
  • Network containment
  • We need to keep a user primarily in the fabric
  • If users have a connectivity wish, they can request it at the resource centre concerned
  • RCs need to be in full control of their (network) domain

  5. How do we want to solve it
  • Lock up a site tight
  • Let the Grid services be connectable and let them connect to others
    • Grid services mutually authenticate themselves to other services with some kind of access control, so they can be regarded as safe(r) connections
  • For the WNs and the jobs:
    • No (direct) inbound connectivity
      • Achieved by setting up a router, NAT box or firewall (or some combination) prohibiting these connections
    • No outbound connectivity
      • The router, NAT box or firewall (or a combination) prohibits these connections
    • Only when needed, open up a port to make a (controlled) connection available

  6. How does it work: Use Case #1
  [Diagram: a WN running a job inside the site/fabric, a firewall between the site and the Internet, and the WS (service); the steps below are numbered 1, 2, 3 in the diagram. Outbound connectivity possible.]
  • The WN running a job requests connectivity to the WS, giving:
    • Port number
    • IP
    • TCP / UDP
    • Inbound / Outbound
  • AuthN: user to service
  • AuthZ: user and request
  • Open port on a firewall
  • Keeping track of opened ports

  7. How does it work: Use Case #2
  [Diagram: a user at some Internet location, a firewall in front of the site/fabric, a firewalled machine inside the site, and the WS (service); the steps below are numbered 1, 2, 3 in the diagram. Inbound connectivity possible.]
  • The user requests connectivity to the WS, giving:
    • Port number
    • IP
    • TCP / UDP
    • Inbound / Outbound
  • AuthN: user to service
  • AuthZ: user and request
  • Open port on a firewall
  • Keeping track of opened ports

  8. How to deploy? With NAT
  [Diagram: WNs on private ip-addresses 10.1.x.x with standard gateway 10.1.0.1; the Dynamic Connectivity Service runs on the NAT box, eth0: 10.1.0.1 (private ip), eth1: 192.16.186.x (public ip), connected to the core router.]
  • On request of the user to the DCS:
    • Requested destination: ip-addr A, portNo X
    • Source is the ip-addr of the WN
    • On behalf of the user's proxy
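The request path of slides 5 to 8, as an added example that is not part of the original presentation or of the prototype: a job on a private WN asks the DCS for an outbound pinhole to destination A, port X; the service checks the request against a per-VO policy (the AuthZ step the prototype does not yet have), emits the iptables rule for a default-deny FORWARD chain on the NAT box, and records the grant so it can be revoked later. The VO name, the policy contents, and the assumption that the user's proxy carries the VO are constructed.

```python
# Added example (not the DCS prototype's own code): the NAT-box request path of
# slide 8, adding the AuthZ step the prototype lacks and a ledger of opened ports.
import ipaddress
from dataclasses import dataclass
WN_NET = ipaddress.ip_network("10.1.0.0/16")  # private WN range (slide 8)
WN_IF, PUBLIC_IF = "eth0", "eth1"              # NAT box interfaces (slide 8)
POLICY = {"vo-example": {"dests": [ipaddress.ip_network("192.0.2.0/24")],  # constructed
                         "ports": {80, 443, 5432}, "protos": {"tcp"}}}      # per-VO policy
OPEN = set()  # ledger of granted pinholes: "keeping track of opened ports"

@dataclass(frozen=True)
class Request:
    source: str     # requesting WN (the job's host)
    dest: str       # ip-addr A
    port: int       # portNo X
    proto: str      # "tcp" or "udp"
    direction: str  # "outbound" or "inbound"
    vo: str         # VO taken from the user's proxy (assumed attribute)

def authorize(req):
    """AuthZ user & request: syntax checks first, then the VO's policy."""
    try:
        src, dst = ipaddress.ip_address(req.source), ipaddress.ip_address(req.dest)
    except ValueError:
        return False, "malformed address"
    if src not in WN_NET or req.direction != "outbound":
        return False, "only outbound requests from a WN are accepted"  # slide 5
    if not 1 <= req.port <= 65535 or req.proto not in ("tcp", "udp"):
        return False, "bad port or protocol"
    pol = POLICY.get(req.vo)
    if (pol is None or not any(dst in n for n in pol["dests"])
            or req.port not in pol["ports"] or req.proto not in pol["protos"]):
        return False, "destination/port not permitted for this VO"
    return True, "ok"

def rule(req, action):
    """iptables command opening (-I) or closing (-D) the pinhole on a default-deny FORWARD chain."""
    return (f"iptables {action} FORWARD -i {WN_IF} -o {PUBLIC_IF} -s {req.source} "
            f"-d {req.dest} -p {req.proto} --dport {req.port} -m conntrack --ctstate NEW -j ACCEPT")

def open_port(req):
    ok, why = authorize(req)
    if not ok:
        raise PermissionError(why)
    OPEN.add(req)  # record the grant so it can be revoked
    return rule(req, "-I")

def close_port(req):
    OPEN.remove(req)  # KeyError: nothing to close that was never granted
    return rule(req, "-D")
```

Return traffic for an opened pinhole is assumed to be accepted by a static ESTABLISHED,RELATED rule on the NAT box; the per-request rule only admits the first packet of the new flow.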

  9. How to deploy? With routers #1
  [Diagram: WNs on public ip-addresses 192.16.186.x with standard gateway 192.16.186.102; the Dynamic Connectivity Service runs on the Level3 Bridge, eth0: 192.16.186.102, eth1: 192.16.187.101, connected to the core router.]
  • On request of the user to the DCS:
    • Requested destination: ip-addr A, portNo X
    • Source is the ip-addr of the WN
    • On behalf of the user's proxy

  10. How to deploy? With routers #2
  [Diagram: same addressing as slide 9 (WNs on 192.16.186.x, standard gateway 192.16.186.102; DCS on the Level3 Bridge with eth0: 192.16.186.102 and eth1: 192.16.187.101, connected to the core router).]
  • On request of the user to the DCS:
    • Requested destination: ip-addr A, portNo X
    • Source is the ip-addr of the WN
    • On behalf of the user's proxy

  11. Present & Future
  • Current prototype implementation (Feb 2005):
    • Design finished
    • No AuthN and AuthZ security elements
    • Only port-number requests
    • Currently supported setup: NAT box with IPTables in different configurations
  • Future:
    • AuthN & AuthZ
    • Fine- and coarse-grained connectivity policy description
    • Connectivity can be requested on DNS
    • Support for other setups:
      • Telnet/SNMP-controlled routers
      • Different firewalls
      • Different IPTables setups, configurable
    • Scalability tests
