
Firewalls, Networking and Monitoring Rolly Gilmour






Presentation Transcript


  1. Firewalls, Networking and Monitoring - Rolly Gilmour
  Object: to discuss issues relating to the operation of the Grid and Grid middleware in a campus network environment

  2. What is a firewall
  • Router with ACLs providing port/address filters
  • Commodity system (e.g. PC) running open-source or commercial firewall code
  • Custom appliance
  • Features may range from:
    • ACLs providing IP port and address filters
    • Stateful inspection - monitoring and controlling discrete flows
    • Application aware, e.g. H.323
  • Firewalls - a fact of life for many Institutions

  3. Firewalls - Grid Requirements
  • Need to open access for certain ports:
    • gatekeeper - 2119
    • GRIS/GIIS - 2135
    • GridFTP - 2811
    • GSI enabled SSH - 22
    • Plus the port range defined by GLOBUS_TCP_PORT_RANGE
  • These requirements relate specifically to Globus
  • Access Grid Node and other apps will impose additional requirements

  4. Firewalls - Operational Constraints
  • Institutional security policy
  • Political considerations
  • Firewall performance
    • Filtering and forwarding capabilities
    • Throughput
    • Number of flows supported
    • Effect on performance of adding additional rulesets
  • Knowledge of Grid applications and their behavior
    • Effect on site security
    • Effect on firewall performance/stability
  • Opening a port range is considered bad practice
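The following is an added example, not part of the presentation, showing how the port list from slide 3 and the "opening a port range is bad practice" constraint from slide 4 translate into an actual filter. It parses a GLOBUS_TCP_PORT_RANGE value (assumed to be in the "min,max" form Globus uses), rejects a range wider than a constructed site limit, and generates stateful iptables rules that allow only named Grid peer subnets to reach the Globus ports on a Grid host, with a default deny behind them. The peer subnet, host address and range values are constructed sample data.

```python
import ipaddress

# Well-known Globus service ports from the slide.
GLOBUS_SERVICES = {
    "gatekeeper": 2119,
    "gris_giis": 2135,
    "gridftp": 2811,
    "gsi_ssh": 22,
}

# Site policy (constructed): a data-channel range is tolerated only if it
# is bounded and small, since opening a wide range is bad practice.
MAX_RANGE_WIDTH = 1000


def parse_port_range(value):
    """Parse a GLOBUS_TCP_PORT_RANGE value in the "min,max" form Globus uses.

    Returns (low, high). Raises ValueError if the value is malformed, falls
    outside the unprivileged port range, or is wider than MAX_RANGE_WIDTH.
    """
    try:
        low_s, high_s = value.split(",")
        low, high = int(low_s), int(high_s)
    except ValueError:
        raise ValueError(f"expected 'min,max', got {value!r}")
    if not (1024 <= low <= high <= 65535):
        raise ValueError(f"range {low}-{high} must lie within 1024-65535")
    if high - low + 1 > MAX_RANGE_WIDTH:
        raise ValueError(f"range {low}-{high} is wider than {MAX_RANGE_WIDTH} ports")
    return low, high


def build_rules(peer_subnets, port_range, grid_host):
    """Return iptables rules restricting the Globus ports on grid_host to
    the listed peer subnets, ending with a default deny for that host.

    Stateful: replies to established flows are accepted first, so only new
    inbound connections are subject to the port/address filters below.
    """
    low, high = port_range
    rules = [
        f"-A INPUT -d {grid_host} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    ]
    for subnet in peer_subnets:
        net = ipaddress.ip_network(subnet, strict=True)  # rejects malformed CIDRs
        for name, port in sorted(GLOBUS_SERVICES.items()):
            rules.append(
                f"-A INPUT -p tcp -s {net} -d {grid_host} --dport {port} "
                f"-m conntrack --ctstate NEW -m comment --comment {name} -j ACCEPT"
            )
        # The data-channel range is opened only to the same known peers.
        rules.append(
            f"-A INPUT -p tcp -s {net} -d {grid_host} --dport {low}:{high} "
            f"-m conntrack --ctstate NEW -m comment --comment globus_tcp_port_range -j ACCEPT"
        )
    rules.append(f"-A INPUT -d {grid_host} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample values: one peer site and a 101-port data range.
    rng = parse_port_range("40000,40100")
    for rule in build_rules(["192.168.10.0/24"], rng, "10.0.0.5"):
        print(rule)
```

The rules are emitted as strings so a site can feed them to iptables or translate them into its router's ACL syntax; the point is that the range is never opened to the world, and that a wide or malformed range is refused before any rule is produced.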

  5. Firewalls - Possible Solutions
  • Better understanding and confidence:
    • Grid applications and behavior
    • Grid middleware security
    • Globus security audit
  • Bypass firewalls
    • Parallel universe
  • Grid application proxies
  • Grid application aware firewalls (proxies)
  • Standardize Globus port range
    • IANA assigned
    • If not, then agreement at UK level
  • Consider multiple site firewalls rather than a single institutional firewall

  6. Firewalls - Recommendations
  • Improve dialogue between Grid community and CS departments
  • Improve CS departments' knowledge and understanding of Grid applications and middleware
  • Improve Grid community's understanding of CS departments' responsibilities, priorities and available resources
  • Request IANA assigned port range for Grid applications
  • Attempt to produce best practice guide for different scenarios
    • Single institutional firewall
    • Firewall bypass
    • Multiple site firewalls
  • GNT to discuss requirements with CS departments

  7. Networking - Grid Requirements
  • Anticipated demand
    • Massive bandwidth
    • Low latency and jitter
  • Actual demand
    • Not yet known
  • Multicast support for Access Grid Node

  8. Networking - Operational Constraints
  • Institution's current campus network
  • Institution's link to MAN
  • MAN's link to SuperJANET
  • Location of Grid activity
    • Consolidated
    • Dispersed
  • Funding source for Grid resources
    • Specific
    • Shared

  9. Networking - Possible Solutions
  • Better understanding and confidence: Grid applications and behavior
  • Campus LAN upgrades
    • Parallel universe (costly)
    • Overlay on campus LAN
      • VLANs
      • QoS
    • Treat as just another application
      • Add QoS as and when required
  • Upgrade Institution's link to MAN
  • Negotiate private Grid feed to SuperJANET
    • May need special engineering
    • Parallel universe or overlay
    • Routing policies

  10. Networking - Recommendations
  • Improve dialogue between Grid community and CS departments
  • Improve CS departments' knowledge of Grid applications, including multicast, bandwidth and QoS requirements
  • Improve Grid community's understanding of CS departments' responsibilities, priorities and available resources
  • Capacity planning for Institutions' Grid activities
  • Attempt to produce best practice guides for different scenarios
    • Parallel universe
    • Overlay with QoS
    • Just another set of applications
  • GNT to discuss requirements with CS departments and MAN RNOs

  11. Monitoring - Grid Requirements
  • Data Grid monitoring tools
  • End-to-end probes to determine capacity, loss, latency and jitter between source and destination sites
  • Possible uses
    • Validate SLAs' QoS profiles
    • Determine viability of proposed bulk transfers
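An added example, not from the presentation, of what the slide's end-to-end probes produce once the raw results are summarised: loss, mean latency and jitter between two sites, checked against an SLA QoS profile. The probe samples and the profile thresholds are constructed; the jitter figure uses the smoothed interarrival-delay estimator from RFC 3550 section 6.4.1 (J = J + (|D| - J)/16), which is one standard way to express the jitter the slide asks for.

```python
from statistics import mean

# Constructed sample: ten probes between a source and destination site.
# Each entry is the round-trip time in milliseconds, or None for a probe
# that received no reply (counted as loss).
SAMPLE_RTT_MS = [12.0, 12.4, None, 13.1, 11.9, 12.2, None, 30.5, 12.1, 12.3]

# Constructed QoS profile, the kind of limits an SLA would state.
QOS_PROFILE = {"max_loss_pct": 10.0, "max_latency_ms": 20.0, "max_jitter_ms": 5.0}


def summarise(rtts):
    """Return loss %, mean RTT, and RFC 3550-style smoothed jitter.

    Jitter: J = J + (|D| - J) / 16, where D is the change in RTT between
    consecutive answered probes. Lost probes count toward loss and are
    skipped when computing D, so one lost probe does not fake a spike.
    """
    if not rtts:
        raise ValueError("no probes")
    answered = [r for r in rtts if r is not None]
    loss_pct = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    if not answered:
        # Nothing came back: loss is total and the other metrics are undefined.
        return {"loss_pct": loss_pct, "mean_rtt_ms": None, "jitter_ms": None}
    jitter = 0.0
    for prev, cur in zip(answered, answered[1:]):
        d = abs(cur - prev)
        jitter += (d - jitter) / 16.0
    return {"loss_pct": loss_pct, "mean_rtt_ms": mean(answered), "jitter_ms": jitter}


def check_qos(summary, profile):
    """Return the list of profile limits the summary violates (empty means OK).

    A path with no answered probes fails the latency and jitter limits as
    well as loss, since nothing about it can be validated.
    """
    violations = []
    if summary["loss_pct"] > profile["max_loss_pct"]:
        violations.append("loss")
    rtt, jit = summary["mean_rtt_ms"], summary["jitter_ms"]
    if rtt is None or rtt > profile["max_latency_ms"]:
        violations.append("latency")
    if jit is None or jit > profile["max_jitter_ms"]:
        violations.append("jitter")
    return violations


if __name__ == "__main__":
    result = summarise(SAMPLE_RTT_MS)
    print(result)
    print("violations:", check_qos(result, QOS_PROFILE))
```

With the constructed sample, two of ten probes are lost, so the path fails the loss limit even though latency and jitter are within profile; the single 30.5 ms outlier raises the smoothed jitter only modestly, which is the intended effect of the 1/16 gain.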

  12. Monitoring - Operational Constraints
  • Site policy may block probes
  • Too many probes from different Grid activities may cause operational problems
  • Lack of knowledge of local, MAN and SJ topologies may give rise to misleading interpretations
  • Sites may also wish to monitor Grid activity for possible effects on network performance, firewall friendliness and application behavior

  13. Monitoring - Recommendations
  • Improve dialogue between Grid community and CS departments
  • Improve CS departments' knowledge of Grid applications, including multicast, bandwidth and QoS requirements
  • Improve Grid community's understanding of CS departments' responsibilities, priorities and available resources
  • Liaise with CS departments on monitoring requirements
  • Consider asking CS to perform monitoring, or work closely with them
  • Attempt to produce best practice guides for monitoring activities
  • GNT to discuss requirements with CS departments and MAN RNOs
