Submitting Grid jobs through firewalls
TAU: Halina Abramowicz, Itzhak Ben Akiva, David Horn
WI: Ehud Duchovni, David Front, Lorne Levinson, Morton Taragin, Rafi Yaari
www.weizmann.ac.il/~dfront/Submitting Grid jobs through firewalls.ppt
USA-Israel BSF Grid collaboration

Topics
• The issue
• Testing
• Firewalls in the presence of web services
• Firewalls and OGSA
• ‘Grid firewall security service’: teaching firewalls ‘Grid security’

The issue
• Various Grid projects experience difficulties submitting Grid jobs through firewalls:
  • Security managers are not willing to open the (dynamic ranges of) firewall ports required for Grid jobs, in order to prevent compromising local network security
  • Resources at domains that require a secureid to access are not accessible by automated Grid applications
• Our goal: contribute to research that deals with this issue
• Preliminary testing mission:
  • Learn what difficulties are experienced while submitting (VDT) Grid jobs between firewall-guarded sites at multiple Israeli universities
Testing: settings A
[Diagram: Weizmann Institute. DMZ host eio01.weizmann.ac.il runs Globus (GRAM, GridFTP, MDS); host eio03.weizmann.ac.il in the main (secureid) domain runs the Condor-G user; a firewall separates the DMZ from the main domain.]

Testing: settings B
[Diagram: Weizmann Institute DMZ host eio01.weizmann.ac.il runs Globus (GRAM, GridFTP, MDS); a Tel Aviv University DMZ hosts the Condor-G user; each DMZ sits behind its own firewall, with the WI main (secureid) domain behind the WI firewall.]
Testing: results
• Security managers cooperated
• At WI, ports were opened only for testing
• At WI, a permanent Grid-dedicated DMZ cluster is envisioned
• No major difficulties have been experienced
Testing results: used ports (Setting A)

  Operation          Request port   Response port(s)
  Submit Globus job  2119           a range of ports
  Globus MDS         2135           2135
  GridFTP            2811           113 + a range of ports
  Submit Condor job  2119           37774

The range of response ports starts at about 33000 and goes up.
Conclusion: nothing unexpected
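The port profile above is what the client-side firewall (the main domain in Setting A, the TAU firewall in Setting B) has to admit: outbound requests to 2119/2135/2811, plus inbound callbacks on the ident port and on a dynamic range. The following script is an added example, not part of the presentation: it replays a constructed connection log against two candidate policies for that firewall. The "loose" policy is what a security manager is usually asked for (everything from about 33000 up); the "pinned" policy assumes the gatekeeper has been configured to use a declared callback range (Globus exposes this as the GLOBUS_TCP_PORT_RANGE setting; the 40000-40099 range, the host names other than those in the talk and the log entries are constructed) and only accepts callbacks from the known gatekeeper. The comparison shows how many non-Grid inbound connections each policy silently admits.

```python
"""Audit observed connections against two candidate policies for the
client-side firewall, using the port profile measured in the talk's
Setting A test.  Added example; the pinned range, the unrelated hosts and
the log entries are constructed, not measurements from the presentation."""
from dataclasses import dataclass

# Ports measured in the presentation's "Setting A" test.
GRAM_PORT = 2119        # job submission (Globus and Condor-G) to the gatekeeper
MDS_PORT = 2135         # Globus MDS
GRIDFTP_PORT = 2811     # GridFTP control channel
IDENT_PORT = 113        # ident query sent back to the client during GridFTP
RESPONSE_FLOOR = 33000  # callbacks to the client were seen from ~33000 upward

GATEKEEPER = "eio01.weizmann.ac.il"  # DMZ cluster host named in the talk


@dataclass(frozen=True)
class Flow:
    src: str       # host that opened the connection
    dport: int     # destination port
    inbound: bool  # True = connection arriving at the client-side network


@dataclass(frozen=True)
class Policy:
    name: str
    callback_ports: range        # inbound ports accepted for Grid callbacks
    callback_sources: frozenset  # hosts allowed to open callbacks; empty = any


def allowed(flow: Flow, policy: Policy) -> bool:
    """Decide whether one flow passes the client-side firewall."""
    if not flow.inbound:
        # Outbound requests to the three Grid services are permitted.
        return flow.dport in (GRAM_PORT, MDS_PORT, GRIDFTP_PORT)
    if flow.dport == IDENT_PORT:
        return True
    if flow.dport not in policy.callback_ports:
        return False
    return not policy.callback_sources or flow.src in policy.callback_sources


def audit(flows, policy):
    """Return (passed, blocked) lists for a policy."""
    passed = [f for f in flows if allowed(f, policy)]
    blocked = [f for f in flows if not allowed(f, policy)]
    return passed, blocked


# Policy 1: the wide dynamic range a security manager is asked to open today.
LOOSE = Policy("open 33000+", range(RESPONSE_FLOOR, 65536), frozenset())
# Policy 2: gatekeeper pinned to a declared callback range (constructed:
# 40000-40099) and only the known gatekeeper may open callbacks.
PINNED = Policy("pinned range", range(40000, 40100), frozenset({GATEKEEPER}))

# Constructed connection log: the job flow from the talk plus two unrelated
# inbound connections that a Grid-unaware firewall cannot tell apart.
OBSERVED = [
    Flow(src="eio03.weizmann.ac.il", dport=GRAM_PORT, inbound=False),     # submit job
    Flow(src=GATEKEEPER, dport=IDENT_PORT, inbound=True),                 # ident callback
    Flow(src=GATEKEEPER, dport=40017, inbound=True),                      # job-manager callback
    Flow(src="eio03.weizmann.ac.il", dport=GRIDFTP_PORT, inbound=False),  # stage files
    Flow(src="unrelated.example.net", dport=37774, inbound=True),         # not Grid traffic
    Flow(src="unrelated.example.net", dport=45000, inbound=True),         # not Grid traffic
]


def exposure(policy: Policy, flows=OBSERVED) -> int:
    """Inbound connections from hosts other than the gatekeeper that the
    policy lets through: the 'more than really required' surface."""
    passed, _ = audit(flows, policy)
    return sum(1 for f in passed if f.inbound and f.src != GATEKEEPER)


if __name__ == "__main__":
    for pol in (LOOSE, PINNED):
        passed, blocked = audit(OBSERVED, pol)
        print(f"{pol.name}: passed {len(passed)}, blocked {len(blocked)}, "
              f"non-Grid inbound admitted {exposure(pol)}")
```

Both policies let the whole Grid job through; the difference is entirely in what else gets through. Pinning the callback range only helps if the gatekeeper side actually honours it, which is why the measurement of which ports each service uses has to precede the firewall request.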
Firewalls in the presence of Grid web services
• It may be more relevant to study firewalls in the presence of Grid web services than firewalls in the presence of Globus 2
• Web services use the HTTP port
• ‘Traditionally’, the HTTP port is not blocked by firewalls
• Firewalls are being enhanced to block web service streams by adding XML interpretation capability
• Hence, Grid web services will also have to deal with firewalls

Firewalls and OGSA
• The OGSA security group published an architecture and roadmap at: http://www.cs.virginia.edu/~humphrey/ogsa-sec-wg/
• Among other security Grid services, a ‘firewall friendly’ Grid service will be specified, at: ‘OGSA firewall Interoperability’
• The ‘firewall friendly’ service seems to replace rather than communicate with a firewall

Replacing firewalls by an OGSA firewall?
Current (and future?) Grid security
The firewall is not directly aware of Grid security. Hence, more resources than really required have to be allowed through the firewall, causing a security compromise.
[Diagram: Grid client in the organization, firewall, Grid gatekeeper of the Grid cluster at the DMZ; the client may submit a resource request directly to the gatekeeper.]
Morton Taragin’s suggestion: define a ‘Grid firewall security service’, teaching firewalls ‘Grid security’
[Diagram: Grid client in the organization, firewall, and a Grid firewall security server next to the Grid gatekeeper in the Grid cluster at the DMZ.]
1) Grid firewall security request (from the Grid client to the Grid firewall security server)
2) ‘Allow resource through’ request (from the Grid firewall security server to the firewall)
3) Client may submit resource request (to the Grid gatekeeper)
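To make the three-step exchange concrete, here is an added model of the suggestion; it is not code from the presentation or from any Grid project. The firewall itself still only understands (source, destination, port) tuples; the Grid firewall security server is the component that speaks Grid security and, on a successful step 1, asks the firewall in step 2 to open exactly the tuple the client needs, for a limited time. The authorised-identity set is a constructed stand-in for the GSI certificate checks a real service would perform, and the client host names, distinguished names and the time-to-live are constructed; the gatekeeper host and port are those from the talk.

```python
"""Model of the proposed 'Grid firewall security service' (step numbers as
on the slide).  Added example, not part of the presentation: identities,
client hosts and the time-to-live are constructed, and the authorised set
stands in for the GSI certificate checks a real service would perform."""
from dataclasses import dataclass, field

GRAM_PORT = 2119  # gatekeeper port measured in the talk


@dataclass(frozen=True)
class Pinhole:
    src: str
    dst: str
    dport: int
    expires_at: int  # logical clock tick after which the rule is gone


@dataclass
class Firewall:
    """Packet filter that only knows (src, dst, port) tuples; no Grid notion."""
    pinholes: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def allow(self, src, dst, dport, now, ttl):
        self.pinholes.add(Pinhole(src, dst, dport, now + ttl))

    def expire(self, now):
        self.pinholes = {p for p in self.pinholes if p.expires_at > now}

    def permits(self, src, dst, dport, now):
        self.expire(now)
        ok = any(p.src == src and p.dst == dst and p.dport == dport
                 for p in self.pinholes)
        self.log.append((now, src, dst, dport, "ALLOW" if ok else "DROP"))
        return ok


@dataclass
class GridFirewallSecurityServer:
    """Speaks 'Grid security' on the firewall's behalf (steps 1 and 2)."""
    firewall: Firewall
    gatekeeper: str
    authorized: frozenset  # identities allowed to request a pinhole (constructed)
    ttl: int = 10          # constructed: pinhole lifetime in clock ticks

    def request(self, identity, client_host, now):
        """Step 1: the client asks to be let through.
        Step 2: if authorised, ask the firewall to allow that one tuple."""
        if identity not in self.authorized:
            return False
        self.firewall.allow(client_host, self.gatekeeper, GRAM_PORT, now, self.ttl)
        return True


def submit_job(fw, server, identity, client_host, now):
    """Whole exchange, steps 1-3.  True if the submission reaches the gatekeeper."""
    if not server.request(identity, client_host, now):
        return False
    # Step 3: the client submits its resource request to the gatekeeper.
    return fw.permits(client_host, server.gatekeeper, GRAM_PORT, now)


def demo():
    fw = Firewall()
    server = GridFirewallSecurityServer(
        fw, "eio01.weizmann.ac.il",
        frozenset({"/C=IL/O=TAU/CN=grid-user"}))  # constructed DN
    results = {}
    results["authorized"] = submit_job(
        fw, server, "/C=IL/O=TAU/CN=grid-user", "tau-client.example", now=0)
    results["unauthorized"] = submit_job(
        fw, server, "/C=IL/O=Other/CN=stranger", "stranger.example", now=1)
    # The pinhole is tuple-specific: another port from the same client is dropped.
    results["other_port"] = fw.permits(
        "tau-client.example", server.gatekeeper, 22, now=2)
    # The pinhole closes after ttl ticks, so nothing stays open permanently.
    results["after_expiry"] = fw.permits(
        "tau-client.example", server.gatekeeper, GRAM_PORT, now=11)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'dropped'}")
```

The design point is that the firewall's rule set is driven by Grid authorisation decisions rather than by a standing range of open ports: the security manager only has to trust the server's decisions and its rule lifetime, not pre-open the ranges from the port table. An expiry on every pinhole matters as much as the authorisation, since a rule that is never removed reproduces the "more than required" exposure of the current arrangement.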