
Submitting Grid jobs through firewalls

Submitting Grid jobs through firewalls. TAU: Halina Abramowicz, Itzhak Ben Akiva, David Horn WI: Ehud Duchovni, David Front, Lorne Levinson, Morton Taragin, Rafi Yaari. www.weizmann.ac.il/~dfront/Submitting Grid jobs through firewalls.ppt. Topics. The issue Testing


Presentation Transcript


  1. Submitting Grid jobs through firewalls
     TAU: Halina Abramowicz, Itzhak Ben Akiva, David Horn
     WI: Ehud Duchovni, David Front, Lorne Levinson, Morton Taragin, Rafi Yaari
     www.weizmann.ac.il/~dfront/Submitting Grid jobs through firewalls.ppt
     USA-Israel BSF Grid collaboration

  2. Topics
     • The issue
     • Testing
     • Firewalls in the presence of web services
     • Firewalls and OGSA
     • ‘Grid firewall security service’: teaching firewalls ‘Grid security’

  3. The issue
     • Various Grid projects experience difficulties submitting Grid jobs through firewalls:
       • Security managers are not willing to open the (dynamic ranges of) firewall ports required for Grid jobs, in order to prevent compromising local network security
       • Resources at domains that require a secureid to access are not accessible by automated Grid applications
     • Our goal: contribute to research that deals with this issue
     • Preliminary testing mission:
       • Learn what difficulties are experienced while submitting (VDT) Grid jobs between firewall-guarded sites at multiple Israeli universities

  4. Testing: settings A
     [Diagram labels: Weizmann Institute; DMZ; eio01.weizmann.ac.il; firewall; Globus; main (secureid) domain; eio03.weizmann.ac.il; Condor-G; user; GRAM; GridFTP; MDS]

  5. Testing: settings B
     [Diagram labels: Weizmann Institute; Tel Aviv University; DMZ (at each site); eio01.weizmann.ac.il; firewall (at each site); Globus; user; Condor-G; GRAM; GridFTP; MDS; main (secureid) domain]

  6. Testing: results
     • Security managers cooperated
     • At WI, ports were opened only for testing
     • At WI, a permanent Grid-dedicated DMZ cluster is envisioned
     • No major difficulties have been experienced

  7. Testing results: used ports (Setting A)
     • Submit Globus job: request: 2119; response: a range of ports
     • Globus MDS: request: 2135; response: 2135
     • GridFTP: request: 2811; response: 113 + a range of ports
     • Submit Condor job: request: 2119; response: 37774
     • The range of response ports starts at about 33000 and goes up
     • Conclusion: nothing unexpected

  8. Firewalls in the presence of Grid web services
     • It may be more relevant to study firewalls in the presence of Grid web services than firewalls in the presence of Globus 2
     • Web services use the HTTP port
     • ‘Traditionally’, the HTTP port is not blocked by firewalls
     • Firewalls are being enhanced to block web services streams by adding XML interpretation capability
     • Hence, Grid web services will also have to deal with firewalls

  9. Firewalls and OGSA
     • The OGSA security group published an architecture and roadmap at: http://www.cs.virginia.edu/~humphrey/ogsa-sec-wg/
     • Among other security grid services, a ‘firewall friendly’ grid service will be specified at: ‘OGSA firewall Interoperability’
     • The ‘firewall friendly’ service seems to replace rather than communicate with a firewall

  10. Replacing firewalls by an OGSA firewall?

  11. Current (and future?) Grid security
     The firewall is not directly aware of Grid security. Hence, more resources must be allowed through firewalls than are really required, causing a security compromise.
     [Diagram labels: Organization; Grid cluster at DMZ; Grid client; firewall; Grid gate keeper; arrow: client may submit resource request]

  12. Morton Taragin’s suggestion: define a ‘Grid firewall security service’, teaching firewalls ‘Grid security’
     1) Grid firewall security request
     2) ‘Allow resource through’ request
     3) Client may submit resource request
     [Diagram labels: Organization; Grid cluster at DMZ; Grid firewall security server; Grid client; firewall; Grid gate keeper]
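
The three steps of slide 12, sketched as an added example that is not part of the original presentation. The slides define no protocol, so the class names, subject strings, addresses and the time-limited, per-client pinhole are all assumptions; only port 2119 comes from slide 7.

```python
import time
from dataclasses import dataclass, field

# Constructed sample data: subject names, addresses and the TTL are illustrative.
TRUSTED_SUBJECTS = {"/O=Grid/CN=alice"}   # identities the security server accepts
GATEKEEPER_PORT = 2119                    # Globus job-submission port from slide 7


@dataclass
class Firewall:
    """Default-deny firewall holding only short-lived, per-client pinholes."""
    pinholes: dict = field(default_factory=dict)   # (src_ip, port) -> expiry time

    def allow(self, src_ip, port, ttl, now):
        self.pinholes[(src_ip, port)] = now + ttl

    def permits(self, src_ip, port, now):
        expiry = self.pinholes.get((src_ip, port))
        return expiry is not None and now < expiry


@dataclass
class GridFirewallSecurityServer:
    """Hypothetical service: checks the Grid identity, then instructs the firewall."""
    firewall: Firewall
    ttl: float = 60.0

    def request_access(self, subject, src_ip, port, now):
        # Step 1: Grid firewall security request from the client.
        if subject not in TRUSTED_SUBJECTS:
            return False
        # Step 2: 'allow resource through' request to the firewall,
        # scoped to one source address, one port and a limited lifetime.
        self.firewall.allow(src_ip, port, self.ttl, now)
        return True


def submit_job(firewall, src_ip, port, now):
    """Step 3: the resource request reaches the gatekeeper only via a live pinhole."""
    return "accepted by gatekeeper" if firewall.permits(src_ip, port, now) else "dropped by firewall"


if __name__ == "__main__":
    fw = Firewall()
    server = GridFirewallSecurityServer(fw)
    t0 = time.time()
    print(submit_job(fw, "192.0.2.10", GATEKEEPER_PORT, t0))        # before step 1
    server.request_access("/O=Grid/CN=alice", "192.0.2.10", GATEKEEPER_PORT, t0)
    print(submit_job(fw, "192.0.2.10", GATEKEEPER_PORT, t0 + 1))    # within the TTL
    print(submit_job(fw, "192.0.2.10", GATEKEEPER_PORT, t0 + 120))  # after expiry
```

Compared with the static port ranges of slide 11, the firewall here admits traffic only for an identity the Grid security layer has already accepted, and only for the address, port and lifetime named in step 2.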
