
Presented by Xiaoyu Qin 21637881




Presentation Transcript


  1. Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization

  2. Outline • Background • Project Aims & Previous Research • Research Problem • Research Approach & Method • Analysis • Demo Implementation • Design Review • Future Work • Conclusion

  3. Background – Grid Network & Security • Application Solutions • Globus Security Infrastructure • Security of Open Grid Services Architecture • Security as Services • Public Key Infrastructure • Virtual Organization & Virtual Connectivity • Gateway Solutions • Common Solutions • Grid Firewall & Firewall Traversal

  4. Background – Understanding Virtualization • Pooling & Reallocating • Resource: Pooling • Infrastructure: Multiplying, Clustering • Simulation • Simulators: VMs • Application Virtualization: Sandbox • Network: Tunnelling • Grid: Virtual Organization * • Firewall Virtualization • Dynamic Firewall • Zone Based Virtual Firewall • Virtual Access Control

  5. Project Aims & Previous Research – Security Gateway for Grid • Grid Security Scenario • Unpredictable application & users • Dynamic • Large quantity of devices • Security Gateway • Packet Filtering • Access Control • Intrusion Detection/Prevention

  6. Project Aims & Previous Research – Firewall Traversal & Firewall Virtualization • Firewall Proxy Model • Firewall Control Model

  7. Research Problem – NAT Problem • Server IP + Port == A TCP Service • Source IP + Port != Client User Identity

  8. Research Approach & Method • Research Approach • A grid firewall solution • Without NAT problem • Easy to implement & deploy • Research Method • Problem Oriented Research

  9. Analysis – Problem Breakdown

  10. Analysis – Research Questions • Central Question : • How do we determine the identity information? • Q1: What can a firewall determine? How? • What can a pure network firewall determine? • Is there any other choice (IPTables) which can do more? • Q2: How to generate and carry the information which can be determined? • Can the program change some existing properties of the communication? How? • Can the program add new properties? How?

  11. Analysis – Research Hypotheses • Capability of a Network Firewall • IP: Source and target IP address • TCP: Source and target port • Protocol • Special Capability of IPTables • Owner: uid, pid, gid, … (IPFW also has ‘out uid’) • Change existing properties of the communication • Packet based: • Changing address: Authentication-based NAT/PAT • Changing protocol: Tunnel/Proxy (useless) • Connection based: • Extra handshake (hard to implement) • Can the program add new properties? How? • Application-specific Tunnel/Proxy

  12. Analysis – Possible Solution: NAT/PAT • Cons • Customized IP-assigning mechanism • Not supported by most current VPN solutions • Hard to program • Check after the tunnel is created • Complex control signalling • Added delay • Hard to program but possible* • Pro • An existing firewall can be used, but an extra component to run the program is still needed.

  13. Analysis – Possible Solution: Tunnel/Proxy • Few firewall choices: IPTables, IPFW… • Tunnel/Proxy choice • Does it create a process for each session? • Can the process owner map one-to-one to the client identity? • SSH Port Forwarding • Pros: • Commonly used • Gateway-to-Gateway • Only tunnels the request (compared with a VPN) • Cons: Client commands & settings • Other methods can be examined

  14. Demo Implementation
      VAC> show
      use whitelist
      service 0 10.1.1.2:80 TCP //Http AppServer
      ACCEPT User xyqin1
      Client> ssh -N -f -L 80:10.1.1.2:80 xyqin1@VFW
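The mechanism behind slides 11, 13 and 14 is that the client's SSH tunnel terminates in a session process on the gateway that runs as the authenticated user, so the connection to the real service is locally generated and the IPTables owner match can tie it to a user identity that plain IP/port filtering never sees. The script below is an added example, not the VAC tool from the slides: it compiles the demo whitelist (the `use` / `service` / `ACCEPT User` lines) into iptables commands with `-m owner --uid-owner`. The interface variable `VAC_IFACE`, the chain name `VAC_OUT`, and the assumption that every whitelisted grid user has a local account on the gateway are mine and not stated in the presentation.

```sh
#!/bin/sh
# Added example (not from the slides): compile a VAC-style whitelist into
# iptables commands that enforce it with the owner match.
#
# The owner match only applies to locally generated packets (OUTPUT chain).
# That is exactly the situation created by "ssh -L": the forwarded connection
# to the service is opened on the gateway by the user's own sshd session
# process, so its packets carry that user's uid.
#
# Assumptions (hypothetical, not stated on the slides): each whitelisted grid
# user has a local gateway account, and the service network is reached through
# the interface named in VAC_IFACE. Commands are printed, not applied, so the
# rule set can be reviewed before it is run with root privileges.

VAC_IFACE="${VAC_IFACE:-eth1}"

# vac_compile: read a VAC whitelist on stdin, write iptables commands on stdout.
# Directives: "use whitelist", "service N IP:PORT PROTO", "ACCEPT User NAME".
# "//" starts a comment, as on the demo slide. Returns 1 on anything it
# cannot enforce safely (non-whitelist mode, missing service, no users).
vac_compile() {
    mode=""; dest=""; port=""; proto=""; users=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%//*}                  # drop trailing // comment
        set -- $line                       # split remaining words
        if [ $# -eq 0 ]; then continue; fi
        case $1 in
            use)     mode=$2 ;;
            service) dest=${3%%:*}; port=${3##*:}
                     proto=$(printf '%s' "$4" | tr 'A-Z' 'a-z') ;;
            ACCEPT)  if [ "$2" = User ]; then users="$users $3"; fi ;;
            *)       echo "vac_compile: unknown directive '$1'" >&2; return 1 ;;
        esac
    done
    # Only whitelist semantics are implemented: unknown users must be dropped.
    if [ "$mode" != whitelist ]; then
        echo "vac_compile: only 'use whitelist' is supported" >&2; return 1
    fi
    if [ -z "$dest" ] || [ -z "$users" ]; then
        echo "vac_compile: need one service line and at least one ACCEPT line" >&2
        return 1
    fi
    # Dedicated chain so the rule set can be flushed and rebuilt as a unit.
    echo "iptables -N VAC_OUT"
    echo "iptables -A OUTPUT -o $VAC_IFACE -p $proto -d $dest --dport $port -j VAC_OUT"
    for u in $users; do
        echo "iptables -A VAC_OUT -m owner --uid-owner $u -j ACCEPT"
    done
    # Anything toward the service not owned by a whitelisted user is logged, then dropped.
    echo "iptables -A VAC_OUT -j LOG --log-prefix 'VAC-DENY '"
    echo "iptables -A VAC_OUT -j DROP"
}

# The configuration shown on the demo slide (constructed copy of its text).
VAC_DEMO_CONF='use whitelist
service 0 10.1.1.2:80 TCP //Http AppServer
ACCEPT User xyqin1'

printf '%s\n' "$VAC_DEMO_CONF" | vac_compile
```

Run as shown, the script prints five iptables commands: the chain creation, the jump from OUTPUT for TCP traffic to 10.1.1.2:80, one ACCEPT for uid xyqin1, and the LOG and DROP fall-through. The LOG line is what makes the whitelist observable: a denied connection on the gateway shows up as a `VAC-DENY` kernel log entry rather than silently disappearing.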

  15. Design Review • NAT Problem • NAT between the gateways does no harm • Efficiency Cost • Pre-defined tunnel and filtering rules • One-time encapsulation • Only tunnels the request • SSH without a cipher is an option, and SSH is not the only choice • Capability & Reliability • Clustering • Load Balancing

  16. Future Work • Virtualization • Scalable (Zones, Multiple Instances) • Dynamic Access Control • Clustering • Usability • Client side program • Remote Administration • Distributable • Authentication Server • Extendable • Extensions? API?

  17. Conclusion • It is possible and necessary to implement authentication-based access control on the grid gateway that is secure, extensible and interoperable with the grid. • A pure network-filtering firewall is a very weak solution for grid security purposes. • Grid security needs application-level methods because of virtualization.

  18. Q & A
