
Agenda

Secure Generic Connection Brokering – SGCB enhancing secure submission of grid jobs across firewalls. David Front, Lorne Levinson, Morton Taragin Weizmann Institute of Science, Rehovot Miron Livny, Se-Chang Son, University of Wisconsin, Madison Itzhak Ben-Akiva, Tel Aviv University, Tel Aviv.


Presentation Transcript


  1. Secure Generic Connection Brokering – SGCB: enhancing secure submission of grid jobs across firewalls
     David Front, Lorne Levinson, Morton Taragin, Weizmann Institute of Science, Rehovot
     Miron Livny, Se-Chang Son, University of Wisconsin, Madison
     Itzhak Ben-Akiva, Tel Aviv University, Tel Aviv
     JPDPS 2003 Grid computing SGCB

  2. Agenda
     • The problem
     • Requirements
     • Architecture
     • Performance, evaluation
     • References

  3. The problem
     • In order to use (Grid) servers, incoming connections should be created
     • Organization security policies restrict connections to prevent malicious acts
     • Incoming connections are more threatening than outgoing connections
     • Hence, organization security managers object to allowing incoming connections through grid domain firewalls

  4. The problem: 2 use cases
     (Grid) network applications fail to create incoming connections because of organization security policy, enforced by firewall(s).
     [Diagram: server behind its server firewall, client behind its client firewall]
     1) The server's firewall prevents connections to the server. The server may connect to the client.
     2) In addition, the client's firewall prevents connections to the client. No direct connection is possible.

  5. Requirements
     A solution to securely submit jobs across firewalls should:
     • Satisfy security managers: allow incoming connections, yet not violate security policies
     • Not require dynamic firewall changes
     • Support communication with standard sockets
     • Not require changes at communicating applications
     • Not require kernel changes
     • Support various security schemes
     • Not require root privilege to install/run

  6. SGCB architecture
     Generic Connection Brokering (GCB) by Sechang Son and Miron Livny
     + Bypass by Douglas Thain and Miron Livny
     + Security layer for management messages:
     • Trivial security
     • GSI security

  7. GCB use case 1: reversed TCP connection
     [Diagram: server behind the server firewall, client, and broker; A = GCB management message; steps ordered in time]
     1) Register me (server to broker)
     2) I want to connect server (client to broker)
     3) Connect client (broker to server); the server calls connect() towards the client, and data then flows over that connection

  8. GCB use case 2: relayed TCP connection
     [Diagram: server behind the server firewall, client behind the client firewall, and broker; A = GCB management message; steps ordered in time]
     1) Register me (server to broker)
     2) I want to connect server (client to broker)
     3) Connect me (broker to server); the server calls connect() towards the broker
     4) Connect me (broker to client); the client calls connect() towards the broker
     Data is relayed through the broker.

  9. Firewall holes without GCB
     [Diagram: client firewall and server firewall]
     • Client firewall: client outgoing
     • Server firewall: server incoming
     Holes for server-client connections.

  10. Firewall holes with GCB
     [Diagram: client firewall, broker firewall and server firewall]
     • Client firewall: client outgoing
     • Broker firewall: broker incoming
     • Server firewall: server outgoing
     Holes for management messages; holes for server-client connections.

  11. GCB socket SW layer
     GCB socket calls GCB_bind(), GCB_connect(), GCB_accept() ... replace the standard socket calls bind(), connect(), accept() ... at server and client applications.
     GCB calls do whatever is needed to connect, such as:
     • communicate with other entities
     • reverse connection direction
     • initiate standard socket calls

  12. GCB layer: reversed TCP connection
     [Diagram: sequence over time across client machine, broker machine and server machine, showing the calls GCB_socket, GCB_bind, GCB_listen, GCB_connect and GCB_accept]

  13. GCB layer: relayed TCP connection
     [Diagram: sequence over time across client machine, broker machine and server machine, showing the calls GCB_socket, GCB_bind, GCB_listen, GCB_connect and GCB_accept, with the broker relaying]

  14. SGCB architecture
     Applications must call GCB socket functions in order to use GCB. Using Bypass avoids this need.

  15. Bypass
     Bypass is code-generator software for making C++ interposition agents.
     [Diagram: application, agent and system calls]
     1) The agent squeezes in between the application and the system calls
     2) The application issues a system call, e.g. an accept() call
     3) The agent intercepts it and runs agent code, e.g. GCB_accept()
     4) For example: the agent code calls connect()

  16. Bypassing GCB
     The Bypass agent implements GCB seamlessly for applications.
     [Diagram: Server and Client applications call socket, bind, listen, connect and accept over time; the Bypass Agent maps them to GCB_socket, GCB_bind, GCB_listen, GCB_connect and GCB_accept, which talk to the broker]

  17. SGCB architecture
     GCB management messages are not secure: the SGCB security layer adds security.

  18. GCB: no management message security
     [Diagram: Server/Client and Broker over time: Connect / Accept, then Data in both directions, with no authentication step]

  19. SGCB security scheme 1: trivial security
     Applicable for management messages.
     [Diagram: Server/Client and Broker over time: Connect / Accept; AUTH_assert userid@hostname / AUTH_accept userid@hostname; then Data in both directions]

  20. SGCB security scheme 2: GSI security
     Applicable for GCB management messages.
     [Diagram: Server/Client and Broker over time: Connect / Accept; AUTH_assert certificate / AUTH_accept certificate; then Data encrypted by the sender and decrypted by the receiver, in both directions]

  21. Broker location
     [Diagram: broker in a DMZ; firewall holes: server outgoing, broker incoming, client outgoing]
     • A broker has a relaxed security policy, allowing incoming connections
     • It is recommended to locate a broker in a DMZ with no other computers

  22. GCB TCP performance test
     [Chart: GCB TCP performance test, passing across a private network]
     GCB does not impose a big time penalty.

  23. Evaluation
     SGCB does satisfy its requirements, however:
     • Scalability: the broker is a potential traffic bottleneck. Brokering of up to thousands of machines is yet to be tested.
     • Robustness: the broker is a single point of failure.
     • Complexity: adding the SGCB and Bypass SW layers to a grid application adds complexity and causes a debugging challenge.
     • Experimental: Globus problems with GCB and Bypass.
     • Applicability: SGCB is relevant for GT2 more than for GT3.

  24. References
     • Globus Toolkit Firewall Requirements: Von Welch, http://www-fp.globus.org/security/firewalls/Globus%20Firewall%20Requirements-5.pdf
     • GCB: Recovering Internet Symmetry in Distributed Computing: Sechang Son and Miron Livny, Computer Science Department, University of Wisconsin, http://www.cs.wisc.edu/condor/doc/CCGRID2003.pdf
     • Bypass: Douglas Thain and Miron Livny, http://www.cs.wisc.edu/condor/bypass/
     • SGCB user guide: David Front, www.weizmann.ac.il/~dfront/sgcb.htm
     • SSH tunnels and Globus (an alternative approach to connecting across firewalls): Globus Grid and Firewalls: Issues and Solutions in a Utility Data Center Environment, Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto, HPL-2002-278, October 2nd, 2002, http://www.hpl.hp.com/techreports/2002/HPL-2002-278.pdf

  25. Spare slides

  26. Status
     SGCB works with test applications: it creates Bypass'ed connections across firewalls with trivial or GSI security. SGCB support for Globus is under development.

  27. Web services, GT2/3 and SGCB

  28. GCB
     Sechang Son and Miron Livny's GCB architecture. GCB allows Condor to seamlessly work across private networks and over firewalls. SGCB is based on and enhances GCB, adding a security layer.
     * Mainly for presentation simplification reasons, GCB entity names are slightly changed in the following slides.

  29. SGCB firewall settings
     Broker machine: allow creation of incoming connections from legal machines:
     • GCB connections: any port to be brokered by GCB, from clients and servers.
     • Management connections to the GCB management port: internal server machines: BROKER_LOCAL_PORT, 65430; external client machines: BROKER_PUBLIC_PORT, 65432.
     Server machine: allow creation of outgoing connections to legal machines:
     • GCB connections: any server ports, towards the broker and possibly to clients.
     • Management connections: BROKER_LOCAL_PORT, 65430, towards the broker.
     Client machine: allow creation of outgoing connections towards the broker and possibly from servers:
     • GCB connections: any client ports, towards the broker, and possibly from servers.
     • Management connections: BROKER_PUBLIC_PORT, 65432, towards the broker.

  30. Standard connection creation
     [Diagram: Client and Server over time]
     0) No connection
     1) Server: bind() port to socket, listen(), wait for connect()
     2) Client: connect() to ip:port
     3) Server: accept() connection
     Connection established: both parties may communicate.

  31. Bypass
     Bypass, a research project of Douglas Thain and Miron Livny, is compiler-like code-generator software for making C++ interposition agents. An interposition agent is software that squeezes itself into an existing program, between the program and the operating system, and transforms the program: when the program attempts certain system calls, the agent grabs control and runs the agent code, as supplied by the programmer. Agents can be used to emulate operations that otherwise might not be available.

  32. Using Bypass
     • Write an agent specification. Partial example, which calls GCB_accept() when accept() is called:
         int accept(int fd, struct sockaddr * peer, socklen_t *addrlen)
         agent_action {{ return GCB_accept(fd, peer, addrlen); }};
     • Compile and dynamically link the agent
     • The Bypassed application should be dynamically linked
     • Activate the agent in the user session: export LD_PRELOAD=<agent library file>

  33. Bypassing GCB
     The application does not have to be changed in order to use GCB.
     • GCB socket calls: GCB_bind(), GCB_connect(), GCB_accept() ...
     • GCB calls do whatever is needed to create a connection, such as: communicate with other entities; reverse the connection-creation direction; initiate standard socket calls.

  34. SGCB security schemes
     Security of GCB-created connections: applications that use GCB to create connections are responsible for the security of those connections.
     Security of GCB management messages: the security of the underlying GCB management messages between applications and the broker is:
     • independent of the security of the GCB connections
     • under the responsibility of GCB
     • determined at GCB configuration time
     • one of the following: 1. GSI, 2. trivial, 3. none.

  35. AUTH security layer
     SGCB uses AUTH, a simple (generic) security layer for authentication, based on similar code from Bypass. AUTH consists of the following functions:
     • Auth_register: an application that implements AUTH registers at startup the security mechanism(s) that it supports. (Currently,) the security mechanism may be 'GSI' or 'trivial'.
     • Auth_assert: called by a client that wishes to authenticate itself towards a server. After AUTH negotiates with the other party for the best protocol supported by both, the selected protocol-specific assert function is called to perform authentication.
     • Auth_accept: the counterpart of Auth_assert. It grants or denies authentication via the negotiated protocol's accept function.

  36. SGCB management messages security schemes
     • GSI security: GSI is the de-facto security basis of (Globus-based) grid systems. If you use GCB for an application that has GSI infrastructure, this is the recommended scheme to use.
     • Trivial security: trivial security uses a simple user repository of the form <userid>@<host>, residing at the broker, to authenticate SGCB users.
     • No security
     Applications that use GCB to create connections must use the same security scheme at both ends of a connection. SGCB applications (as opposed to GCB) negotiate the security scheme per connection request.
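As an added example (not code from the SGCB project or from these slides), the following Python models the AUTH layer of slides 35 and 36: Auth_register, negotiation of the strongest mechanism both parties registered (done afresh on every Auth_assert, as SGCB negotiates per connection request), and Auth_assert / Auth_accept for trivial security against a broker-side <userid>@<host> repository. The PREFERENCE order, the Party class, the AuthError type and the sample user names are assumptions of this example; GSI is only a registered name here, because real certificate checking needs a GSI library.

```python
# Constructed model of SGCB's AUTH layer: Auth_register, per-connection
# negotiation of the strongest mechanism both sides support, then
# Auth_assert / Auth_accept under that mechanism. Names are this example's
# own, not SGCB's. GSI is a registered name only (no handler), so a pair that
# negotiates GSI fails here with an explicit error instead of a fake check.

PREFERENCE = ("GSI", "trivial", "none")   # strongest first, as negotiation ranks them


class AuthError(Exception):
    pass


def negotiate(offered, supported):
    # Pick the strongest mechanism both parties registered; none in common is a failure.
    for mech in PREFERENCE:
        if mech in offered and mech in supported:
            return mech
    raise AuthError(f"no common mechanism: {offered} vs {supported}")


class Party:
    # One SGCB endpoint (application or broker). `identity` is the userid@hostname
    # a client asserts under trivial security; `repository` is the broker's user list.
    def __init__(self, mechanisms, identity=None, repository=()):
        self.mechanisms = tuple(mechanisms)          # Auth_register
        self.identity = identity
        self.repository = frozenset(repository)

    def auth_assert(self, peer):
        # Client side: negotiate, then send the mechanism-specific assertion.
        mech = negotiate(self.mechanisms, peer.mechanisms)
        if mech == "trivial":
            token = self.identity                    # self-asserted claim, not verified
        elif mech == "none":
            token = None
        else:
            raise AuthError(f"no assert handler for {mech} in this example")
        return peer.auth_accept(mech, token)

    def auth_accept(self, mech, token):
        # Server/broker side: grant or refuse via the negotiated mechanism.
        if mech == "trivial":
            if token in self.repository:
                return (mech, token)
            raise AuthError(f"{token!r} is not in the broker repository")
        if mech == "none":
            return (mech, None)                      # management messages go unauthenticated
        raise AuthError(f"no accept handler for {mech} in this example")


def demo():
    # Three constructed cases: a GSI-capable client falls back to trivial against a
    # trivial-only broker; an unknown user is refused; no common scheme fails outright.
    broker = Party(["trivial"], repository={"dfront@client.example"})
    granted = Party(["GSI", "trivial"], identity="dfront@client.example").auth_assert(broker)
    outcomes = {"known user": granted}
    for label, client in (("unknown user", Party(["trivial"], identity="x@client.example")),
                          ("no common scheme", Party(["GSI"]))):
        try:
            client.auth_assert(broker)
        except AuthError as exc:
            outcomes[label] = str(exc)
    return outcomes
```

Note what the trivial scheme checks: only that the string the client chose to send is listed in the broker's repository. The slides present it as the lightweight option; the repository check is as strong as the path that delivered the assertion, which is why the GSI scheme (slide 20) pairs authentication with encryption of the management traffic.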

  37. Related work

  38. ssh tunneling: a secure means to pass two firewalls
     ssh is an open-source, accepted security standard, available for Unix machines. ssh supports certificates, and GSI-enabled ssh programmatically connects ssh and GSI. Once an ssh connection is made across a firewall, channels may be opened through it to various ports, from both directions, without the firewall being aware of this, because the traffic within the tunnel is encrypted.

  39. Globus Grid and Firewalls: Issues and Solutions ... Sven Graupner, Carsten Reimann, HP Laboratories Palo Alto
     HP researchers tested ssh tunnels as a means to submit Globus jobs through one or two firewalls.

  40. SSH: drawbacks
     • The connection between the application and the sshd server is not secure
     • Unless you have a 'bridge host', there has to be a hole in the server or client firewall
     • Either all traffic is encrypted, or the whole thing is not secure

  41. GGF: Grid-specific firewall planned by OGSA

  42. More approaches
     For a discussion of more approaches, see Sechang Son's http://www.cs.wisc.edu/condor/doc/CCGRID2003.pdf.
     • It refers to 'application-specific connection brokering', such as the Napster server and Gnutella
     • And generic IETF approaches, such as SOCKS and Realm Specific IP (RSIP), explaining their relevance, characteristics and the reasons for not using them.

  43. GRAM and GSI
     Globus: GSI is used once, to connect to the gatekeeper.

  44. SGCB firewall
     [Diagram: the sGCB host runs the sGCB firewall, an sGCB listener, the sGCB server broker, relayers and sGCB connectors; clients reach it over the Internet; a firewall manager sends commands to the firewall]
     Static configuration:
     • No outgoing connections
     • Allow incoming connections to the management port, from any ip:port (or from friends' ip:ports)
     Dynamic configuration:
     • Dis/allow incoming connections, as ordered by the firewall manager (firewall manager commands)

  45. GCB performance
     GCB TCP performance tests of connection and data (echo) time: average and standard deviation (in parentheses), in msec.
     [Table: measured connection and echo times, not reproduced in the transcript]
     • Private to public is similar to 1 firewall, incoming connection to server
     • Public to private is similar to 1 firewall, outgoing connection from server
     • Private to private is similar to 2 firewalls, at server and at client applications
     Conclusions:
     • GCB causes connection time to be longer than regular, but connection time is still smaller than echo time
     • Relaying data only causes a small time penalty

  46. GT2 network traffic characteristics
     Server ports: 2219, 2135, 2811, (22,) 7512 + ephemeral port range, controllable by GLOBUS_TCP_PORT_RANGE

  47. GT3 network traffic characteristics
     Server ports: (8080,) 2811, (22,) 7512 + ephemeral port range, controllable by GLOBUS_TCP_PORT_RANGE

  48. GCB broker implementation
     The GCB broker is implemented as a daemon that can be run with the least privilege. The GCB broker does not assume that it can directly talk to its clients, and it can be placed anywhere that both clients and public nodes can talk to it. When the GCB broker receives a register request from a client, it creates a proxy socket and a record for the client. Connection requests to the client are brokered by referring to the record. When a connection is accepted on a proxy socket, the broker creates a relay record and uses it to relay packets. Relaying is delegated by the broker to (one of) a (set of) local relayServer process(es). The GCB broker need not maintain information persistent over a broker restart or machine reboot; instead it just does a fresh start when it restarts. To keep the correct set of client records, the GCB broker asks a client from which a heartbeat is received but whose record is not in the broker to register again.
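As an added example (not GCB's or SGCB's code), the following Python builds a minimal broker and walks through use case 1 from slide 7, the reversed TCP connection, together with the register/record and heartbeat bookkeeping described on this slide: the server keeps an outgoing management connection to the broker, the client asks the broker for the server, and the broker orders the server to connect back to the client, so the server's firewall only ever sees outgoing connections. The message names (REGISTER, WANT, CONNECT, HEARTBEAT), the 127.0.0.1 addresses and the server name "echo-srv" are assumptions of this example; the relayed case of slide 8 and management-message security are left out.

```python
import socket
import threading

# Constructed demo of GCB use case 1 (reversed TCP connection) plus the
# broker's register / record / heartbeat bookkeeping from the "GCB broker
# implementation" slide. Everything runs on 127.0.0.1, and the REGISTER,
# WANT, CONNECT and HEARTBEAT messages are this example's own format, not GCB's.

def recv_line(conn):
    # One newline-terminated management message; error if the peer closes first.
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            raise ConnectionError("management connection closed")
        buf += chunk
    return buf.decode().strip()

def management_call(broker_port, line):
    # One short request/reply exchange with the broker (used by WANT and HEARTBEAT).
    mgmt = socket.create_connection(("127.0.0.1", broker_port))
    mgmt.sendall((line + "\n").encode())
    reply = recv_line(mgmt)
    mgmt.close()
    return reply

class Broker:
    # One record per registered server: its name plus the management connection it
    # opened outward, kept open so the broker can push "connect to this client" orders
    # back through the server's firewall. Nothing is persisted: a restart starts fresh.
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = {}
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        msg = recv_line(conn).split()
        if msg[0] == "REGISTER":                  # 1: "Register me" (server to broker)
            self.records[msg[1]] = conn           # record = name + open mgmt connection
            conn.sendall(b"REGISTERED\n")
            return                                # keep conn open for later orders
        if msg[0] == "WANT":                      # 2: "I want to connect server" (client)
            server_conn = self.records.get(msg[1])
            if server_conn is None:
                conn.sendall(b"ERR unknown server\n")
            else:                                 # 3: "Connect client" (broker to server)
                server_conn.sendall(f"CONNECT {msg[2]} {msg[3]}\n".encode())
                conn.sendall(b"OK\n")
        elif msg[0] == "HEARTBEAT":               # unknown name (e.g. after a restart): re-register
            conn.sendall(b"OK\n" if msg[1] in self.records else b"REGISTER_AGAIN\n")
        conn.close()

def server_behind_firewall(broker_port, name, ready):
    # Server side: register outward, then dial out to each client the broker
    # names (outgoing connections only) and echo one message back.
    mgmt = socket.create_connection(("127.0.0.1", broker_port))
    mgmt.sendall(f"REGISTER {name}\n".encode())
    if recv_line(mgmt) == "REGISTERED":
        ready.set()
    while True:
        order = recv_line(mgmt).split()           # blocks until the broker has work
        if order[0] == "CONNECT":
            data = socket.create_connection((order[1], int(order[2])))
            data.sendall(data.recv(1024))
            data.close()

def client_connect(broker_port, name, payload):
    # Client side of GCB_connect(): listen locally, ask the broker to have the
    # server call back, then accept() the reversed connection and use it as usual.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    reply = management_call(broker_port, f"WANT {name} {host} {port}")
    if reply != "OK":
        listener.close()
        raise ConnectionError(reply)
    listener.settimeout(5)
    data, _ = listener.accept()                   # the server dialled in to us
    data.sendall(payload)
    echoed = data.recv(1024)
    data.close()
    listener.close()
    return echoed

def run_demo(payload=b"ping"):
    # Start broker and server, connect as the client; return the echo and the
    # heartbeat answers for a registered and for an unregistered server name.
    broker = Broker()
    ready = threading.Event()
    threading.Thread(target=server_behind_firewall,
                     args=(broker.port, "echo-srv", ready), daemon=True).start()
    ready.wait(5)
    echoed = client_connect(broker.port, "echo-srv", payload)
    return (echoed, management_call(broker.port, "HEARTBEAT echo-srv"),
            management_call(broker.port, "HEARTBEAT ghost"))
```

Running run_demo() returns the echoed payload together with "OK" for the registered name and "REGISTER_AGAIN" for an unknown one. The broker in this sketch accepts a REGISTER from anyone, which is exactly the gap the AUTH layer of slides 19 and 20 closes on the management connection.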
