8.2 Firewalls
8.2.2 Firewalls and Grid – Issues
Currently most research and development activity in grid computing takes place in the e-science community. That community is large and the research challenges are enormous. However, when the grid moves into enterprises, several interesting and critical challenges will arise. Some of these challenges and possible efforts have been highlighted in the previous chapters. Another big challenge is integration with firewall technologies. Most enterprises employ some amount of firewalling and packet filtering, and efforts need to be taken to solve the problem of easy integration with the existing firewalls.
Globus and Firewall
Figure 8.2 shows the firewall requirements for the different components of Globus. In the figure, a controllable ephemeral port is a port selected by the Globus Toolkit and constrained by a configurable limit. An ephemeral port, on the other hand, is a non-deterministic port assigned by the system in the range less than 1024. The requirements of the different components are as follows:
• GSI: GSI comprises the authentication, confidentiality, integrity, and secure delegation modules of Globus. The request should originate from an ephemeral port and, as in an ssh configuration, the server listens on port 22.
• GRAM: GRAM is the resource management module of Globus. In GT4 GRAM, connections are initiated by the client from an ephemeral port. To initiate and control jobs, all traffic goes through a single hosting environment defined by port 8443/tcp. For GT3, this port is 8080/tcp.
• MDS: MDS is the monitoring service of Globus. As with GRAM, connections are initiated by the client from an ephemeral port and all traffic goes through a single hosting environment defined by port 8443/tcp. As for GRAM in GT3, for MDS in GT3 this port is 8080/tcp.
• MyProxy: As mentioned in Chap. 9, MyProxy is a credential storage service for X.509 credentials. MyProxy connections are authenticated and secured with GSI and are normally made from ephemeral ports on the client to 7512/tcp on the server.
• GridFTP: Like any FTP service, GridFTP requires two different channels: a control channel and a data channel. The control connection is established from a controllable ephemeral port on the client to the well-known static port 2811/tcp on the server. In the case of a single data channel, the connection is established from a controllable ephemeral port on the client to a controllable ephemeral port on the server. In the case of third-party transfers (a client controlling a file transfer between two servers), this connection may be from one server to another server. In the case of multiple parallel data channels, the direction of connection establishment depends on the direction of data flow: the connection is made in the same direction as the data flows.
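The port requirements above translate into a small default-deny inbound policy on a Globus host, with the GridFTP data channels confined to the controllable ephemeral range rather than to every port above 1024. The following is an added example, not code from the book or from the Globus Toolkit: the Rule type, the helper names and the sample range 40000-40100 are assumptions; GLOBUS_TCP_PORT_RANGE is the Toolkit setting that constrains controllable ephemeral ports.

```python
"""Inbound firewall policy for a Globus host, modelled from the port requirements
listed above.  Constructed example (not Globus Toolkit code): Rule, the helper
names and the sample controllable range 40000-40100 are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str   # "tcp" or "any"
    lo: int      # first destination port matched
    hi: int      # last destination port matched (== lo for a single port)
    action: str  # "ACCEPT" or "DROP"


def globus_inbound_rules(gt_version=4, port_range=(40000, 40100)):
    """Server-side rules for the components of Figure 8.2.

    port_range is the controllable ephemeral range the GridFTP server is confined
    to (GLOBUS_TCP_PORT_RANGE); only that range is opened for incoming data
    channels (single-channel transfers, and parallel or third-party transfers
    whose data flows toward this server)."""
    hosting = 8443 if gt_version == 4 else 8080  # GT3 hosting environment used 8080/tcp
    lo, hi = port_range
    return [
        Rule("GSI (ssh-style)", "tcp", 22, 22, "ACCEPT"),
        Rule("GRAM hosting environment", "tcp", hosting, hosting, "ACCEPT"),
        Rule("MDS hosting environment", "tcp", hosting, hosting, "ACCEPT"),
        Rule("MyProxy", "tcp", 7512, 7512, "ACCEPT"),
        Rule("GridFTP control", "tcp", 2811, 2811, "ACCEPT"),
        Rule("GridFTP data channels", "tcp", lo, hi, "ACCEPT"),
        Rule("default deny", "any", 0, 65535, "DROP"),
    ]


def to_iptables(rules, chain="INPUT"):
    """Render the rule list as iptables commands on a default-deny chain."""
    lines = [f"iptables -P {chain} DROP",
             f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        if r.action == "DROP":
            continue  # already covered by the chain policy
        ports = str(r.lo) if r.lo == r.hi else f"{r.lo}:{r.hi}"
        lines.append(f"iptables -A {chain} -p {r.proto} --dport {ports} "
                     f"-m conntrack --ctstate NEW -j {r.action}   # {r.name}")
    return lines


def evaluate(rules, proto, dport):
    """First-match evaluation of a new inbound connection, as the chain would do it."""
    for r in rules:
        if r.proto in ("any", proto) and r.lo <= dport <= r.hi:
            return r.action, r.name
    return "DROP", "implicit"


if __name__ == "__main__":
    print("\n".join(to_iptables(globus_inbound_rules())))
    for port in (2811, 40050, 40101, 8443):
        print(port, evaluate(globus_inbound_rules(), "tcp", port))
```

The rendered rules are deliberately restricted to NEW connections on the server's listening ports, so the ephemeral client-side ports never need to be opened inbound; only the controllable range on the server is exposed, and a GridFTP data connection arriving outside that range is dropped.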
Adaptive Firewall for the Grid (AGF)
The Adaptive Firewall for the Grid (AGF) [147] is a project done at the Technical University of Denmark (DTU). The main motivation behind the work is the observation that, to meet the grid firewall requirements, administrators need to open several well-known ports and a range of ephemeral ports for incoming connections. This can be dangerous, as adversaries may be able to sneak into the system through the open ports. The AGF system develops a mechanism by which the firewall can adaptively open and close ports based on service requests. The firewall opens the ports when it receives authenticated requests, and closes them when there is no service activity on those ports.
The different messages exchanged by the client and the server, illustrated in Figure 8.3, are as follows.
• ASK is sent from client and is the first message for a session. The message indicates that the client wants to open a port.
• Once the server receives the ASK message from the client, the server sends the CHAL message to the client. This contains a challenge to the client, encrypted with the client’s primary key. It also includes the session key to be used.
• The third message is the PORT message which is sent from the client and includes the expected port number that the client wants to open.
• On receiving the PORT message, an OPEN message is sent from server indicating the firewall could be opened for such a port.
• Then, a KEEP message is sent from the client, confirming that the client wants to open the firewall. The server then opens the firewall.
• ACK is sent from server, indicating the firewall has opened, and the client should continue to send the keep-alive message.
• KEEP and ACK are continuously sent between client and server, until termination of the connection takes place.
• TERM is sent from the client when the client wants to terminate the firewall. The server closes the firewall when such a message is received.
• “TACK” is sent from server, acknowledging that the server has terminated the firewall. All the previous messages (from PORT to TACK) are encrypted by the shared session key.
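The exchange above can be exercised end to end as a pair of state machines: the server issues a challenge and a session key under the client's long-term key, opens the firewall only on the first KEEP after a valid PORT, and closes it on TERM or when the keep-alives stop. The following is an added example, not the DTU project's code: the wire encoding, the HMAC-SHA256 based seal/unseal standing in for the session cipher, the shared long-term client key, the allowed port range and the idle timeout are all assumptions.

```python
"""Simulation of the AGF message exchange (ASK, CHAL, PORT, OPEN, KEEP, ACK, TERM, TACK).
Constructed example: encoding, cipher stand-in, long-term key and idle timeout are assumptions."""
import hashlib, hmac, os, struct

def _pad(key, nonce, n):
    # Keystream of concatenated HMAC-SHA256 blocks (stand-in for a real cipher).
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _pad(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _pad(key, nonce, len(ct))))

class Firewall:
    """Stand-in for the packet filter: only records which ports are open."""
    def __init__(self): self.open_ports = set()
    def open(self, port): self.open_ports.add(port)
    def close(self, port): self.open_ports.discard(port)

class AgfServer:
    def __init__(self, fw, client_key, allowed=(40000, 40100), idle_timeout=30):
        self.fw, self.client_key, self.allowed, self.idle = fw, client_key, allowed, idle_timeout
        self.sessions = {}  # client name -> session state

    def handle(self, client, msg, now):
        kind, body = msg
        s = self.sessions.get(client)
        if kind == "ASK":  # first message of a session: fresh challenge and session key
            challenge, key = os.urandom(16), os.urandom(32)
            self.sessions[client] = dict(state="challenged", challenge=challenge, key=key, port=None, last_seen=now)
            return "CHAL", seal(self.client_key, challenge + key)  # under the client's long-term key
        if s is None:
            return "ERR", b"no session"
        try:
            plain = unseal(s["key"], body)  # everything from PORT on is sealed with the session key
        except ValueError:
            return "ERR", b"bad tag"
        if kind == "PORT" and s["state"] == "challenged":
            echo, port = plain[:16], struct.unpack(">H", plain[16:18])[0]
            if not hmac.compare_digest(echo, s["challenge"]) or not self.allowed[0] <= port <= self.allowed[1]:
                del self.sessions[client]
                return "ERR", b"challenge or port refused"
            s.update(state="offered", port=port)
            return "OPEN", seal(s["key"], plain[16:18])
        if kind == "KEEP" and s["state"] in ("offered", "open"):
            if s["state"] == "offered":
                self.fw.open(s["port"])  # the first KEEP is what actually opens the firewall
            s.update(state="open", last_seen=now)
            return "ACK", seal(s["key"], b"ack")
        if kind == "TERM":
            self.fw.close(s["port"])
            del self.sessions[client]
            return "TACK", seal(s["key"], b"tack")
        return "ERR", b"unexpected message"

    def expire(self, now):
        """Close ports whose client sent no KEEP within idle_timeout."""
        for client, s in list(self.sessions.items()):
            if s["state"] == "open" and now - s["last_seen"] > self.idle:
                self.fw.close(s["port"])
                del self.sessions[client]

class AgfClient:
    def __init__(self, key, name="client-a"):
        self.key, self.name, self.session = key, name, None
    def ask(self): return "ASK", b""
    def on_chal(self, blob, port):  # recover challenge and session key, reply with PORT
        plain = unseal(self.key, blob)
        self.session = plain[16:]
        return "PORT", seal(self.session, plain[:16] + struct.pack(">H", port))
    def keep(self): return "KEEP", seal(self.session, b"keep")
    def term(self): return "TERM", seal(self.session, b"term")

def run_session(port=40010, idle_timeout=30, drop_keepalives=False):
    """Drive one exchange; returns (message kinds seen, ports open after the first ACK, ports open at the end)."""
    fw, key = Firewall(), os.urandom(32)
    server, client = AgfServer(fw, key, idle_timeout=idle_timeout), AgfClient(key)
    kinds = []
    reply = server.handle(client.name, client.ask(), now=0)
    kinds.append(reply[0])
    reply = server.handle(client.name, client.on_chal(reply[1], port), now=1)
    kinds.append(reply[0])
    kinds.append(server.handle(client.name, client.keep(), now=2)[0])
    open_after_ack = set(fw.open_ports)
    if drop_keepalives:  # client falls silent: the idle timer, not TERM/TACK, closes the port
        server.expire(now=2 + idle_timeout + 1)
    else:
        kinds.append(server.handle(client.name, client.keep(), now=3)[0])
        kinds.append(server.handle(client.name, client.term(), now=4)[0])
    return kinds, open_after_ack, set(fw.open_ports)
```

Two points the simulation makes concrete: the server never opens anything before a challenge response arrives under the session key, so an unauthenticated ASK alone changes no firewall state; and because the port is closed when KEEP messages stop, a client that crashes after opening a port leaves it exposed only until the idle timeout runs out.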