LCG Firewall System
Introduction
In order to enhance the protection of the Grid from external attacks, a firewall service for the Grid components is desired. This firewall would enable them to isolate the changing list of external hosts that are part of the Grid from the rest of the Internet. Such a firewall would need to be distributed amongst the different participants, and its rules would need to be built and updated dynamically in order to:- include the different (sub)networks that may be used by a site;
- dynamically integrate and exclude Grid sites;
- insure that the rules have not been tampered with.
Proposed solution
The GOC database
contains a Firewall entry, which is intended to store the trusted network for the site as a comma-separated list of IP/MASK addresses. The firewall system would consist of a server host that queries periodically the GOC DB, checks (as possible) that the network addresses are valid, and creates and publishes a iptables configuration file that can be pulled by a client in order to be isolated from outside the grid.
Security considerations
- All the transactions between hosts will be mutually authenticated through exchange of X.509 certificates.
- Download of the published file is only authorized to clients known to belong to the grid.
- The server must validate that the network addresses published in the GOC DB are meaningful, in order to avoid addresses like '0.0.0.0/32' to interfere with the proper configuration of the clients.
- The client must check that the downloaded configuration doesn't leave it without network access.
System components
At the server side:- A querier process, run periodically as a cron job, that:
- queries the GOC DB to get the list of networks that compose the grid,
- performs the required sanity checks to the data,
- creates a iptables configuration file, and
- stores the file in a location where the publisher can read it.
- A publisher web application, that:
- handles the authentication and authorization of the clients, and
- publishes the configuration file.
- A client process, run periodically as a cron job, that:
- pulls the published configuration,
- verifies that the new configuration allows it to have network access,
- installs it in the host, and
- provides a rollback mechanism when the new configuration fails.
Proposed development steps
| Querier | ||
|---|---|---|
| Analysis of validation of published addresses | Pending | 22-26 Oct |
| Analysis of rule creation details | Pending | |
| Coordinate with GOC a more convenient interface | Pending | |
| Implementation | Pending | |
| Testing | Pending | |
| Client | ||
| Analysis of safety measures to avoid breaking local fw | Pending | 22-26 Oct |
| Implementation | Pending | |
| Testing | Pending | |
| Publisher | ||
| Analysis of client authorization mechanism | In progress | 16-20 Oct |
| Definition of web server configuration | Pending | |
| Implementation of the application | Pending | |
| Testing | Pending | |
| Integration | ||
| Analysis of Querier-GOC authentication issues | Pending | |
| Analysis of Publisher-Client authentication issues | In progress | 16-20 Oct |
Current situation
As of 6th september 2006:- only 4 sites have published their trusted network on their GOC DB entry;
- the only way to perform the relevant query is by following these steps:
- download the front page of the GOC DB web interface, and parse the HTML code to get the site list from the site selection combo box;
- for each site, download its entry page, and parse the HTML code to get the firewall entry.
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback