LCG Firewall System

Introduction

In order to enhance the protection of the Grid from external attacks, a firewall service for the Grid components is desired. This firewall would enable them to isolate the changing list of external hosts that are part of the Grid from the rest of the Internet.

Such a firewall would need to be distributed amongst the different participants, and its rules would need to be built and updated dynamically in order to:

  • include the different (sub)networks that may be used by a site;
  • dynamically integrate and exclude Grid sites;
  • insure that the rules have not been tampered with.

Proposed solution

The GOC database contains a Firewall entry, which is intended to store the trusted network for the site as a comma-separated list of IP/MASK addresses. The firewall system would consist of a server host that queries periodically the GOC DB, checks (as possible) that the network addresses are valid, and creates and publishes a iptables configuration file that can be pulled by a client in order to be isolated from outside the grid.

fw-arch2.png

Security considerations

  • All the transactions between hosts will be mutually authenticated through exchange of X.509 certificates.
  • Download of the published file is only authorized to clients known to belong to the grid.
  • The server must validate that the network addresses published in the GOC DB are meaningful, in order to avoid addresses like '0.0.0.0/32' to interfere with the proper configuration of the clients.
  • The client must check that the downloaded configuration doesn't leave it without network access.

System components

At the server side:
  1. A querier process, run periodically as a cron job, that:
    • queries the GOC DB to get the list of networks that compose the grid,
    • performs the required sanity checks to the data,
    • creates a iptables configuration file, and
    • stores the file in a location where the publisher can read it.
  2. A publisher web application, that:
    • handles the authentication and authorization of the clients, and
    • publishes the configuration file.

At the client side:

  1. A client process, run periodically as a cron job, that:
    • pulls the published configuration,
    • verifies that the new configuration allows it to have network access,
    • installs it in the host, and
    • provides a rollback mechanism when the new configuration fails.

Proposed development steps

Querier
Analysis of validation of published addresses Done
Analysis of rule creation details Needs review
Coordinate with GOC a more convenient interface Pending
Implementation Done
Testing Pending
Client
Analysis of safety measures to avoid breaking local fw Done
Implementation Done
Testing Pending
Publisher
Analysis of client authorization mechanism Done
Definition of web server configuration Done
Implementation of the application Not needed
Testing Pending
Integration
Analysis of Querier-GOC authentication issues Done
Analysis of Publisher-Client authentication issues Done



Current situation

As of 6th september 2006:
  • only 4 sites have published their trusted network on their GOC DB entry;
  • the only way to perform the relevant query is by following these steps:
    1. download the front page of the GOC DB web interface, and parse the HTML code to get the site list from the site selection combo box;
    2. for each site, download its entry page, and parse the HTML code to get the firewall entry.
    This mechanism is very unconvenient, since it introduces unnecessary steps and makes the querying program to depend on a page layout that could eventually change.

-- Main.rbonvall - 11 Sep 2006

Edit | Attach | Watch | Print version | History: r23 < r22 < r21 < r20 < r19 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r21 - 2007-01-12 - unknown
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback