Dataplane and Content Security on Optical Networks panel


Title: Dataplane and Content Security on Optical Networks panel


1
Dataplane and Content Security on Optical
Networks panel
2
Agenda
  • Digital Media Security - Laurin Herr
  • Data Encryption - Kim Roberts
  • Firewall Issues - Leon Gommans
  • Discussion.

3
Firewall Issues and the Grid
Leon Gommans - University of Amsterdam
4
Perspective
It would be good if grandma went to a retirement
home
5
Perspective
It is a good thing that we have firewalls
6
Prevention: both good and bad
[Diagram labels: Grid Application Issues; Network Security Issues; Firewall; "Network safety!"; "My application needs to work!"; Network Security Cycle: Prevent, Detect, Act]
7
Firewall Issues Research Group
  • Research Group at the Global Grid Forum
    (www.ggf.org)
  • Scope: issues with firewall-style functions
  • Functional, Control, Performance, Organizational
    issues
  • Firewalls NATs, VPN gateways, Application
    gateways
  • First formal meeting held at the June GGF meeting in
    Chicago.
  • Looking for additional participation from
    applications

8
Charter items
  • Collect and document issues from the grid
    viewpoint.
  • Define the categories of issues.
  • Study existing technologies available
  • Identify gaps and define requirements for
    standards bodies.
  • Issue document also handy for Network Security
    People.
  • Research alternative ways to ensure network
    security.

9
Contributions received so far
  • German Aerospace Centre
      • Workflow driven firewall control requirements.
  • Forschungszentrum Juelich
      • Authorization requirements
  • Argonne National Laboratory
      • Why GridFTP needs a firewall garage door
        opener
      • External clients using WS End Point References
        behind a firewall
  • University of Amsterdam
      • Integrate firewalls long haul optical (peer)
        connections.
      • Using EAP as garage door opener
  • Your contribution?

10
Example: GridFTP
  • Firewall administrators don't want to open 1002
    holes in their firewall. Any questions?
  • Globus recommends opening ports 50.000-51.000
    (1001)
  • GridFTP: single control channel port (2811),
    multiple data ports in the Globus port range.
  • Protocol requires that the sending side does the
    TCP connect.
  • Which port(s) will be used is only known
    at the last moment.
  • 8 streams per file transfer has proven to be
    reasonable.
  • GridFTP needs a garage-door opener for
    individual ports at the time of transfer. The door
    must also close automatically.
  • Thinking about an EAP-style solution (as used in
    802.1X WLANs) where you authenticate an
    application instead of a user. Application
    profiles determine which holes are allowed.
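
A sketch of the garage-door opener described on this slide, as an added example that is not part of the original presentation: data ports are denied by default, an authenticated application may open individual ports for one transfer within its profile, and each hole closes by itself. The HMAC tag stands in for an EAP-style exchange; the key, the 30-second lifetime and all names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed application profile: which holes an authenticated application may ask for.
PROFILES = {
    "gridftp": {"key": b"constructed-demo-key", "ports": range(50000, 51001),
                "max_streams": 8, "ttl": 30.0},
}

def _message(app, src, dst, ports):
    return f"{app}|{src}|{dst}|{','.join(map(str, ports))}".encode()

def sign(app, src, dst, ports):
    """Application side: tag a request (HMAC stands in for the EAP-style exchange)."""
    return hmac.new(PROFILES[app]["key"], _message(app, src, dst, ports),
                    hashlib.sha256).hexdigest()

class PinholeController:
    """Default-deny data ports; pinholes are per transfer and close by themselves."""

    def __init__(self):
        self.pinholes = {}  # (src, dst, dport) -> expiry time in seconds

    def request(self, app, tag, src, dst, ports, now):
        """Open the requested ports for one transfer; return the ports opened."""
        profile = PROFILES.get(app)
        if profile is None:
            return []
        if not hmac.compare_digest(sign(app, src, dst, ports), tag):
            return []  # application not authenticated
        if len(ports) > profile["max_streams"]:
            return []  # more streams than the profile allows
        if any(p not in profile["ports"] for p in ports):
            return []  # hole outside the profile's port range
        for p in ports:
            self.pinholes[(src, dst, p)] = now + profile["ttl"]
        return list(ports)

    def allows(self, src, dst, dport, now):
        """Firewall decision for a TCP connect from the sending side (src)."""
        expiry = self.pinholes.get((src, dst, dport))
        if expiry is None:
            return False
        if now >= expiry:
            del self.pinholes[(src, dst, dport)]  # the door closes automatically
            return False
        return True
```
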

11
Optical long haul network
[Figure: labels include Grid VO, Multi-domain control and management plane, Grid App, Internet, Bypass, FireWall, DMZ, Grid FTP, and points A, B, C, D]
12
Future documents
  • Requirements towards standards bodies
  • IETF NSIS, MIDCOM, EAP
  • Trusted Computing Group
  • Trusted Computing Architecture
  • EAP extensions for virus checking
  • Research into new directions
  • Token Based networking
  • High speed encryption
  • Workflow system integration
  • etc.