Dealing with Internet Connectivity in Distributed Computing

1
Dealing with Internet Connectivity in Distributed
Computing
2
Firewalls Private Networks

• Firewalls
• provide cheap and good way to protect networks
• becoming headquarters of integrated security
  systems
• Private networks
• A solution to IPv4 address shortage problem
• Easy network management and easy address planning
• We have many firewalls and private networks
  deployed and will continue to have them in the
  future

3
Problems

• Non-universal connectivity
• Asymmetric connectivity
• Collaboration becomes difficult or impossible
• Resources are wasted

4
Agenda

• Introduction
• DPF (Dynamic Port Forwarding)
• GCB (Generic Connection Brokering)
• eGCB (extended GCB)
• Conclusion

5
Dynamic Port Forwarding
B socket()
bind(B, ANY)
getsockname(B, X)
Server app

A socket()
DPF agent
connect(A, X)
NAT
DPF lib
Client
X ?? B
6
DPF

• Basic Idea On-demand open/close
• Supporting Environments
• Headnode Linux NAT box
• DPFnized private application
• Regular public application

7
DPF

• DPF can be used with any firewall that allows you
  to control opening/closing through the following
  APIs
• open (local, remote, sec)
• timeout (sec), where sec may be 0 to close the
  opening
• list
• Confirms MIDCOM specification at semantics level

8
GCB socket registration
B socket()
bind(B, ANY)
getsockname(B, X)
GCB lib
GCB lib
Broker
9
GCB passive connection
connect(A, X)
GCB lib
GCB lib
Broker
10
GCB relay connection
connect(A, X)
GCB lib
GCB lib
Broker
11
GCB

• Basic Idea reversing the direction underneath
  the application
• Supporting Environments
• No requirement to firewalls
• Outbound connections are allowed
• Broker is placed either on the edge or outside of
  the private network

12
eGCB (extended GCB)

• Support for multiple connection mechanisms
• Integration of DPF GCB
• Security to protect the Broker
• Extension to DPF
• On-demand open/close for outbound connections

13
Support for Multiple Methods
14
Connection Setup
inagent
15
Conclusions

• DPF requires administrative and technical control
  on headnodes but it is fast and scalable
• GCB is a little slower than DPF but requires no
  control on headnodes
• The combination of DPF and GCB supports wider
  range of network setting than any other system
• GCB and eGCB are generic mechanisms and can be
  used any application

16
Thank you!Sonny (Sechang) SonRm
3387sschang_at_cs.wisc.edu
17
Ways to handle

• Manual opening
• Same effect as not having firewall for the range
  of addresses
• Impossible for administrator to know how many and
  how long addresses must be opened
• Deceiving firewalls
• War between firewalls and firewall-friendly
  software
• We need a cooperative way!

18
Security Enforcement
Security Enforcement
inagent
Sec. Req.
Sec. Req.