The fifth and final session of the Workshop on Operational Security at GGF12 was on “Firewalls and High-Performance Computing”. The four panelists were:
Reagan Moore, San Diego Supercomputing Center
Kate Keahey, Argonne National Laboratories
Mike Helm, ESNet/Lawrence Berkeley Labs
Frank Siebenlist, Argonne National Laboratories
The chair for the session, Dr. Bruce Barkstrom from the Atmospheric Sciences Data Center at NASA Langley Research Center, had requested that the panelists provide some experience with firewalls and see what light that experience sheds on the following questions:
Do we need firewalls with Grid?
If we don’t have firewalls, can we sell Grid computing to SAs and Security Managers?
Is there some way of reducing installation difficulties of Grid and firewalls?
Will firewall manufacturers help?
Dr. Reagan Moore provided a summary of approaches that had been taken with the Storage Resource Broker (SRB), for which there is now a substantial body of experience. It is probably fair to summarize this experience as suggesting that there are at least five work-arounds for dealing with the interaction between Grid computing and firewalls. Dr. Moore's slides illustrate how these work-arounds function, both on the client-side and on the server-side of an interaction and suggest some interesting variations when the software needs to deal with third-party authentication.
Dr. Kate Keahey provided comments on Grid computing and firewalls in the context of the National Fusion Collaboratory, where DOE policy mandates use of firewalls. From her standpoint, the largest problems come from the need for dealing with single sign-on continuity for an individual working on multiple sessions at several different locations. She also noted that design decisions are being made on the basis of the current situation with respect to firewalls – and that these decisions can “lock in” current technological responses to that situation.
Dr. Mike Helm dealt with the situation in the Fusion Grid, reiterating many of the points provided by Keahey. He noted in particular that there is a multiplicity of vendor solutions for authentication devices, which adds to the complexity of working with firewalls. He also pointed out that sites are moving to one-time passwords as a way of dealing with password hygiene.
Dr. Frank Siebenlist noted that the situation is complex, particularly given the requirements of marrying Grid technology to Web Services. In particular, the security policy must allow multiple transmissions.
Audience discussion following these panelists was lively. Three distinct options emerged:
Avoid firewalls and use Intrusion Detection Systems.
Use workarounds, as suggested by the approaches identified by Reagan Moore.
Look to the possibility of creating protocols that would allow scheduled interchanges of data or computation.
The liveliness of the discussion suggested that it may be appropriate for the Grid Forum to consider holding a BOF to consider recommendations on how to deal with the issues related to firewalls and Grid software. The author also notes that his security staff had suggested an interesting variant of option 3, known as “portknocking”. In this approach, communication may be opened if the party desiring a connection “tickles” the server ports with a pre-specified sequence of requests (see http://www.portknocking.org/ for details).
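To make the port-knocking variant concrete, here is a minimal server-side knock matcher replayed over a few constructed firewall drop-log events. It is example code written for this summary, not code from the workshop or from portknocking.org; the knock sequence, the time window and the source addresses are assumptions.

```python
"""Server-side port-knock matcher (added example; not code from the report).
A source must hit the agreed sequence of closed ports, in order, within a
time window before the real service port is opened to it. The sequence,
window and log events here are constructed assumptions."""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock sequence
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the sequence

class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = sequence
        self.window = window
        self.progress = {}   # src -> (knocks matched so far, time of first knock)
        self.opened = set()  # sources the service port has been opened to

    def observe(self, src, dport, ts):
        """Feed one dropped-packet event; True when it completes the sequence."""
        matched, started = self.progress.get(src, (0, ts))
        if matched and ts - started > self.window:
            matched, started = 0, ts       # partial sequence expired: start over
        if dport != self.sequence[matched]:
            # Wrong port resets; the packet may still be a valid first knock.
            self.progress[src] = (1, ts) if dport == self.sequence[0] else (0, ts)
            return False
        if matched == 0:
            started = ts
        matched += 1
        if matched == len(self.sequence):
            self.opened.add(src)           # here a firewall rule would be inserted
            self.progress.pop(src, None)
            return True
        self.progress[src] = (matched, started)
        return False

EVENTS = [  # constructed firewall drop log: (timestamp, source, destination port)
    (0.0, "10.0.0.5", 7000), (1.0, "10.0.0.5", 8000), (2.0, "10.0.0.5", 9000),
    (0.0, "10.0.0.9", 7000), (1.0, "10.0.0.9", 9000), (2.0, "10.0.0.9", 8000),
    (0.0, "10.0.0.7", 7000), (20.0, "10.0.0.7", 8000), (21.0, "10.0.0.7", 9000),
]

def replay(events, daemon=None):
    """Replay log events in order; return sources that completed the knock."""
    daemon = daemon or KnockDaemon()
    for ts, src, dport in events:
        daemon.observe(src, dport, ts)
    return sorted(daemon.opened)

if __name__ == "__main__":
    print(replay(EVENTS))  # only 10.0.0.5 knocked correctly and in time
```

The knock sequence itself travels in the clear, so this hides the service from unsolicited scans rather than authenticating the client; the Grid credentials still have to be checked once the port is open.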