
Dear all,

my name is Ralph Niederberger. I am one of the chairs of the FVGA-WG at OGF. We are currently investigating the design of a new protocol for the dynamic opening of ports within firewalls by authorized user applications.

Sorry for crossposting to all of the infrastructure-area mailing lists, but I would like to get feedback from all of you concerning a draft protocol we are just preparing within our group. And because our area directors did not provide me with information on an infrastructure-area mailing list where I could send it once, I had to send it to all RGs/WGs.

The draft description I have appended to this email.

It would be very helpful if you could comment on this proposal, so that the Firewall Virtualisation for Grid Applications Work Group can work on your comments at the next OGF meeting.

We know that there are many other developments which have already tried to solve this issue, but we have not seen any solution which is widely used and/or provides a similarly easy-to-use interface and broad range of usability.

Our intention is to get as much feedback as possible, so that we can decide as soon as possible whether the direction we are going in is the right one or whether we have missed anything important.

Depending on your feedback, we would like to go for this solution or change the draft accordingly.

Then we would like to start the following steps in parallel:

a.) Getting in touch with IETF for standardization issues.
b.) Implementation of a first, very limited prototype (showing that it works as suggested).

Step b could be separated into different parts:

b1.) prototype implementation for Linux iptables
b2.) prototype in close cooperation with a firewall developer (-> a first FiTP-aware firewall). Anyone having contact to these guys would be fine.
b3.) Communication prototypes for out-of-band signalling, i.e. for firewalls which are FiTP-unaware. So the auth server has to start a subroutine for firewall configuration (via CLI, special firewall management software, https, ...). b3 could be done for several firewall systems, e.g. Cisco PIX, Checkpoint, ... Here we would need experts having access to those kinds of firewalls within test environments.

Next steps are very dependent on the outcome of steps a.) and b.) above.

I would like to thank you all in advance for your feedback.

best regards
Ralph Niederberger

--
***************************************************
Ralph Niederberger
Juelich Supercomputing Centre
Institute for Advanced Simulation
Phone: +49 2461 61-4772
Fax: +49 2461 61-6656
E-Mail: r.niederberger@fz-juelich.de
WWW: http://www.fz-juelich.de/jsc/
JSC is the coordinator of the John von Neumann Institute for Computing and member of the Gauss Centre for Supercomputing
***************************************************
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Amtsgericht Düren, No. HR B 3498
Chairwoman of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Management Board: Prof. Dr. Achim Bachem (Chairman), Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr. Harald Bolt, Dr. Sebastian M. Schmidt
***************************************************
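As an added illustration of the auth-server role in steps b1/b3 above (example code written for this page, not FVGA-WG or FiTP code; the draft's message format is not on this page, so the request shape, the policy table and the iptables rule form are assumptions): the server checks that a pinhole request stays within a permitted 5-tuple and a bounded lifetime before it generates the iptables insert command together with the exact delete command needed to close the hole again.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed policy table (an assumption, not from the draft): per principal, the
# destination network, port range and longest lifetime a pinhole may have.
POLICY = {"alice@example.org": {"dst_net": "10.0.0.0/24",
                                "ports": range(50000, 50100), "max_ttl": 600}}
HARD_MAX_TTL = 3600  # seconds; applied regardless of per-user policy

@dataclass(frozen=True)
class PinholeRequest:
    """Hypothetical request shape; the real FiTP message format is not on this page."""
    user: str      # authenticated principal (authentication is assumed done upstream)
    src_ip: str    # client address the application connects from
    dst_ip: str    # server address behind the firewall
    dst_port: int
    proto: str     # "tcp" or "udp"
    ttl: int       # requested pinhole lifetime in seconds

def validate(req):
    """Return None if the request is within policy, else the reason it is refused."""
    pol = POLICY.get(req.user)
    if pol is None:
        return "unknown principal"
    if req.proto not in ("tcp", "udp"):
        return "unsupported protocol"
    try:
        ipaddress.ip_address(req.src_ip)
        dst = ipaddress.ip_address(req.dst_ip)
    except ValueError:
        return "malformed address"
    if dst not in ipaddress.ip_network(pol["dst_net"]):
        return "destination outside permitted network"
    if req.dst_port not in pol["ports"]:
        return "port outside permitted range"
    if not 0 < req.ttl <= min(pol["max_ttl"], HARD_MAX_TTL):
        return "ttl out of bounds"
    return None

def iptables_rules(req):
    """Insert and matching delete command for one 5-tuple pinhole. Only NEW connections
    are matched; an ESTABLISHED,RELATED accept rule is assumed to exist already."""
    match = ["-p", req.proto, "-s", req.src_ip, "-d", req.dst_ip, "--dport", str(req.dst_port),
             "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
    add = " ".join(shlex.quote(a) for a in ["iptables", "-I", "FORWARD"] + match)
    delete = " ".join(shlex.quote(a) for a in ["iptables", "-D", "FORWARD"] + match)
    return add, delete
```

The delete command must be scheduled by the same component that ran the insert, and re-issued on restart, so that a crashed auth server never leaves a pinhole open past its ttl.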

Ralph,

This is an increasingly important topic - I would like to see cloud infrastructure workloads (especially virtual machines) sandboxed by default and pinholes created for requisite services. For bonus points, the ability to specify application-level parameters such as allowable HTTP verbs and URL regexps would be helpful. I also think this would be a worthy extension for OCCI at some point in the future (as this is a sensible place for such configuration).

I fear that this specific implementation could be a little on the complex side and would prefer to see something like a simple text protocol (e.g. ufw, http://www.ubuntugeek.com/ufw-uncomplicated-firewall-for-ubuntu-hardy.html) over SSL/HTTPS, though I admit I haven't fully considered the security model.

I would suggest this is something we can discuss together after the implementable draft is done next month.

Sam

On Wed, Apr 22, 2009 at 10:58 AM, Ralph Niederberger <r.niederberger@fz-juelich.de> wrote:
_______________________________________________ occi-wg mailing list occi-wg@ogf.org http://www.ogf.org/mailman/listinfo/occi-wg

Hi Ralph -

You mentioned IETF, perhaps the BEHAVE WG [1] might be a useful port of call. They aim to introduce and track "best current practices to enable NATs to function in as deterministic a fashion as possible."

HTH,
Andy

[1] http://www.ietf.org/html.charters/behave-charter.html

-----Original Message-----
From: occi-wg-bounces@ogf.org [mailto:occi-wg-bounces@ogf.org] On Behalf Of Ralph Niederberger
Sent: 22 April 2009 09:59
To: fvga-wg@ogf.org; ghpn-rg@ogf.org; Network Markup Language Working Group; nmc-wg@ogf.org; nm-wg@ogf.org; nsi-wg@ogf.org; occi-wg@ogf.org
Subject: [occi-wg] Comments on draft OGF protocol description requested

-------------------------------------------------------------
Intel Ireland Limited (Branch)
Collinstown Industrial Park, Leixlip, County Kildare, Ireland
Registered Number: E902934
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.