POLICY '09 Proceedings of the 2009 IEEE International Symposium on Policies for Distributed Systems and Networks
In today's distributed computing environments, such as Grids and Clouds, authentication and authorization decisions take place in the middleware or on the compute and storage resources themselves. Thus, in both cases the decision is made within the local network of the hosting organization. This is due to several drawbacks of common firewalls. For one, most firewalls only use the tuple of IP addresses, port numbers and protocol parameters to decide which connections are legitimate and which are not. This offers minimal configurability, which in complex environments like the Grid or the Cloud is not sufficient for optimal fine-grained decisions. Also, the inability of application-level firewalls to deal with dynamically opened server ports for encrypted connections, such as those used by GridFTP, requires very lax firewall rules to be set if the Grid or Cloud is to operate unhindered. In this paper a solution is presented that moves the authorization enforcement forward into the firewall. The presented system enables an authorization of each connection based on the user's individual Grid or Cloud attributes. Extending our TCP-AuthN mechanism enables the firewall to operate as a Policy Enforcement Point (PEP) according to the authorization architecture presented in the XACML standard, and enables site administrators to turn back unwanted traffic at the border instead of on the resources themselves.
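The following is an added illustrative model, not the paper's code, of the architecture the abstract describes: a border firewall acting as a PEP that hands each new connection, together with the Grid attributes assumed to have been bound to it by the extended TCP-AuthN handshake, to a PDP with XACML-style deny-overrides combining. The rule format, the "bio" VO and the data-port range are constructed assumptions; only 2811 is the conventional GridFTP control port.

```python
# Illustrative model (not the paper's code): border firewall as XACML-style PEP.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ConnectionRequest:
    """A new TCP connection at the border plus the (assumed) TCP-AuthN-bound Grid attributes."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    subject: dict  # e.g. {"vo": "bio", "role": "user"}; empty when unauthenticated

@dataclass
class Rule:
    """One policy rule; every listed condition must hold for it to apply."""
    effect: str                                   # "Permit" or "Deny"
    subject: dict = field(default_factory=dict)   # required subject attributes
    dst_ports: Optional[range] = None             # target port range, None = any
    protocol: Optional[str] = None                # target protocol, None = any

    def applies(self, req: ConnectionRequest) -> bool:
        if any(req.subject.get(k) != v for k, v in self.subject.items()):
            return False
        if self.dst_ports is not None and req.dst_port not in self.dst_ports:
            return False
        return self.protocol is None or self.protocol == req.protocol

def decide(policy: list, req: ConnectionRequest) -> str:
    """PDP, deny-overrides: a matching Deny beats any Permit; no match is NotApplicable."""
    effects = {r.effect for r in policy if r.applies(req)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pep_admit(policy: list, req: ConnectionRequest) -> bool:
    """PEP: forward only on an explicit Permit; Deny and NotApplicable are turned back."""
    return decide(policy, req) == "Permit"

# Constructed sample policy (VO name and data-port range are made up): "bio" VO
# members may reach GridFTP control (2811) and the data ports; suspended accounts are refused.
POLICY = [
    Rule("Permit", {"vo": "bio"}, range(2811, 2812), "tcp"),
    Rule("Permit", {"vo": "bio"}, range(50000, 50101), "tcp"),
    Rule("Deny", {"role": "suspended"}),
]
# Three connections with the same 5-tuple, which a plain packet filter cannot tell apart.
TUPLE = ("192.0.2.10", "198.51.100.5", 2811, "tcp")
REQ_MEMBER = ConnectionRequest(*TUPLE, {"vo": "bio", "role": "user"})
REQ_ANON = ConnectionRequest(*TUPLE, {})
REQ_SUSPENDED = ConnectionRequest(*TUPLE, {"vo": "bio", "role": "suspended"})
```

Only REQ_MEMBER is admitted; the other two share its addresses, port and protocol and would pass a tuple-only rule set, which is exactly the gap the attribute-based PEP closes.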