Early defense: enabling attribute-based authorization in Grid firewalls

  • Authors: Jan Wiebelitz, Michael Brenner, Christopher Kunz, Matthew Smith
  • Affiliation: Gottfried Wilhelm Leibniz Universität, Hannover, Germany (all authors)
  • Venue: Proceedings of the 19th ACM International Symposium on High Performance Distributed Computing
  • Year: 2010

Abstract

In today's distributed computing environments, such as Grids and Clouds, authentication and authorization decisions take place in the middleware or on the compute and storage resources themselves. In both cases, therefore, the decision is made inside the local network of the hosting organization. This is due to several drawbacks of common firewalls. For one, most firewalls only use the tuple of IP addresses, port numbers and protocol parameters to decide which connections are legitimate and which are not. This offers minimal configurability, which in complex environments like the Grid or the Cloud is not sufficient for fine-grained decisions. Furthermore, the inability of application-level firewalls to handle dynamically opened server ports on encrypted connections, such as those used by GridFTP, forces very lax firewall rules to be set if the Grid or Cloud is to operate unhindered. In this paper a solution is presented that moves authorization enforcement forward into the firewall. The presented system enables authorization of each connection based on the user's individual Grid or Cloud attributes. Extending our TCP-AuthN mechanism enables the firewall to operate as a Policy Enforcement Point (PEP) according to the authorization architecture defined in the XACML standard, and enables site administrators to turn back unwanted traffic at the border instead of on the resources themselves.