[fi-rg] Documents from our first session

Inder Monga imonga at nortel.com
Fri Jul 8 17:41:51 CDT 2005


Hi All,

Thanks for a good session at GGF14.

The documents presented at the first RG session of the Firewall Issues group have
been uploaded to the forge.gridforum.org website:
https://forge.gridforum.org/docman2/ViewCategory.php?group_id=157&category_id=1094

The minutes are attached below (and have been uploaded to the website above
as well) :- thanks to Ralph for taking such good notes!!!

Inder

----------------------


Minutes of the GGF 14 - Firewall Issues - Research Group,
				Wednesday, 29th, 2005 Chicago

1.)	Agenda bashing, find note taker, sign-up sheets, IPR 

Leon Gommans opened the session at 9:00 AM, welcoming all participants. He
first introduced the proposed agenda for the session, which was agreed on.

The proposed agenda was as follows:

	1)	09:00 	Agenda bashing, find note taker, sign-up sheets, IPR
	2)	09:05 	Charter - Leon Gommans
	3)	09:15 	Firewall issues experienced by DLR - Leon Gommans
	4)	09:25 	Gridftp issues - Bill Allcock
	5)	09:40 	Document #1: Objectives and Discussion - Inder Monga
	6)	10:15 	Research into Token Based Networking - Leon Gommans
	7)	10:30 	Close.

Additional information:

Mailing list:		fi-rg at ggf.org

Projects page:		https://forge.gridforum.org/projects/fi-rg

Chairs:
	Leon Gommans:	lgommans at science.uva.nl
	Inder Monga:	imonga at nortel.com

2.)	Charter - Leon Gommans
 
The first idea of a Firewall Issues group came up at GGF 12, where it was
decided to present a "Firewall Issues - Working Group Charter" at GGF 13 in
Korea in March 2005. The group was to produce an informational document to
help GGF deal with these aspects; additionally, a performance analysis and
classification of the issues was to be provided.

Closer to GGF 14 it was decided to change the charter text and to change the
group from a working group to a research group. In the meantime the
"Firewall Issues - Research Group" has been formed and officially announced.

The new objectives of the research group became:

	*	Spur standards development within IETF and GGF.
	*	Produce an informational document to help GGF, network security
		people and product vendors understand grid-specific issues.
	*	Perform analysis and classification of issues.
	*	Produce informational documents that analyse existing solutions,
		identify shortcomings and indicate solution directions.
	*	Produce a separate results document specifically for IETF.



The new charter is shown below:

"Description of Work:

Grids increasingly require application driven transport privileges from the
network. As such, the network is asked to enforce policy decisions on behalf
of various entities participating in an application. For this purpose, the
network employs functions such as firewalls, network address translators,
application level gateways, VPN style gateways etc.

The research group will first document the type of issues that Grid
applications experience when the need arises to control data transport
policy enforcement devices. Some examples are highlighted in GFD.37. Once
the types of issues have been identified, the group will relate these issues
to specific categories of enforcement devices.

The first group of devices falls into the category the IETF refers to as
"middle-boxes". The group will deliver a document that will analyze and
categorize scenarios using existing IETF protocols, architectures and
frameworks. The analysis will also try to identify functionalities for which
the current state of technology appears not to provide solutions for the
Grid.

The work to be considered includes the work of the following IETF groups:

	* midcom - "middlebox" communication:
	  http://www.ietf.org/html.charters/midcom-charter.html
	* aft - Authenticated Firewall Traversal:
	  http://www.ietf.org/html.charters/aft-charter.html
	* nsis - Next Steps in Signaling:
	  http://www.ietf.org/html.charters/nsis-charter.html


Subsequent areas of research will include the description and evaluation of
the following categories of devices:

	* Application Level Gateways.
	* Host based firewall functions.
	* VPN style gateways.

Existing documents from the grid community will be used as a starting point.
Relevant output of this Research Group will be brought to the attention of
the IETF via the GGF liaison to the IETF.

Goals and Milestones:

Submit informational documents that describe:

	1)	An inventory of the type of issues when Grid jobs have to deal with
		middle-box functions, application level gateways, VPN style gateways,
		etc. Describe and classify the issues in document #1.
	2)	An evaluation of existing IETF middle-box (signaling-) protocols and
		functions. Recognize possible limitations and produce a list of
		requirements towards the IETF in document #2.
	3)	An evaluation of approaches and solutions such as application level
		gateways, host based firewalls, VPN style gateways etc. Capture
		results in document #3.


GGF13:	Charter discussion and group volunteers (done).
GGF14:	Collection of existing documents with group discussions.
GGF15:	First draft of document #1 and group discussions.
GGF16:	WG last-call and submission of doc #1. Draft of doc #2 and group
	discussions.
GGF17:	WG last-call and final submission of document #2.
GGF18:	Draft document #3 and group discussions.
GGF19:	2nd draft of document #3 with group discussions.
GGF20:	WG last-call and final submission of document #3.
"

Questions arose throughout the presentation:

Q:	Is a firewall always IP based?
A:	We have to define explicitly within our documents what we mean by a
	firewall.

Q:	What will be the impact on IETF? Is anything we do relevant to IETF?
A:	We want to produce a couple of documents, so only some of these issues
	will be relevant to IETF. Others target other groups:
	*	Document #1 is some kind of inventory.
	*	Document #2 is for information / requests to IETF.
	*	Document #3 is a document for firewall vendors containing what we
		think should be provided/developed/implemented by these vendors.


3)	Firewall issues experienced by DLR - Leon Gommans


Leon gave a presentation sent in by Thijs Metsch of DLR, Germany, who could
not attend this meeting. Details of the presentation will be available in
the FI-RG web area soon.

Remark by a participant (which all agreed on): "The shown scenario is very
similar to what many other institutions have to deal with. This issue is an
important one which the group has to look into."

4)	Gridftp issues - Bill Allcock


Bill gave a presentation "Gridftp vs. the Firewall". Details of the
presentation will be available in the FI-RG web area soon. He presented two
solutions to the well-known problem that GridFTP requires a lot of ports to
be opened at the firewall. Discussion arose about which one is best; both
solutions have their pros and cons.

Solution one uses a server on the inside to authenticate application/user
requests and to ask a GDO (Garage Door Opener) server to open ports at the
firewall. This is the more general approach, but it could be used by hackers
to open anything.

Solution two has a server outside both communicating domains providing a
proxy-like service. This concentrates security on hardening that server, but
gives hackers an external point to attack.

Wenbo Mao provided a link to his presentation at the "Innovations for Grid
Security from Trusted Computing" session later that day, dealing with
"Distributed firewalls", which could also be of interest.

 
5)	Document #1: Objectives and Discussion - Inder Monga.


Inder led the discussion on document #1, which is expected to come out of
FI-RG at GGF 15. The detailed structure of the document will be available in
the FI-RG web area soon. Discussion of the document's name will continue. The
proposed "classification" chapter may become a standalone document.

An aspect currently not covered in the document is "auditing issues": who
looks at the actions (opening ports) performed by the firewall, and when.
Some institutions may not allow dynamic opening of channels before the
authorities have checked them or before the application used has been
examined. Checking logs afterwards may not be enough.
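To make these two concerns concrete, the following is an added Python model (not code from the presentations, from FI-RG or from any GridFTP implementation) of the GDO approach described in section 4 combined with the auditing requirement raised here: openings are granted only to pre-approved, authenticated users, only within an assumed GridFTP data-port range, only for a bounded lifetime, and every decision is recorded for review. The port range, lifetime cap, approved-user list and request values are constructed.

```python
# Added illustration, not FI-RG, DLR or GridFTP code: a "garage door opener"
# (GDO) that opens firewall ports only for authenticated, pre-approved users,
# inside a constructed GridFTP data-port range, for a bounded time, and logs it.
from dataclasses import dataclass, field
from typing import Optional

GRIDFTP_DATA_PORTS = range(50000, 50101)  # assumed site data-channel range
MAX_TTL_SECONDS = 600                      # assumed cap on an opening's lifetime

@dataclass
class Opening:
    user: str
    src_ip: str
    port: int
    expires_at: float

@dataclass
class GarageDoorOpener:
    approved_users: set  # vetted before any opening, not only reviewed in logs after
    audit_log: list = field(default_factory=list)
    openings: list = field(default_factory=list)

    def request_open(self, user: Optional[str], src_ip: str, port: int,
                     ttl: int, now: float) -> bool:
        # Honour a port-opening request only if every policy check passes.
        reason = None
        if user is None or user not in self.approved_users:
            reason = "unauthenticated or unapproved user"
        elif port not in GRIDFTP_DATA_PORTS:
            reason = "port outside GridFTP data-channel range"
        elif not 0 < ttl <= MAX_TTL_SECONDS:
            reason = "ttl out of bounds"
        # Every request, allowed or denied, leaves an audit record for review.
        self.audit_log.append({"t": now, "user": user, "src": src_ip, "port": port,
                               "ttl": ttl, "decision": "deny" if reason else "allow",
                               "reason": reason})
        if reason:
            return False
        self.openings.append(Opening(user, src_ip, port, now + ttl))
        return True

    def expire(self, now: float) -> int:
        # Close openings whose lifetime has passed; returns how many were closed.
        before = len(self.openings)
        self.openings = [o for o in self.openings if o.expires_at > now]
        closed = before - len(self.openings)
        if closed:
            self.audit_log.append({"t": now, "decision": "close", "count": closed})
        return closed

    def active_ports(self, now: float) -> list:
        return sorted(o.port for o in self.openings if o.expires_at > now)
```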

6)	Research into Token Based Networking - Leon Gommans


At the end of the session Leon presented current research on "Token Based
Networking" at the University of Amsterdam, of interest in the GLIF (Global
Lambda Integrated Facility) environment, which could make firewalls
dispensable in some scenarios. This presentation will also be available in
the FI-RG web space soon.

7)	Closing

At 10:30 Leon and Inder closed the session, thanking all participants for
their interest in this new research group. They asked all participants to
become active in the group, to give input for document #1, and to join the
fi-rg mailing list.

Notes taken by: 
Ralph Niederberger, Research Center Jülich, Germany,
r.niederberger at fz-juelich.de 


