TCPAuthN: A Method for Dynamic Firewall Operation

The essential idea of Grid computing is the user's transparent access to distributed resources. This transparent access provides enormous benefit to users but also challenges the administrators in charge of secure operation of these resources.

To enable Grid computing, unhindered communication between several components of the Grid must be possible. Not only do Grid components rely on communication among one another; clients with temporary IP addresses also need access to the Grid resources. Therefore, it is recommended to open 5000 TCP ports on the protecting firewalls to allow incoming connections from an almost unrestricted range of IP addresses. These recommendations concern not only the firewalls protecting the servers but also the firewalls protecting the clients.

Firewalls are designed to control the network traffic between the protected network and the insecure network, e.g. the Internet. Modern firewalls are able to inspect the content of the network traffic and to remove suspicious payload or to open ports (e.g. for the FTP data channel) to enable communication. Conventional non-Grid services use standardized ports and the communication is established from the client to the server, or the firewall is able to interpret the protocol (e.g. the FTP protocol) and operate dynamically. In Grid environments services are not always bound to standard ports, the direction of the connection establishment is not necessarily from client to server, and a client can initiate the communication between two application servers. Additionally, nearly all communication in the Grid context is encrypted, so interpretation of the protocols in use is not possible; hence existing firewall solutions do not work satisfactorily. The need for communication in the Grid on the one hand and the encrypted protocols on the other lead to the recommendation to open wide port ranges on the firewalls protecting the Grid resources. These necessarily open port ranges on the firewalls are commonly accepted as insecure: attackers from the outside and malicious users from the inside could exploit this security weakness for their own purposes.

To enhance the security of Grid resources and to circumvent the described firewall issues, we developed the new method TCP-AuthN, which provides dynamic firewall operation based on the verified identities of users.

TCP-AuthN uses the initial TCP segments exchanged to establish a connection between client and server to transport the user's authentication information. This information enables the firewall to authorize the connection establishment based on individual, user-specific information.

Figure 1: TCPAuthN Implementation

In today's distributed computing environments, like Grids and Clouds, authentication and authorization decisions take place in the middleware or on the compute and storage resources themselves. Thus, in both cases the decision is made within the local network of the hosting organization. This is due to several drawbacks of common firewalls: for one, most firewalls only use the tuple of IP addresses, port numbers and protocol parameters to decide which connections are legitimate and which are not. TCP-AuthN provides a solution that moves the authorization enforcement forward into the firewall. The presented system enables an authorization of each connection based on the user's individual Grid or Cloud attributes.
Extending our TCP-AuthN mechanism enables the firewall to operate as a Policy Enforcement Point (PEP) according to the authorization architecture presented in the XACML standard, and enables site administrators to turn back unwanted traffic at the border instead of on the resources themselves.

Figure 2: The Firewall as Policy Enforcement Point (PEP)

Related Publications

J. Wiebelitz, S. Piger, C. Kunz, C. Grimm (2009): Transparent Identity-based Firewall Transition for eScience, (accepted paper) eScience 2009

Abstract:

As new concepts for eScience like Grid computing and Cloud computing tend to leave the research phase and develop towards production quality, security eventually moves into focus. Up to now research in the security area concentrates on authentication and authorization on the resources themselves, but to enhance network security more generally, access control must be pushed back to the entry point of the resource providers' network.
In this paper TCP-AuthN is presented, an approach for dynamic firewall operation, which uses the TCP three-way handshake to transport users' authentication information for dynamic firewall operation. The authentication information enables firewalls to authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle attacks and replay attacks, a challenge-response procedure must be completed before the connection is finally allowed. To distinguish the authentication information from application level data, a new TCP option tcpauthn was designed.
The presented approach is intended to withdraw the initial authorization decision from the resources and therefore from the internal network and move this decision to firewalls, which are employed to protect networks and services.
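The handshake described in the project text above ("TCP-AuthN uses the initial TCP segments ...") and in this abstract (identity in the first segment, a challenge-response to defeat man-in-the-middle and replay, the firewall deciding only after the third segment is verified, a dedicated tcpauthn option to keep the data apart from the application stream) can be simulated end to end. The following Python block is an added example written for this page; it is not the TCP-AuthN implementation or code from the authors. Its assumptions: the option kind value 253 (an experimental kind from RFC 4727, since the page does not state the number allocated to tcpauthn), the three sub-types MSG_IDENT, MSG_CHALLENGE and MSG_RESPONSE, the user names and keys, and an HMAC over the nonce and the connection tuple standing in for the X.509 signature the paper uses, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Assumption: the page does not give the option kind allocated to tcpauthn.
# 253 is one of the experimental TCP option kinds reserved by RFC 4727.
TCPAUTHN_KIND = 253
MSG_IDENT, MSG_CHALLENGE, MSG_RESPONSE = 1, 2, 3   # sub-types, constructed for this example

def encode_tcpauthn(msg_type, payload):
    """Build one TCP option in TLV form: kind, total length, sub-type byte, data."""
    body = bytes([msg_type]) + payload
    return bytes([TCPAUTHN_KIND, 2 + len(body)]) + body

def parse_options(blob):
    """Walk a TCP options field (EOL, NOP and TLV options); return {kind: data}."""
    opts, i = {}, 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                          # End-of-option-list
            break
        if kind == 1:                          # NOP padding
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length")
        opts[kind] = blob[i + 2:i + length]
        i += length
    return opts

def flow_bytes(flow):
    """Serialize the (src_ip, src_port, dst_ip, dst_port) tuple the response is bound to."""
    src_ip, src_port, dst_ip, dst_port = flow
    return f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()

def response_mac(key, nonce, flow):
    """Stand-in for the paper's X.509 signature: HMAC over challenge nonce and connection tuple."""
    return hmac.new(key, nonce + flow_bytes(flow), hashlib.sha256).digest()

class Firewall:
    def __init__(self, user_keys):
        self.user_keys = user_keys   # user id -> verification key (stands in for a cert store)
        self.pending = {}            # flow -> (user, nonce) waiting for the third segment
        self.allowed = set()         # flows admitted after a verified handshake

    def on_syn(self, flow, options):
        """Segment 1: read the claimed identity; answer with a fresh challenge, or None to drop."""
        data = parse_options(options).get(TCPAUTHN_KIND)
        if not data or data[0] != MSG_IDENT:
            return None
        user = data[1:].decode()
        if user not in self.user_keys:
            return None
        nonce = os.urandom(16)
        self.pending[flow] = (user, nonce)
        return encode_tcpauthn(MSG_CHALLENGE, nonce)

    def on_ack(self, flow, options):
        """Segment 3: verify the response to the challenge; admit or reject the flow."""
        state = self.pending.pop(flow, None)  # nonce is single-use, so a replay finds nothing
        if state is None:
            return False
        user, nonce = state
        data = parse_options(options).get(TCPAUTHN_KIND)
        if not data or data[0] != MSG_RESPONSE:
            return False
        expected = response_mac(self.user_keys[user], nonce, flow)
        if not hmac.compare_digest(expected, data[1:]):
            return False
        self.allowed.add(flow)
        return True

    def permits(self, flow):
        """Forwarding decision for every later segment: only verified flows pass."""
        return flow in self.allowed

class Client:
    def __init__(self, user, key):
        self.user, self.key = user, key

    def syn_options(self):
        return encode_tcpauthn(MSG_IDENT, self.user.encode())

    def ack_options(self, flow, synack_options):
        data = parse_options(synack_options)[TCPAUTHN_KIND]
        if data[0] != MSG_CHALLENGE:
            raise ValueError("expected a challenge in the SYN-ACK")
        return encode_tcpauthn(MSG_RESPONSE, response_mac(self.key, data[1:], flow))

def run_handshake(client, firewall, flow):
    """Drive the three segments through the firewall; returns (admitted, ack_options)."""
    challenge = firewall.on_syn(flow, client.syn_options())
    if challenge is None:
        return False, b""
    ack = client.ack_options(flow, challenge)
    return firewall.on_ack(flow, ack), ack
```

Two design points carry the security argument of the abstract. The firewall pops the pending nonce before verifying, so a captured third segment presented again finds no state and is rejected, and the response covers the connection tuple, so a response obtained on one connection does not verify on another. Sizes matter as well: the whole TCP options field is limited to 40 bytes, and the constructed challenge (19 bytes) and response (35 bytes) options fit, whereas a real certificate or signature would not, which is why a real implementation has to carry only references or compact values in the handshake.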
 

J. Wiebelitz, C. Kunz, S. Piger, C. Grimm (2009): TCP-AuthN: TCP Inline Authentication to Enhance Network Security in Grid Environments, Proc. of the 8th International Symposium on Parallel and Distributed Computing (ISPDC '09)

Abstract:

To secure communication in Grids many efforts have been made regarding authentication and authorization. Due to some applications' requirements it is up to now recommended to open wide port ranges on firewalls, a configuration that is commonly accepted as insecure.
We present an approach to enhance the security of firewalled Grid components by a new method to dynamically authorize TCP connections on firewalls. The authorization decision relies on the authenticated identity of users or conveyed attribute assertions. Authentication information is transferred within the TCP three-way handshake. To distinguish the authentication information from application data a new TCP option tcpauthn is introduced.
The new method TCP-AuthN leads to a new paradigm in firewall operation, as the firewall comes to the final decision to allow or reject/deny a connection after the third segment of the TCP three-way handshake is verified. The firewall denies/rejects each connection on an individual basis depending on the user's proven identity.

J. Wiebelitz, C. Kunz, S. Piger, C. Grimm (2009): TCP-AuthN: An Approach to Dynamic Firewall Operation in Grid Environments, Proc. of the 5th International Conference on Networking and Services (ICNS 2009)

Abstract:

Grid computing provides users with transparent access to substantial compute and storage resources. Up to now the main focus has lain on the development of Grid infrastructures and of services providing access to Grid resources. This leads to a neglect of security aspects, which, for example, results in the recommendation to open wide port ranges on firewalls protecting the Grid resources. In this paper we present an approach for dynamic firewall operation facilitated by a strong inline authentication for every TCP connection. The presented approach, which is based on X.509 certificates and public-key encryption, uses TCP segments exchanged during the TCP three-way handshake between the client and the server to transport user authentication information. Firewalls on the path use this authentication information to authorize the connection. To distinguish the authentication information in the TCP segments from application data a new TCP option tcpauthn is introduced.