Fireblade is an Incubator project that gives users access to grid services which are protected by firewalls. It addresses the issues that arise when NAT is in use. It can be used to enforce security policies and to open firewalls on demand for non-blocking I/O. It will be a standalone gateway solution which supports (and therefore uses) Globus technology.
This GlobDev project webpage contains information for project committers and contributors. Information for users of Fireblade can be found at http://www.dlr.de/sc/en/desktopdefault.aspx/tabid-1293/1782_read-3223.
The FTP protocol is by nature a dynamic protocol with two streams, the control stream and the data stream. The control stream is established on a well-known port and causes no problems, but the data stream's endpoint is determined dynamically at runtime, for both server and client. Today's firewalls support these dynamic configurations by listening to the control stream and opening the appropriate ports on demand. They are also able to handle NAT situations.
Unfortunately this approach is no longer possible with GridFTP, an extension of the original FTP protocol that raises additional problems, discussed in the Globus FI-RG group. With GridFTP the control stream is usually encrypted, so firewalls cannot extract any information from it. Furthermore, GridFTP does not use a single data port but up to hundreds of parallel data streams, because of the large volumes of data that need to be transferred in Grid scenarios.
In consequence the FVGA-WG group is developing a new protocol called FiTP, which carries, unencrypted, the information a firewall needs to decide whether to open specific ports. This even allows third-party transfers to work correctly, which no current solution supports. FiTP requires implementation on two sides: first, the GridFTP client and server applications have to send correct FiTP messages in addition to their GridFTP commands; second, all firewalls on the path from the client to the server must analyze those messages and take appropriate action.
Since it will take a long time for firewall vendors to adopt this protocol, which is itself still unfinished, Fireblade fills the gap. Fireblade acts as part of the firewall, controlling the range of ports needed for GridFTP, and decides for each incoming request whether it is passed or blocked.
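The control-stream inspection described above, and why it yields nothing once the control stream is encrypted, as an added toy model in Python (example code, not Fireblade's implementation): the helper sits on the server's firewall, opens a one-shot pinhole for each PASV reply it can read, and leaves the managed port range closed otherwise. The server address, the managed range and all control-channel lines are constructed for the example.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PasvPinholer:
    """Toy FTP-aware helper on the server's firewall (hypothetical, not Fireblade)."""

    def __init__(self, server_ip, managed_range=(50000, 51000)):
        self.server_ip = server_ip
        self.lo, self.hi = managed_range
        self.pinholes = set()  # (dst_ip, dst_port) data connections expected next

    def observe(self, line: bytes):
        """Inspect one server->client control line; return the pinhole opened or None."""
        m = PASV_RE.match(line)
        if m is None:
            # Encrypted GridFTP control records, other replies and junk all land here:
            # the helper learns nothing, so nothing in the managed range is opened.
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only open what points back at the announcing server, inside our range.
        if host != self.server_ip or not self.lo <= port < self.hi:
            return None
        self.pinholes.add((host, port))
        return host, port

    def decide(self, dst_ip, dst_port):
        """Verdict for an incoming connection into the managed range."""
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))  # one-shot: consumed on first use
            return "pass"
        return "block"


def demo():
    """Run the helper over constructed control-channel samples."""
    fw = PasvPinholer(server_ip="198.51.100.20")
    plain = fw.observe(b"227 Entering Passive Mode (198,51,100,20,195,80)\r\n")
    # Constructed stand-in for a GSI-protected GridFTP control record: opaque bytes.
    cipher = fw.observe(b"\x17\x03\x03\x00\x08\x9f\x2b\x41\xd0\x8c\x66\x1e\xaa")
    verdicts = [fw.decide("198.51.100.20", 50000),  # announced by PASV: pass once
                fw.decide("198.51.100.20", 50000),  # pinhole already consumed: block
                fw.decide("198.51.100.20", 50001)]  # never announced: block
    return plain, cipher, verdicts
```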
Research on firewall issues at the Open Grid Forum
- Firewall Issues Research Group (FI-RG)
- Firewall Issues Overview - GFD-I.083
- Requirements on operating Grids in Firewalled Environments - GFD-I.142
- Firewall Virtualization for Grid Applications WG (FVGA-WG)
- FiTP - A protocol draft for dynamic opening of Firewalls
- Firewall Traversal Protocol (FiTP)
Research on application level gateways at the German Aerospace Centre
- ALG - Application Level Gateway at the German Aerospace Centre
- Design and Implementation of a Security Gateway for Grid Services
- Content-validation of Messages and Policy assurances for a Security-Proxy supporting Grid services
- Application Level Gateway - Securing services using a Proxy
FTP and GridFTP specifications
- RFC765 - FILE TRANSFER PROTOCOL
- The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load-Balancing Router
- RFC2228 - FTP Security Extensions
- GFD.20 - GridFTP: Protocol Extensions to FTP for the Grid
- GFD.47 - GridFTP v2 Protocol Description
If you would like to become a committer, guidelines are here.
- Developer discussion (fireblade-dev): archive / subscribe / unsubscribe
- User discussion (fireblade-user): archive / subscribe / unsubscribe
- Commit notifications (fireblade-commit): archive / subscribe / unsubscribe
Anonymous access to the CVS repository is given either via the command line:
CVSROOT=:pserver:email@example.com:/home/globdev/CVS/globus-packages cvs co fireblade
or via the ViewVC service located at http://viewcvs.globus.org/viewcvs.cgi/fireblade/.
Please use the fireblade project in the central Globus Bugzilla to report issues.
In addition to the Globus Alliance Project Guidelines, Fireblade adheres to the following policies: