Changes between Version 7 and Version 8 of Design
Timestamp: 04/14/08 10:48:07
Legend:
- Unmodified
- Added
- Removed
- Modified
Design (v7 to v8)

Unmodified (v7 line 40, v8 line 40):
== Dynamic firewalls ==

Removed (v7 line 42):
=== Templates ===

Added (v8 line 42):
The XGE secures both software and data from being accessed directly by unauthorized users. However, the network and thus the connected resources are fully accessible to a user if no firewalling technology is used. Since users can install software with root privileges (within their own VM), it is easy to install packet sniffing tools to monitor network traffic. It is also possible to probe for remote vulnerabilities in other users' images to gain access illegally. Thus, it is desirable to prevent network access between images of different users. It is also desirable to allow different users to have different network settings concerning the Internet.

Added (v8 line 44):
Traditional Grid applications do not require Internet access, but some commercial applications must contact a licensing server (e.g. FlexLM) to run and thus must at least be able to make outgoing connections. Fully service-oriented applications or interactive applications might even need to be reachable from the Internet and thus require incoming connections to be possible. System wide firewall configuration would either restrict applications with high connectivity requirements or unnecessarily endanger applications which normally operate in a private network.

Added (v8 line 46):
Since users already have their own operating system, we add to this a user based firewalling approach located in the ''Xen0'' controlling the user image to facilitate the different requirements. The extent a user is allowed to open or close ports for his or her image is specified by the administrator of the site either on a per user and/or a per virtual organization (VO) basis, relying on the amount of trust a user or a VO has.
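The per-user firewall design described in the added text, as an added example that is not XGE's own code: an administrator-defined trust table (per user and per VO) bounds what each user may open, cross-user image traffic is always blocked, and the Xen0 (dom0) rules only permit the granted outgoing and incoming ports. The policy layout, chain and vif names, the VM address table and the iptables rule shapes are assumptions for illustration.

```python
# Added example (not XGE's own code): policy check for the dom0-based per-user
# firewall design. Policy layout, chain/vif names, VM addresses and rule shapes
# are assumptions for illustration; the sample data below is constructed.

# Administrator-defined trust: which ports a user or a VO may open.
VO_LIMITS = {"bio-vo": {"in": set(), "out": {27000, 443}}}   # licensing server + HTTPS, outgoing only
USER_LIMITS = {"alice": {"in": {8080}, "out": set()}}        # alice additionally trusted for inbound 8080
USER_VO = {"alice": "bio-vo", "bob": "bio-vo"}
# dom0's view of each user's image: (vif in dom0, VM address).
IMAGES = {"alice": ("vif3.0", "10.0.0.3"), "bob": ("vif4.0", "10.0.0.4")}

def effective_limit(user):
    """Per-user grants plus per-VO grants; either basis may authorise a port."""
    u = USER_LIMITS.get(user, {"in": set(), "out": set()})
    v = VO_LIMITS.get(USER_VO.get(user), {"in": set(), "out": set()})
    return {"in": u["in"] | v["in"], "out": u["out"] | v["out"]}

def excess(user, want_in, want_out):
    """Ports the user asked for beyond what the site administrator allows (empty = OK)."""
    lim = effective_limit(user)
    return ({("in", p) for p in want_in - lim["in"]}
            | {("out", p) for p in want_out - lim["out"]})

def dom0_rules(user, want_in, want_out):
    """Rules dom0 installs for one image; refuses requests above the user's trust level."""
    over = excess(user, want_in, want_out)
    if over:
        raise ValueError(f"{user} is not trusted to open {sorted(over)}")
    vif, ip = IMAGES[user]
    chain = f"xge-{user}"
    rules = [f"iptables -N {chain}",
             f"iptables -A FORWARD -i {vif} -j {chain}",   # packets leaving the image
             f"iptables -A FORWARD -o {vif} -j {chain}"]   # packets bound for the image
    # Images of other users are never reachable, so no cross-user sniffing or probing.
    rules += [f"iptables -A {chain} -s {ip} -d {o_ip} -j DROP"
              for o, (_, o_ip) in IMAGES.items() if o != user]
    # Replies to connections the image was allowed to open (or receive).
    rules.append(f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    # Outgoing connections only on granted ports (e.g. the FlexLM server).
    rules += [f"iptables -A {chain} -s {ip} -p tcp --dport {p} -m state --state NEW -j ACCEPT"
              for p in sorted(want_out)]
    # Incoming connections only on granted ports (service-oriented images).
    rules += [f"iptables -A {chain} -d {ip} -p tcp --dport {p} -m state --state NEW -j ACCEPT"
              for p in sorted(want_in)]
    rules.append(f"iptables -A {chain} -j DROP")            # everything else is denied
    return rules
```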