Content-validation of Messages and Policy assurances for a Security-Proxy supporting Grid services

Abstract

Today Grid computing is an important technology that allows scientists and engineers to solve large and complex problems, to work in complex and heterogeneous environments, and to cooperate in various new ways. In Grid environments integrate distributed computing resources, networks, scientific instruments, data archives and databases, and visualization environments. The virtualization of these resources results in resource environments allowing the dynamic generation of Virtual Organizations (VO) to increase the productivity and quality of scientific work. This work describes a security concept for securing Grid Services in a Firewalled environment. The main aspect of this concept is a security gateway which performs content based checks on incoming Grid requests. This is an application level gateway and it checks SOAP messages of Grid Service requests and decides on the application level (OSI level 7) whether the message should pass the gateway or be blocked. In combination with packet filtering, provided by usual rewall solutions, and encrypted data transfer methods, this allows a shared secured use of Grid resources, separated by security gateways. This can be accomplished without changing the respective Grid middleware and without increasing security risks to an unacceptable level (e. g., by opening network ports). The work on this topic led to the conclusion that with an appropriate concept, modern services based distributed environments can be secured. This concept includes the use of Firewalls and security proxies.