This is a static archive of the previous Open Grid Forum GridForge content management system saved from host forge.ogf.org file /sf/wiki/do/viewPage/projects.fi-rg/wiki/DynaFire?selectedTab=versions at Sun, 06 Nov 2022 16:02:50 GMT


Dyna-Fire

Authors: M.L. Green, S.M. Gallo, R. Miller.

Affiliation: University at Buffalo


Dyna-Fire is an extension of the Netfilter iptables software that configures new filtering rules in response to valid requests from users' applications. Its main features are:

  • The use of Port Knocking as the signaling protocol.
  • The deployment of a central database in which all user and resource information is stored.
  • The integration with the Globus Gatekeeper.

Port Knocking is a client-server communication method in which information is encoded as a series of connection attempts to closed ports. The server initially presents no open ports to public networks and monitors all connection attempts. A client initiates a connection by sending TCP packets carrying the SYN flag to a specific sequence of ports. When the server detects a valid knock sequence it triggers a server-side process, usually the opening of the requested port. The knock sequence may carry additional information such as the IP address of the client host, the requested resource (application name or port number), the time for which the port should stay open, and a user identifier.

The Dyna-Fire daemon must be integrated into the existing network firewall so that it can monitor connection attempts from external entities. When it detects a valid knock sequence it attempts to validate it. If all verification criteria are satisfied, Dyna-Fire adds a new filtering rule to the iptables firewall. This rule allows access to the destination host and port number only from the IP address that sent the knock sequence, and only for a length of time corresponding to the validity of the user's proxy certificate.
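The detection and validation steps described above, as an added example that is not Dyna-Fire's own code: SYN attempts are paired into knock sequences per source IP, checked against a user database with a proxy-certificate expiry, and turned into an iptables rule scoped to the knocking IP and to the proxy lifetime. The knock encoding (user id in 10000-19999, requested port in 20000-29999), the user table and the SYN log are all constructed assumptions, not the project's wire format or data.

```python
from dataclasses import dataclass

# Constructed knock encoding (an assumption, not Dyna-Fire's wire format):
# knock 1 carries the user id as 10000 + user_id, knock 2 the requested port
# as 20000 + port; both must come from the same source IP within WINDOW seconds.
USER_BASE, PORT_BASE, WINDOW = 10000, 20000, 5.0

# Constructed user database: user id -> (authorized ports, proxy expiry time).
USERS = {42: ({2119, 2811}, 1_000_000.0),   # Gatekeeper and GridFTP ports
         7: ({2119}, 50.0)}                  # proxy certificate already expired
# Constructed SYN log: (timestamp, source IP, destination port).
SYN_LOG = [
    (100.0, "198.51.100.7", 10042), (100.5, "198.51.100.7", 22811),  # valid
    (101.0, "203.0.113.9", 22119),                                   # no user knock first
    (102.0, "203.0.113.9", 10007), (102.3, "203.0.113.9", 22119),    # expired proxy
    (110.0, "198.51.100.7", 10042), (120.0, "198.51.100.7", 22811),  # exceeds WINDOW
]

@dataclass(frozen=True)
class Knock:
    ts: float
    src: str
    user_id: int
    port: int

def detect_knocks(log, window=WINDOW):
    """Pair each user knock with the next port knock from the same source IP."""
    pending, knocks = {}, []   # src -> (ts, user_id) still waiting for a port knock
    for ts, src, dport in sorted(log):
        if USER_BASE <= dport < PORT_BASE:
            pending[src] = (ts, dport - USER_BASE)
        elif PORT_BASE <= dport < PORT_BASE + 10000 and src in pending:
            t0, uid = pending.pop(src)
            if ts - t0 <= window:
                knocks.append(Knock(ts, src, uid, dport - PORT_BASE))
    return knocks

def validate(knock, users=USERS):
    """Return (iptables rule, lifetime in seconds) or None if the knock is refused."""
    ports, proxy_expiry = users.get(knock.user_id, (set(), 0.0))
    lifetime = proxy_expiry - knock.ts     # rule lives only while the proxy is valid
    if knock.port not in ports or lifetime <= 0:
        return None
    rule = f"iptables -I INPUT -p tcp -s {knock.src} --dport {knock.port} -j ACCEPT"
    return rule, lifetime

def process(log=SYN_LOG, users=USERS):
    return [validate(k, users) for k in detect_knocks(log)]   # None = refused sequence
```

Only the first sequence yields a rule; the incomplete, expired and too-slow sequences are refused, and the emitted rule is meant to be removed again once `lifetime` seconds have elapsed.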


Contributed by Gian Luca Volpato, RRZN - Leibniz Universitaet Hannover
