- Hacking into Grid applications
- Securing the Grid and securing Web services ... one in the same?
- Public Internet or dedicated lines for the Grid?
- Ask an Analyst -- will MPLS matter for Grid environments?
- Open Source Virtualization and the Grid
- Virtualization and Grid computing heading in similar directions
- Still more questions than answers with Grid...
- Univa and IBM team up for enterprise Grid
October 26, 2005 | Comments: (0)
Hacking into Grid applications
When we talk about securing the Grid -- it's not just the pathways to the Grid applications that need to be secure, but the applications themselves.
The more prolific implementations of Grid utilize web services in their core. Their hosted applications and mechanisms for accessing them are web services-based and are essentially web apps in and of themselves. As Grid becomes more mainstream, these types of applications and their availability will multiply. So how do we ensure that these applications can remain available to their intended users (often everyone!) yet maintain their use for "good" and not "evil?"
Phil Janson, a program manager with Services Research Assets at IBM, describes the most common attack method that hackers use to get into applications:
"The most frequent attack path hackers use is to use stack overflows, buffer overflows, and memory overflows. They send a system an amount of information that is far larger than what the target is expecting. As a result, when the target reads that information, it overflows the memory reserved to read in that parameter, and so it overwrites some other data structure in its memory. If the hacker is clever enough to send the right content of the right length, it can cause the overflow to override a critical data structure, which causes the application to derail and transfer control to a piece of code contained in the parameter that was just sent. And if you can cause the target program to derail and transfer control to that program embedded in this parameter, you can make the target system do anything you want it to."
The purpose of these types of attacks is to transfer control from the original application to another, rogue application. However, in the world of web services and web apps there is another potential for abuse: one that uses the original application as is, but not for its original intent.
Take, for example, TinyDisk -- a web app built upon TinyUrl. TinyUrl is a popular free web app used to take a ridiculously long URL and hash it into a much shorter version for ease of use in e-mails, instant messaging, or anywhere where the potential for a multi-line URL and the possible insertion of new line characters might cause confusion. The hashed version is kept in a database and, when accessed, redirects the accessing browser to the actual URL. TinyDisk uses the hashing algorithm and database of TinyUrl to store actual data. It is essentially a new web app built upon an existing web app that extends the use and original intent of that app. I used the word 'extends' -- however, one could very well use the word 'exploit.' Can we be sure that TinyDisk will not overrun the databases and bandwidth of TinyUrl? The author of TinyDisk has put into place some safeguards for this; however, they can be easily circumvented.
Is TinyDisk a hack? It is simply using a web app, used by millions (actually over 11 million according to the TinyUrl web site!) more or less "as advertised."
Security pros have been steadily releasing new tools geared towards preventing hacks into web services and Grid services. Janson, for example, recently released a 'Web Services Interface Definition for Intrusion Defense' tool that "flags any interface feature that could open a door to hacker attacks against that service."
According to Janson:
"People get excited about security protocols and stuff like that. They tend to ignore input validation and dismiss it as something that any good programmer should do. But the trouble is that most programmers don't ... so you've got to give them tools to help them automate that step. Based on such tools, future Web and grid containers may do automated input validation on the fly on behalf of forgetful or negligent programmers."
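The input validation step discussed above, shown next to the unchecked copy that makes the overflow possible. This is an added example, not code from the original post or from the IBM tool; the `job_request` record, the 32-byte limit and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define JOB_NAME_MAX 32   /* assumed limit for a hypothetical "job name" parameter */

enum param_status { PARAM_OK, PARAM_EMPTY, PARAM_TOO_LONG, PARAM_BAD_CHAR };

/* Hypothetical request record: is_admin sits right after the name buffer,
 * standing in for the "other data structure" an overflow would overwrite. */
struct job_request {
    char name[JOB_NAME_MAX + 1];
    int  is_admin;
};

/* Unchecked pattern from the quote: the sender decides how many bytes are
 * written. Shown for contrast only; main() never calls it. */
void set_name_unchecked(struct job_request *req, const char *param)
{
    strcpy(req->name, param);   /* no bound: long input runs past name[] */
}

/* Checked version: length and character set are validated against the
 * interface's declared limits before a single byte is copied. param_len is
 * the length taken from the wire, so an embedded NUL cannot hide extra data. */
enum param_status set_name_checked(struct job_request *req,
                                   const char *param, size_t param_len)
{
    size_t i;

    if (param_len == 0)
        return PARAM_EMPTY;
    if (param_len > JOB_NAME_MAX)
        return PARAM_TOO_LONG;
    for (i = 0; i < param_len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return PARAM_BAD_CHAR;
    }
    memcpy(req->name, param, param_len);
    req->name[param_len] = '\0';
    return PARAM_OK;
}

int main(void)
{
    struct job_request req;
    char oversized[200];                      /* constructed hostile input */

    memset(&req, 0, sizeof req);
    memset(oversized, 'A', sizeof oversized);

    printf("normal:    %d\n", set_name_checked(&req, "render-42", 9));
    printf("oversized: %d\n", set_name_checked(&req, oversized, sizeof oversized));
    printf("metachar:  %d\n", set_name_checked(&req, "a;b", 3));
    printf("name=%s is_admin=%d\n", req.name, req.is_admin);
    return 0;
}
```

A rejected request leaves both the stored name and the adjacent field untouched, which is the property a container doing validation on the programmer's behalf would have to guarantee.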
With conventional operating systems and applications it can sometimes be difficult to prevent a hack; however, a hack is usually pretty easy to recognize. In the new world of web services and web apps this may not be so clear.
Posted by Greg Nawrocki on October 26, 2005 09:56 AM
October 25, 2005 | Comments: (0)
Securing the Grid and securing Web services ... one in the same?
We're all familiar with the cliche that the "fortress" approach to enterprise security is dead -- you can't just put things behind a firewall and compete in today's business world. You need practical ways to let the good guys in, and keep the bad guys out. This applies doubly to Grid environments, whose whole reason for existence is coordinated resource sharing across wide areas.
Developers realized in the very early days that without proper security guarantees, Grid computing would stall out of the gates, so this has been one of the heaviest concentration areas to date.
There's an interesting tutorial today on IBM developerWorks about delegation of rights in Grid environments. What's particularly noteworthy for mainstream enterprise IT folks is that the Globus Toolkit (the most widely used open source middleware for Grid computing) over time has assimilated many of the key components of the Web Services Resource Framework (WSRF).
For subject matter like security, which is critical yet can be quite daunting, this utilization of accepted standards puts a familiar face on otherwise complex tasks. This tutorial is a great example of how Grid computing is actually well within reach for the skill set of the average IT pro working with web services today.
Posted by Greg Nawrocki on October 25, 2005 09:01 AM
October 24, 2005 | Comments: (0)
Public Internet or dedicated lines for the Grid?
Joe Touch, director of the Postel Center, one time told me that with the Internet, "everybody gets an Acura ... you can tune things so they don't break, but you don't build a Maserati on the Internet."
Apologies if I've been harping on networking considerations for Grid computing lately -- but one question that I still have is to what extent will the public Internet be satisfactory for Grid traffic? As Touch notes, the Internet is all about a ubiquitous infrastructure, with the focus on the end-to-end principle, and the ability for the maximum amount of users to seamlessly share interchangeable parts.
But in order for Grids to make a case that they can carry mission critical business applications, will it really be acceptable for an organization's Grid applications to be susceptible to the frequent performance snags that we know to be so common to the public Internet? I doubt it. The public Internet is subject to message storms, there are outages; and sometimes it's just plain slow to get what you want when you need it. With dedicated pipes, on the other hand, you have much tighter control of the bandwidth.
Before you object and note the incredible cost of laying down new pipes, bear in mind what's happened in telecom over the last ten years. As John Ennis, VP of Operations at FiberNet Telecom Group says:
"The telecom industry has seen incredible, decreasing prices for bandwidth. In the old days, if you wanted to get a T-1, it would take months. Now it takes a couple of weeks. So the general trends - pricing has gone down tremendously, intervals have gone down tremendously."
So one of the trends that's been attributed to the malaise of the telecom sector -- the fiber glut -- could actually be a great motivating factor for service providers to hop onto the Grid bandwagon. Frankly, I'm surprised that the telcos that own the surplus dark fiber haven't been making more noise about their Grid intentions.
Posted by Greg Nawrocki on October 24, 2005 09:16 AM
October 19, 2005 | Comments: (0)
Ask an Analyst -- will MPLS matter for Grid environments?
To what extent will the public Internet be adequate to handle the burdens of Grid traffic? I recently took that question to Johna Till Johnson, President of Nemertes Research, and she was quick to point out that Grid / Networking discussions are likely to raise questions about the role of MPLS (multi-protocol label switching) in carrying Grid traffic. Here's what she had to say:
"As long ago as about four or five years ago - when I was CTO of Greenwich Technology Partners - we were doing a lot of work with financial services firms, who were some of the early adopters of Grid computing. One of the things we realized was that with what they were trying to do across the WAN ... the only way they could actually get the quality of service and reliability and availability they needed was to go with a technology like MPLS. Most of the Grid specs assume an IP network. You have to have some technology that translates between IP and whatever the underpinnings are. If you were going to argue that you wanted to do it over frame relay or ATM, you still need a way to get from IP to that.
Another thing that MPLS brings to the table is the availability to set up high bandwidth, low latency high QOS connections between point A and point B - and that's very important. And even on a private network, you have to look at the traffic pattern. Most private network technologies - including ATM and frame relay - have assumed hub-and-spoke traffic patterns. The servers all live at the center, the users all live at the edges of the cloud, it's one hop between the user and the server—and everybody's happy. That's true if all your traffic is client/server. But if you're doing peer to peer or Grid, it's getting closer to an any-to-any traffic pattern. The only way that frame can do that is to start introducing hops, which introduces latency. MPLS can actually allow you at the IP layer to make it any-to-any, and that's key.
So there are 3 basic synergies between MPLS and Grid:
1- Grid assumes that you have a high performance IP network. Most of the service providers have elected to implement their high performance networks on top of MPLS.
2- Grid requires extremely low latency, extremely high QOS, extremely high bandwidth links - MPLS is optimized to be able to deliver that.
3- Grid can be expected to generate any-to-any traffic, and again MPLS can be expected to deliver that.
AT&T made a big commitment to MPLS a few years ago - some of the other service providers then bit the bullet. MPLS is very mainstream now."
Posted by Greg Nawrocki on October 19, 2005 07:42 AM
October 18, 2005 | Comments: (0)
Open Source Virtualization and the Grid
Not surprisingly, some of the most interesting progress around virtualization is happening in open source. There has been quite a bit of excitement around Xen making its way into popular Linux distros, which means that ISV certification and support will be right around the corner for enterprises that use Linux virtualization. So a free OS with free virtualization capabilities (and readily available support), running on a preferred architecture of cheap servers (rather than big, expensive SMPs or mainframes) ... organizations are chomping at the bit to realize the cost savings that virtualization promises.
Today, on the open source Grid computing side, researchers are busily working out the details around how the Grid can leverage virtualization – and how the Grid will carve out "Virtual Workspaces." Katarzyna Keahey, Assistant Scientist at Argonne National Laboratory explains:
"A Virtual Workspace is an abstraction of an execution environment that can be made dynamically available in the Grid, and it's primarily focused on two broad requirements. One of them is the ability to associate an activity in the Grid with a certain quantum of resource, a certain percentage of CPU... say, memory, or disk, and so forth. The other requirement is recreating the necessary environment (in terms of software configuration) that the user needs on the Grid. Most applications require a very specific configuration - how do you provide it on a remote resource in the Grid reliably and dynamically? Those are the main issues that Virtual Workspaces are trying to tackle.
About two years ago, when we first started talking to users about our prototypes using virtual machines for the Grid all the focus was on VMWare. And because the licensing fees are high, the project was slow to take off. We'd hear people ask 'If I have to spend $5K on a virtual machine, why wouldn't I just buy a real one?'
Last summer we started experimenting with Xen, which is a very efficient open source hypervisor implementation slated to become a part of the Linux kernel in the near future. Suddenly we started getting traction as a lot of people became more interested in exploring virtual machines in Grid environments. So these two aspects - efficiency and availability -- provided a crucial critical mass for the project."
Posted by Greg Nawrocki on October 18, 2005 07:07 AM
October 17, 2005 | Comments: (0)
Virtualization and Grid computing heading in similar directions
How do virtualization and Grid relate to one another? As enterprises increasingly leverage virtualization techniques (IDC is reporting more than 60% growth from last year) - that's a question I'm increasingly fielding these days.
Virtualization is not in and of itself a complete solution to how enterprises manage their resources. However, it does provide great capabilities in managing and moving operating systems (and the full software stack supporting a given application) onto different hardware resources. As Steve Tuecke, CEO of Univa says:
"From a technical standpoint, virtualization does two things extremely well. First, it allows you to run multiple workloads on a single machine with great isolation between those workloads. By providing this hardware-level abstraction and strong isolation between multiple host operating systems, if one workload crashes, the other can continue to run unobstructed. The second great value of virtualization is that it's great at suspending, resuming and migrating images around an IT environment, in run-time. Without even shutting down an image, you can move jobs to new machines without any sort of disruption in performance."
Like Grid, virtualization is a trend that's being driven by economics. Rather than having to overprovision on the hardware side to meet peak demands, organizations can use virtualization approaches to get better utilization out of existing (underutilized) hardware.
It's also worth noting that virtualization is possibly on its way to becoming a mainstream approach to managing network resources. According to David Martin, Program Director, Internet Standards & Technology, IBM:
"In the next generation of Grids, applications will not necessarily be designed to run on a certain piece of hardware or on a certain network - but will be written to consume certain types of resources, which could be provided anywhere on the network. To do that, we need more dynamic networks than we have now, and the virtualization efforts in the networking community are already pointing the industry in that direction."
And not surprisingly, some of the most interesting progress around virtualization is happening in open source. I'll share more thoughts on that tomorrow.
Posted by Greg Nawrocki on October 17, 2005 08:57 AM
October 05, 2005 | Comments: (0)
Still more questions than answers with Grid...
After attending the keynotes and several sessions at the first day of the enterprise program at GridWorld I'd love to report back with a clear insight as to where the Grid market is headed. However, that is not the case. One thing that became very clear early on is that there are still more questions than answers in this space.
And somewhat disturbingly they are the same age-old questions and general comments that I've heard over the course of the last several years.
You know the remarks... "Grid is a disruptive technology, the dividing line between Grid / SOA / Utility computing is blurry, Grids reduce cycle time, there is no clear definition between clusters and Grids, blah, blah blah..."
To be clear, this is certainly not a reflection of the event itself, but more of an observation on the nebulous Grid market. So what is going to break this redundant cycle?
One thing that was clearly missing yesterday was talk of applications, and again, to be fair, I wasn't present in all of the sessions. But I did not hear a good discussion of what's working in Grid environments, what isn't, and what are some of the metrics for measuring this. Those working in this space often categorize themselves in vertical markets, and these markets are defined by their applications.
When we talk of Grid, we often mention the recent enterprise computing trend of the transformation from vertically integrated silos to horizontally integrated, service-oriented systems in the same breath. Perhaps we should be doing the same at the higher levels of the "Grid stack". Instead of focusing on the uniqueness of the applications that define a market (vertical view), we should be examining the commonalities between them (horizontal view). I believe that with a better view of these commonalities we can better define the forces that will drive application integration in Grid environments and therefore accelerate Grid adoption.
One comment that really summed up the day for me I heard during the "What is the Software Licensing Model for Grids?" panel. In a nutshell the panelist said, "look, there are many ways to go about licensing software deployed in Grid environments and we've named several here, but most importantly, don't get in the way with pricing and licensing models right now, let the market grow."
To paraphrase Bob Dylan, if you have to remind people to get out of the new road if they can't lend a hand, then clearly, the times are still a-changin'.
Posted by Greg Nawrocki on October 5, 2005 07:20 AM
October 03, 2005 | Comments: (0)
Univa and IBM team up for enterprise Grid
GridWorld's starting off on an interesting note here in Boston this week, with today's announcement from Grid start-up Univa that it has partnered with IBM for a commercially-supported version of the Globus Toolkit.
[According to the announcement]: "Under the three-year agreement, Univa will deliver a commercially supported and enterprise-ready release of open-standard software built around the Globus Toolkit for use across IBM's eServer platforms running both AIX and Linux, including IBM eServer iSeries, pSeries, xSeries, zSeries and BladeCenter systems. IBM will also provide Univa with product development resources and technology assets to assist in the development, delivery and support of the Univa commercial releases on IBM platforms."
For those that have followed the Grid computing evolution for a while, IBM has been a long-time supporter of the Globus Toolkit. IBM Global Services has had a huge footprint in many of the enterprise Globus Toolkit implementations to date (not to mention the vast financial support and development that IBM has contributed to the actual Globus Toolkit code historically). For a number of years, IBM has released its own Grid Toolbox, their own version of an open source Grid toolkit, based on Globus. But under the terms of this partnership, IBM will license a Univa distro of the Globus Toolkit, specifically geared towards the unique Grid computing requirements of enterprise environments.
What is particularly interesting to ponder in the context of the future of Grid computing is that here, IBM is partnering with the first major enterprise distro of the Globus Toolkit, similar to IBM's support of Red Hat and SuSe in the early days of Linux. Similar to how there are many flavors of Linux distros today -- there may some day be many different flavors of Globus Toolkit distros. We will likely see many different types of Grid computing environments take shape in enterprise, so there will be plenty of opportunities for other Grid services and support startups to create variants of the Globus Toolkit.
But in these nascent days of enterprise Grid, Univa is particularly well-positioned to lead the market, considering that their founders are the original creators of the Globus Toolkit (i.e., Steve Tuecke, Ian Foster, Carl Kesselman).
Posted by Greg Nawrocki on October 3, 2005 07:48 AM