The interconnection network plays a beneficial role in the next generation of super computers, clusters, and data centers. As larger cloud computing architectures are introduced, the performance and administrative bottlenecks associated with the traditional network and storage have become a significant problem. A next generation data center can include a middleware machine system having a plurality of compute nodes for hosting applications. One example of such a middleware machine system is the Oracle® Exalogic computer appliance. A next generation data center can also include a database server system. One example of a database server system is the Oracle® Exadata Database Machine. The middleware machine system works in cooperation with the database server system. Data stored in the database server system is used and retrieved for computer operations in the middleware machine system, and data generated or modified in the middleware machine system is stored in the database server system. Accordingly, it is important that the connection between the middleware machine system and the database server system be reliable, high speed, low latency and high bandwidth with low protocol overhead. For example, InfiniBand (IB) technology has seen increased deployment as the foundation for a cloud computing fabric. InfiniBand is a connection-based communication protocol which uses a switched fabric topology that can support, among other things, remote direct memory access (RDMA) operations between the middleware machine system and the database server system.
However, data centers are often shared by multiple tenants. The multiple tenants may be for example different corporate entities in cloud computing environments. Even where a data center is dedicated to a single corporate entity there may be multiple tenants in the form of different departments such as finance, human resources, engineering and the like which own data which must be kept private from other departments. It is important or necessary in multitenant environments that data be secured and accessible to authorized tenants and associated users and not accessible to unauthorized tenants and associated users. Likewise applications in the middleware machine system are associated with particular tenants and thus data in the database server system should be accessible to certain applications and not to others.
A conventional way to protect data from unauthorized access is to use a firewall appliance. A firewall appliance such as an Ethernet firewall appliance can be placed between a middleware machine system and a database server system sitting in the shared Ethernet medium. The firewall appliance controls access to database services making a port available for such service to authorized tenants and their associated applications and not to unauthorized tenants and their associated applications. However, use of such a firewall appliance necessarily prevents direct connection between the middleware machine system and the database server system and acts as a bottleneck on the indirect connection. No InfiniBand firewall appliance is currently available. Thus, if a firewall is required/specified, a conventional Ethernet firewall appliance (or the like) should be used. However, the use of a conventional Ethernet firewall appliance introduces additional networking overhead, and creates a bottleneck which limits the scalability of the system. The use of a conventional Ethernet firewall appliance precludes the use of a high speed connection-based switched fabric such as InfiniBand as well as the optimizations that such a connection-based switched fabric provides to operations performed between the middleware machine system and the database server system.
Prior systems and methods for providing and controlling data flow in an engineered system for middleware and application execution, using an intermediate node to provide security, are described in U.S. patent application titled “SYSTEM AND METHOD FOR PROVIDING A DATA SERVICE IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATION EXECUTION”, application Ser. No. 14/467,859, filed Aug. 25, 2014; U.S. patent application titled “SYSTEM AND METHOD FOR CONTROLLING A DATA FLOW IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATION EXECUTION”, application Ser. No. 14/467,860, filed Aug. 25, 2014; U.S. patent application titled “SYSTEM AND METHOD FOR SUPPORTING DATA SERVICE ADDRESSING IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATION EXECUTION”, application Ser. No. 14/467,868, filed Aug. 25, 2014; and U.S. patent application titled “SYSTEM AND METHOD FOR SUPPORTING HOST CHANNEL ADAPTER (HCA) FILTERING IN AN ENGINEERED SYSTEM FOR MIDDLEWARE AND APPLICATION EXECUTION”, application Ser. No. 14/467,896, filed Aug. 25, 2014, which applications are incorporated herein by reference. However, use of an intermediate node necessarily adds latency and overhead to the communication channel. These applications describe a firewall appliance which has general applicability. However, the solution requires extra networking overhead, impacting latency and scalability, because the intermediate node receives and processes each packet traveling between two end points. Additionally, in light of the processing required for each packet, the system makes a trade-off between how much deep packet processing is performed and the resulting overhead, latency, and scalability impacts.
In order to provide a solution similar to the one described in this invention disclosure using a standard firewall appliance, one would need to track the state of each connection and the association of that connection with a specific application layer construct, such as a database service, as described in this invention disclosure.
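The bookkeeping just described, tracking per-connection state and binding each connection to the application-layer construct (a database service) that the originating tenant is authorised to use, is illustrated below. This is an added example, not code from the patent or from any Oracle product; the tenant names, addresses, ports and service names are constructed sample values, and the three-flag connection model (SYN, ACK, FIN) is a deliberate simplification of what a real stateful appliance tracks.

```python
"""Tenant-aware stateful service filter (constructed illustration).

Every packet is looked up in a connection table, which is exactly the
per-packet processing cost the background attributes to an intermediate
firewall node.  A connection is admitted only when the source tenant is
authorised for the database service behind the destination port; later
packets are admitted only if such a connection was previously established.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source address (constructed sample value)
    dst: str    # destination address (constructed sample value)
    dport: int  # destination port
    flags: str  # "SYN" (open), "ACK" (data), or "FIN" (close); simplified


# Constructed mapping of destination port -> database service name.
SERVICE_BY_PORT: Dict[int, str] = {1521: "sales_db", 1522: "hr_db"}

# Constructed mapping of source address -> tenant.
TENANT_BY_ADDR: Dict[str, str] = {"10.0.1.5": "finance", "10.0.2.7": "hr"}

# Constructed policy: which tenants may reach which database services.
POLICY: Dict[str, Set[str]] = {
    "finance": {"sales_db"},
    "hr": {"hr_db"},
}

ConnKey = Tuple[str, str, int]


class StatefulServiceFilter:
    """Connection table keyed by (src, dst, dport), storing the bound service."""

    def __init__(self) -> None:
        self.connections: Dict[ConnKey, str] = {}

    def decide(self, pkt: Packet) -> str:
        key: ConnKey = (pkt.src, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            # New connection: resolve tenant and service, then consult policy.
            tenant = TENANT_BY_ADDR.get(pkt.src)
            service = SERVICE_BY_PORT.get(pkt.dport)
            if tenant is None or service is None:
                return "DROP"  # unknown tenant or not a published service
            if service not in POLICY.get(tenant, set()):
                return "DROP"  # tenant not authorised for this service
            self.connections[key] = service
            return "ALLOW"
        # Non-SYN traffic must belong to an already established connection.
        if key not in self.connections:
            return "DROP"
        if pkt.flags == "FIN":
            del self.connections[key]  # tear down state on close
        return "ALLOW"

    def service_of(self, pkt: Packet) -> str:
        """Return the service a tracked connection is bound to, or '' if none."""
        return self.connections.get((pkt.src, pkt.dst, pkt.dport), "")


def run_trace(packets: List[Packet]) -> List[str]:
    """Feed a packet sequence through a fresh filter and return the verdicts."""
    filt = StatefulServiceFilter()
    return [filt.decide(p) for p in packets]


# Constructed trace: finance opens sales_db, hr tries sales_db, an unsolicited
# ACK arrives, finance sends data, closes, then sends data after close.
SAMPLE_TRACE = [
    Packet("10.0.1.5", "10.0.9.1", 1521, "SYN"),
    Packet("10.0.2.7", "10.0.9.1", 1521, "SYN"),
    Packet("10.0.3.9", "10.0.9.1", 1521, "ACK"),
    Packet("10.0.1.5", "10.0.9.1", 1521, "ACK"),
    Packet("10.0.1.5", "10.0.9.1", 1521, "FIN"),
    Packet("10.0.1.5", "10.0.9.1", 1521, "ACK"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {pkt.flags:<3} {verdict}")
```

The two lookups on every packet (tenant resolution and connection-table membership) are the per-packet work that an in-path appliance cannot avoid; the bound service name kept in the table is what lets the filter reason about a connection in terms of the application-layer construct rather than only addresses and ports.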
It would therefore be desirable to overcome the disadvantages presented by the conventional use of an intermediary firewall appliance and/or intermediary node while providing a security solution that ensures the security of data in a multitenant environment.