1. Field of the Invention
This invention pertains in general to utility computing and network security and in particular to a firewall for protecting a utility computing system environment.
2. Description of the Related Art
Utility computing is a paradigm that provides scalable access to computing resources much like electrical utilities provide access to electricity. A utility computing system has a pool of computing resources that can be dynamically provisioned to meet the changing demands of an enterprise. For example, during a typical day, 30% of the resources can be provisioned as web servers to serve HTTP requests, 40% of the resources can be provisioned to provide back-end database support, 20% of the resources can be provisioned to run JAVA middleware software, and 10% of the resources can be left idle in order to provide extra computing power during peak periods. Should demand for one of the resources increase, the utility computing system can dynamically provision some of the idle resources and/or re-provision some of the other resources to meet the demand.
At its core, the utility computing system contains a set of computers acting in the provisioned roles. The computers can be real or virtual, and can be provisioned in multiple roles. For example, the utility computing system can contain a computer that is provisioned to act as both a web server and a database server.
Computers within a utility computing system that are provisioned as web servers, database servers, or in other roles that require interaction with clients have interfaces that are exposed to the Internet and/or other networks. Because of these interfaces, the computers are susceptible to malicious behavior on the network. For example, a computer acting as a web server and executing particular web server software is susceptible to any vulnerabilities in that software. Such vulnerabilities present a security risk, and the risk is further magnified by the large number of computers that are often present in a utility computing system.
A firewall is a common way to protect computers from network-based attacks. However, a firewall is not well-suited to utility computing systems where there are multiple computers in dynamically-changing roles. An administrator setting the firewall's policy might allow communications to all ports that are used in all of the potential roles, thereby creating a security risk by providing greater than the minimum set of access rights. Alternatively, the administrator can configure the firewall to provide the minimum set of access rights for a specified role, thereby running the risk that the computer will not function if it is dynamically provisioned into another role. Neither of these options is desirable.
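The two static policies described above, and the role-driven alternative the rest of this document motivates, can be compared concretely. The following Python is an added illustration, not part of the patent text: it assumes a hypothetical role-to-port table (`ROLE_PORTS`, with constructed sample port numbers) and measures each policy against the ports a host actually needs for its currently provisioned roles. `excess_ports` reports ports that are open but unneeded (the over-permissive "union of all roles" policy); `missing_ports` reports ports that are needed but blocked (the "minimum rights for one fixed role" policy after re-provisioning). `RoleAwareFirewall` is an assumed design that recomputes the allow-list from the provisioned roles, which is the general case of which the text's web-server and database-server examples are instances.

```python
"""Role-driven firewall policy for a utility computing host (illustrative)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed role-to-port table; the port numbers are hypothetical sample
# values chosen for this example, not taken from any real deployment.
ROLE_PORTS: Dict[str, FrozenSet[int]] = {
    "web": frozenset({80, 443}),       # HTTP/HTTPS front end
    "database": frozenset({5432}),     # back-end database listener
    "middleware": frozenset({8080}),   # application middleware
    "idle": frozenset(),               # spare capacity: nothing exposed
}


def required_ports(roles: Iterable[str],
                   table: Dict[str, FrozenSet[int]] = ROLE_PORTS) -> Set[int]:
    """Minimum set of inbound ports a host needs for the given roles.

    A host may hold several roles at once (e.g. web and database), so the
    result is the union of the per-role sets. An unknown role raises KeyError
    on purpose: provisioning an undefined role should fail loudly.
    """
    ports: Set[int] = set()
    for role in roles:
        ports |= table[role]
    return ports


def union_policy(table: Dict[str, FrozenSet[int]] = ROLE_PORTS) -> Set[int]:
    """Static policy 1: allow every port that any potential role might use."""
    return required_ports(table.keys(), table)


def single_role_policy(role: str,
                       table: Dict[str, FrozenSet[int]] = ROLE_PORTS) -> Set[int]:
    """Static policy 2: least privilege for one fixed role."""
    return required_ports([role], table)


def excess_ports(policy: Set[int], roles: Iterable[str]) -> Set[int]:
    """Ports the policy opens that the current roles do not need (exposure)."""
    return set(policy) - required_ports(roles)


def missing_ports(policy: Set[int], roles: Iterable[str]) -> Set[int]:
    """Ports the current roles need that the policy blocks (breakage)."""
    return required_ports(roles) - set(policy)


@dataclass
class RoleAwareFirewall:
    """Hypothetical firewall whose allow-list tracks the host's roles."""
    roles: Set[str] = field(default_factory=set)

    def provision(self, role: str) -> Set[int]:
        """Add a role and return the recomputed allow-list."""
        self.roles.add(role)
        return self.policy()

    def deprovision(self, role: str) -> Set[int]:
        """Remove a role and return the recomputed allow-list."""
        self.roles.discard(role)
        return self.policy()

    def policy(self) -> Set[int]:
        return required_ports(self.roles)

    def rules(self) -> List[str]:
        """Render the policy as ordered allow rules followed by a default deny.

        The rule syntax here is a generic illustration, not any real
        firewall's configuration language.
        """
        lines = [f"allow tcp dport {p}" for p in sorted(self.policy())]
        lines.append("deny all")
        return lines


if __name__ == "__main__":
    # Host starts as a web server, then is re-provisioned as a database server.
    print("union policy, web role, excess:",
          sorted(excess_ports(union_policy(), {"web"})))
    print("web-only policy after move to database, missing:",
          sorted(missing_ports(single_role_policy("web"), {"database"})))
    fw = RoleAwareFirewall()
    fw.provision("web")
    fw.provision("database")
    fw.deprovision("web")
    print("role-aware policy, excess:", sorted(excess_ports(fw.policy(), fw.roles)),
          "missing:", sorted(missing_ports(fw.policy(), fw.roles)))
    print("\n".join(fw.rules()))
```

Run stand-alone, the script shows the union policy exposing the database and middleware ports on a host that is only a web server, the web-only policy blocking the database port once the host is re-provisioned, and the role-aware policy with neither excess nor missing ports after the same sequence of provisioning changes.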
Therefore, there is a need in the art for a firewall that is suited to protecting a utility computing system.