Cenic.org
  • Home
  • News
  • Science DMZ as a Security Architecture

Science DMZ as a Security Architecture

Categories RENS & NRENS Security Press Release

Tags esnet science dmz security

ESnet’s Michael Sinatra began his presentation (prepared by him and his colleague Nick Buraglio) by observing that many network engineers regard the Science DMZ architecture as a kind of “plug-and-play” solution to network security concerns – a belief that isn’t actually supported by the architecture model itself. However, the Science DMZ architecture as developed by ESnet and Software-Defined Networking (SDN) can give network engineers a new set of tools to use in the pursuit of trustworthy network security. In addressing this topic, Sinatra first described the architecture and then illustrated the ways in which it could be used to meet network security challenges.

After emphasizing that ESnet’s development of the Science DMZ architecture came as a result of codifying successful practices that were in place at various institutions into a coherent, replicable model, Sinatra then mentioned – and dismantled – one of the most common misconceptions about the Science DMZ: that its purpose is “to get around or avoid firewalls and other security controls.” While many of the issues that stymie big-data researchers are related to the security tools implemented on their institutional networks, getting around these preventive measures is certainly not the purpose of the Science DMZ, nor does the absence of a firewall mean that a network is, in fact, a Science DMZ (a belief that Sinatra has encountered). He would sooner see this characterized as matching security controls to what is being protected while maximizing the functionality of the network for those using it – in other words, enabling finer-grained security controls tailored to the risks present in different parts of the network.

Sinatra then described a variety of common network architectures, including those that use firewalls for security between the campus network and the outside world, and others that do not firewall at that point but instead distribute firewalls throughout various parts of the campus network (administrative, student networks, etc.). This permits security to be tailored to the needs of those using the individual components of the campus infrastructure – a model for security that dovetails well with the Science DMZ model.

He also emphasized that implementing a Science DMZ, contrary to common belief, does entail bidirectional traffic-blocking in the interests of protecting both the campus’s Science DMZ, the campus’s general network, and colleagues using networks beyond the campus. It also must be designed and implemented in a way that enables software patching to take place in the smoothest and most convenient manner, as patching is one of the most significant parts of ensuring a secure network.

Sinatra also treated host-level security tools like host-based firewalls and intrusion detection and stated that he was currently undertaking the development of best practices for them.

He then treated several other tools as well, all of which could (and should) be implemented in some manner on a Science DMZ. In Sinatra’s words, “What are your security best practices in other parts of your network? If you’re not doing that in other parts of your network, then why would you think the Science DMZ should be any different?” Science DMZ security, in other words, consists of more than the presence or absence of firewalls and is not so different from that on other parts of a campus’s network.

After treating the uses and utility of intrusion detection and black hole routing, Sinatra then underlined the importance of being familiar with a network’s typical behavior: “You want to make sure you know what your network looks like on a normal day, so that you know what an abnormal day is.”

He then mentioned the necessity of remaining aware of IPv6, citing instances where IPv6 throughput is better than that over IPv4 even when IPv6 queues were longer. The comparison he used was that of a TSA pre-check line in the airport, where the streamlined process provides higher throughput of “packets” – passengers in the case of the airport security line – even when the pre-check line is longer, because one need not disassemble and reassemble one’s possessions in order to pass through the pre-check line.

Sinatra then moved to the topic of Software-Defined Networking (SDN), also commonly believed to be the answer to network security concerns for Science DMZs. While SDN is not a “drop-in solution,” it definitely has applications to ensuring network security and performance, and he described such working implementations as well as cautioning attendees that these implementations are still not “fully baked” in his words and require “care and feeding.” In addition, by adding a layer of complexity to the Science DMZ, SDN-based tools also increase the number and complexity of possible problems and the pursuit of solutions. The drop-in security solution remains an elusive goal, SDN notwithstanding.

After this treatment of how a Science DMZ can be secured by use of tools, Sinatra then moved into how best practices can be used to secure networks connecting to scientific instruments and high-performance computing (HPC) resources. In other words, once a network engineer has implemented and installed the various tools needed to enhance security onto the components of a network, how should those components then be assembled? As a way of illustrating how deceptively complex such an issue can be, Sinatra mentioned one campus’s old but, as of 1999, still used mass spectrometer, which required connectivity to a MicroPDP-11 in order to function. (Other concerns exist as well, such as the use of outdated or unauthorized equipment in campus labs of which network engineers may be entirely unaware.)

Happily, Sinatra then illustrated a variety of far more secure and usable architectures for the connectivity of network-enabled scientific instruments to attendees – all of which can be found in his slides, along with helpful notes.

Related blog posts

CENIC AIR and Your Campus: From Concept to Connection

CENIC AIR and Your Campus: From Concept to Connection

CENIC Network Automation Update: New Network-Source-of-Truth Tool Implemented

CENIC Network Automation Update: New Network-Source-of-Truth Tool Implemented

Recent news

Major CENIC Line System Upgrade Means Improved Provisioning and Services for CENIC Members

Pacific Wave Distributed International Peering Exchange Supports Big-Data Demonstrations at Supercomputing 2024 Conference

Learn What CENIC and Our Members Accomplished Together in the CENIC 2022-24 Community Report

New Connections to Major Cloud Providers Boost Performance and Value for CENIC Members

SDSC at UC San Diego and CENIC Work to Expand AI Education Infrastructure in California

Recent blog posts

CENIC and its Member Community in 2024: Artificial Intelligence, Digital Equity, and R&E Innovation

CENIC Internships: Working with Higher Ed to Create a Skilled Workforce for the Future of Networking

CENIC AIR and Your Campus: From Concept to Connection

The Easy Button for DDoS Attacks: Fast, Convenient, Cost-Effective Mitigation for CENIC Member Institutions

The Venue is the World: CENIC Helps SFJAZZ Share Music with Everyone

Subscribe to our newsletter

Stay up to date on news and stories from the CENIC community.

Subscribe now

About Network CENIC Membership News