Collaborative Research: CICI: Secure and Resilient Architecture: S3D: A New SDN-Based Security Framework for the Science DMZ
- View All
The Science DMZ (SDMZ) is a key foundational element in building state-of-the-art scientific research infrastructure. The SDMZ is a portion of the network, built at the campus or laboratory''s edge, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or enterprise computing. SDMZs are increasingly being implemented by research agencies, campuses and national labs. In order to improve the throughput of scientific research data, NSF has funded many Science DMZ implementations on campuses by upgrading research network connectivity and encouraging installation of a SDMZ. However, the SDMZ has characteristics that separate it as a unique ecosystem which cannot simply adopt existing enterprise and cloud based network security technologies and policies. This project designs and prototypes an integrated Software Defined Network (SDN) security framework for managing data-intensive science applications utilizing the Science DMZ (SDMZ) model. It offers one of the first demonstrations of how fine-grained security controls can co-exist within a high performance data-intensive network. This project produces significant advancements in the trustworthiness and reliability of large-scale data-intensive scientific research infrastructures.This project evaluates the current state of the SDMZ security architecture, then identifies the current shortcomings in its existing security services. The new proposed framework: 1) defines fine-grained network flow controls using dynamically deployable security services that are migratable and science-application aware; 2) defines a new class of network privilege management policies that can revoke or divert flows that violate SDMZ policies or that differ from user-defined, application-specific usage expectations; 3) establishes high-performance virtual circuits that enable data intensive applications to register and fast-path their authenticated flows across the SDMZ. Furthermore, this project introduces a unified security policy engine to dramatically simplify the control of the above three services. The policy engine offers a valuable and user-friendly abstraction to meet the domain-specific needs of the SDMZ.