Securing the Science DMZ: Best Practices for securing an open perimeter network
Nick Buraglio, Network Engineer, ESnet, Lawrence Berkeley National Laboratory
FTW 14-07, Improving Data Mobility and Management for International Climate Science, Boulder, CO, 7/16/2014
Motivations
● You have a Science DMZ
● You need a Science DMZ
● Need to provide confidentiality, accountability and integrity
[Diagram slides: Science DMZ architecture with a 100G data path and IDS, flow and security data collectors; science image from http://www.science.fau.edu/]
How does your existing security work?
● Perimeter Security
● Patch Scheduling
● Host integrity
● Data assurance
● Accountability
● Action
Perimeter Access Control
● Best Practice ACLs
● Block access to control plane
● Deny inbound access to known exploitable protocols
Limit exposure
● Announce only what needs to access research resources
● Where reasonably possible, announce only research resources via the Science DMZ
Software Patching
● Patch Scheduling
Host Based firewalls
● Host Security - Host based Firewalls
Central Management
● Host Security - Central Management
Host IDS
● Host Security - HIDS (Host IDS)
Accountability
● User Accountability
Baselines
● Traffic graphs
● Flow Data
● Syslog (host and network)
Logging
● Log aggregation
Confidentiality
● Use secure protocols whenever possible
● Utilize MD5 and other data verification mechanisms
Heavy Lifting
● Intrusion detection system
External scanning services
● Vulnerability scanning
Action
● Dynamic black hole routing
● BGP FlowSpec (RFC 5575)
● Community feeds (Bogons, etc.)
Action – Black Hole Routing
● Dynamic black hole routing
● Community BGP feeds (Bogons, etc.)
[Diagram: black hole router fed by IDS, flow and security data collectors]
Action – BGP FlowSpec
● Dynamic black hole routing
● Dissemination of rules via BGP NLRI
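To make "dissemination of rules via BGP NLRI" concrete, the following is an added example (not from the slides or from ESnet) that encodes an RFC 5575 FlowSpec NLRI and its traffic-rate action from Python; it covers the general prefix/numeric component encoding, and the discard rule for 192.0.2.0/24 is a constructed illustration using a documentation prefix.

```python
import ipaddress
import struct

# RFC 5575 component types handled here (the full specification defines twelve).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
NUMERIC_OPS = {"eq": 0x01, "gt": 0x02, "ge": 0x03, "lt": 0x04, "le": 0x05}

def prefix_component(ctype, cidr):
    """Type 1/2: <type><prefix length in bits><minimum number of prefix octets>."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def numeric_component(ctype, ops):
    """Type 3-6: <type>[<operator byte><value>]+.
    ops is a list of (op, value); op is eq/gt/ge/lt/le, with a leading '&' to AND
    the term with the previous one (RFC 5575 terms are ORed by default)."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(ops):
        flags = NUMERIC_OPS[op.lstrip("&")] | (0x40 if op.startswith("&") else 0)
        len_code, fmt = (0, ">B") if value < 0x100 else (1, ">H") if value < 0x10000 else (2, ">I")
        if i == len(ops) - 1:
            flags |= 0x80  # e bit: last operator/value pair of this component
        out += bytes([flags | (len_code << 4)]) + struct.pack(fmt, value)
    return bytes(out)

def flowspec_nlri(components):
    """Wrap components (sorted into ascending type order) in the NLRI length prefix."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body  # extended 2-octet length form

def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Traffic-rate extended community (type 0x8006); a rate of 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))

def discard_rule():
    """Constructed example: discard UDP to port 123 toward 192.0.2.0/24 (documentation prefix)."""
    nlri = flowspec_nlri([
        prefix_component(DEST_PREFIX, "192.0.2.0/24"),
        numeric_component(IP_PROTO, [("eq", 17)]),
        numeric_component(DST_PORT, [("eq", 123)]),
    ])
    return nlri, traffic_rate_community(0)

if __name__ == "__main__":
    nlri, action = discard_rule()
    print("NLRI:", nlri.hex(" "), "\nextended community:", action.hex(" "))
```

The match criteria travel in the NLRI and the action (discard, rate-limit, redirect) in an extended community, which is why a FlowSpec feed can be validated at the receiver like any other BGP announcement.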