Securing the Science DMZ Best Practices for securing an open perimeter network
Nick Buraglio Network Engineer, ESnet Lawrence Berkeley National Laboratory
FTW 14-07, Improving Data Mobility and Management for International Climate Science Boulder, CO 7/16/2014
Motivations
● You have a Science DMZ
● You need a Science DMZ
● Need to provide confidentiality, accountability and integrity
[Diagram: Science DMZ architecture with a 100G path; IDS, flow and security data collectors are attached to the DMZ switch. Science image from http://www.science.fau.edu/]
How does your existing security work?
● Perimeter Security
● Patch Scheduling
● Host integrity
● Data assurance
● Accountability
● Action
Perimeter Access Control
● Best practice ACLs
● Block access to the control plane
● Deny inbound access to known exploitable protocols
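As an added illustration of the ACL points above (this is editor-supplied example configuration, not from the slides or from ESnet's fasterdata material), here is an inbound ACL in Cisco IOS syntax for the WAN-facing interface of a Science DMZ router. All addresses are RFC 5737 documentation prefixes standing in for the router's own management addresses, the upstream BGP peer and one data transfer node; the service list is an assumption about what that DTN runs (GridFTP on 2811 with a 50000-51000 data port range, SSH for administrators). Adapt it to your own services and check the exact syntax on your platform.

```cisco
! Addresses are RFC 5737 documentation prefixes used as placeholders.
! 192.0.2.0/24   router and switch management addresses (control plane)
! 192.0.2.254    upstream BGP peer
! 198.51.100.10  data transfer node (DTN)
ip access-list extended SCIENCE-DMZ-IN
 remark --- control plane: only the upstream peer may talk BGP to us ---
 permit tcp host 192.0.2.254 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.254 eq bgp host 192.0.2.1
 remark --- everything else aimed at network gear management addresses is dropped ---
 deny   ip any 192.0.2.0 0.0.0.255
 remark --- ICMP needed for path MTU discovery and troubleshooting ---
 permit icmp any any packet-too-big
 permit icmp any any ttl-exceeded
 permit icmp any any echo
 permit icmp any any echo-reply
 remark --- known exploitable / non-research protocols never enter the DMZ ---
 deny   tcp any any eq telnet
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 deny   tcp any any eq 3389
 remark --- the DTN exposes only the transfer services it actually runs ---
 permit tcp any host 198.51.100.10 eq 2811
 permit tcp any host 198.51.100.10 range 50000 51000
 permit tcp any host 198.51.100.10 eq 22
 remark --- implicit deny follows; keep "log" only while tuning ---
 deny   ip any any log
!
interface TenGigabitEthernet1/1
 description WAN facing
 ip access-group SCIENCE-DMZ-IN in
```

The list is evaluated first match wins, so the BGP permits must precede the deny for the management prefix. A stateless ACL cannot track the ephemeral data connections a transfer protocol opens, which is why a fixed port range is opened for the DTN; narrow the source to collaborator prefixes where the science allows it. Logging every packet that reaches the final deny loads the router CPU, so drop the `log` keyword once the baseline is understood.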
Limit exposure
● Announce only the addresses that need to reach research resources
● Where reasonably possible, announce only research resources via the Science DMZ
Software Patching
● Patch Scheduling
Host-based firewalls
● Host Security - Host-based firewalls
Central Management
● Host Security - Central Management
Host IDS
● Host Security - HIDS (Host IDS)
Accountability
● User Accountability
Baselines
● Traffic graphs
● Flow Data
● Syslog (host and network)
Logging
● Log aggregation
Confidentiality
● Use secure protocols whenever possible
● Utilize checksums (MD5 or, better, SHA-256) and other data verification mechanisms; note that MD5 catches accidental corruption but not deliberate tampering, since MD5 collisions are practical
Heavy Lifting
● Intrusion detection system
External scanning services
● Vulnerability scanning
Action
● Dynamic black hole routing
● BGP FlowSpec (RFC 5575)
● Community feeds (Bogons, etc.)
Action – Black Hole Routing
● Dynamic black hole routing
● Community BGP feeds (Bogons, etc.)
[Diagram: IDS, flow and security data collectors feeding a black hole router]
Action – BGP FlowSpec
● Dynamic filtering: match on source/destination prefix, protocol and ports and discard or rate-limit, rather than black-holing a whole destination
● Dissemination of rules via BGP NLRI (RFC 5575)
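The Baselines and Action slides describe a pipeline that the deck only names: collect flow data, establish what normal looks like, and turn a deviation into a black hole route or a FlowSpec rule. The following is an editor-added example of that pipeline, not code from the slides or from ESnet. It derives a per-source baseline from constructed flow records, flags sources that leave it, and renders the action as ExaBGP API commands: an RTBH route carrying the well-known BLACKHOLE community 65535:666 (RFC 7999) for a scanner, and a narrower FlowSpec discard rule for a UDP flood. The CSV layout, the addresses (RFC 5737 ranges), the discard next-hop and the exact ExaBGP command text are all assumptions for illustration; check the command syntax against the ExaBGP version you run.

```python
"""Baseline-and-action example for a Science DMZ (editor-added, not ESnet code).

Assumed (not from the slides): flow records are CSV lines
window,src,dst,proto,dport,packets,bytes; the trigger router discards
routes tagged 65535:666 (RFC 7999) and has a FlowSpec session with this host;
the emitted text follows ExaBGP's API syntax (verify for your version).
"""
import statistics
from collections import defaultdict

BLACKHOLE_COMMUNITY = "65535:666"   # well-known BLACKHOLE community, RFC 7999
DISCARD_NEXT_HOP = "192.0.2.254"    # assumed: routed to Null0 on the trigger router
UDP = 17

# Constructed flow records.  Windows 1-2 are history; window 3 holds a port
# scanner (203.0.113.9) and a UDP flood (203.0.113.77) beside an ordinary
# multi-gigabyte DTN transfer from 198.51.100.7, which must not be flagged.
FLOWS_CSV = """\
1,198.51.100.7,192.0.2.10,6,2811,100000,120000000
1,198.51.100.7,192.0.2.10,6,50003,2000000,2400000000
1,198.51.100.8,192.0.2.10,6,2811,80000,90000000
1,198.51.100.8,192.0.2.10,6,50010,1800000,2200000000
1,198.51.100.8,192.0.2.10,17,123,4,300
1,198.51.100.9,192.0.2.11,6,22,50,4000
2,198.51.100.7,192.0.2.10,6,2811,100000,120000000
2,198.51.100.7,192.0.2.10,6,50007,2100000,2500000000
2,198.51.100.8,192.0.2.10,6,2811,70000,85000000
2,198.51.100.8,192.0.2.10,17,123,4,300
2,198.51.100.9,192.0.2.11,6,22,60,5000
2,198.51.100.9,192.0.2.11,17,123,4,300
3,198.51.100.7,192.0.2.10,6,2811,100000,120000000
3,198.51.100.7,192.0.2.10,6,50004,4500000,5400000000
3,203.0.113.77,192.0.2.10,17,53,5000000,400000000
""" + "".join(f"3,203.0.113.9,192.0.2.10,6,{p},1,60\n" for p in range(1, 21))


def parse_flows(text):
    """Parse the constructed CSV into dicts with integer numeric fields."""
    fields = ("window", "src", "dst", "proto", "dport", "packets", "bytes")
    flows = []
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split(",")))
        for k in ("window", "proto", "dport", "packets", "bytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def window_stats(flows, window):
    """Per-source counters for one window.  Bytes are reported but never a
    trigger: multi-gigabyte flows are the normal case in a Science DMZ."""
    acc = defaultdict(lambda: {"targets": set(), "udp": defaultdict(int), "bytes": 0})
    for f in flows:
        if f["window"] != window:
            continue
        a = acc[f["src"]]
        a["targets"].add((f["dst"], f["dport"]))
        a["bytes"] += f["bytes"]
        if f["proto"] == UDP:
            a["udp"][(f["dst"], f["dport"])] += f["packets"]
    out = {}
    for src, a in acc.items():
        top = max(a["udp"], key=a["udp"].get) if a["udp"] else None
        out[src] = {"targets": len(a["targets"]), "udp_pkts": sum(a["udp"].values()),
                    "bytes": a["bytes"], "udp_top": top}
    return out


def baseline(flows, windows, metrics=("targets", "udp_pkts")):
    """Median and MAD of each metric over every (source, window) pair in history."""
    samples = defaultdict(list)
    for w in windows:
        for s in window_stats(flows, w).values():
            for m in metrics:
                samples[m].append(s[m])
    base = {}
    for m, vals in samples.items():
        med = statistics.median(vals)
        mad = statistics.median([abs(v - med) for v in vals]) or 1.0  # no divide-by-zero
        base[m] = (med, mad)
    return base


def robust_z(value, med, mad):
    """Deviation in MAD units (1.4826 scales MAD to a normal-distribution sigma)."""
    return (value - med) / (1.4826 * mad)


def decide(stats, base, threshold=6.0):
    """Choose the narrowest action that stops the behaviour: RTBH for a source
    touching far more targets than normal, a FlowSpec rule for a flood at one target."""
    actions = []
    for src, s in sorted(stats.items()):
        if robust_z(s["targets"], *base["targets"]) > threshold:
            actions.append(("rtbh", src, None))
        elif s["udp_top"] and robust_z(s["udp_pkts"], *base["udp_pkts"]) > threshold:
            actions.append(("flowspec", src, s["udp_top"]))
    return actions


def exabgp_commands(actions):
    """Render actions as ExaBGP API lines (assumed syntax; verify for your version)."""
    cmds = []
    for kind, src, target in actions:
        if kind == "rtbh":
            cmds.append(f"announce route {src}/32 next-hop {DISCARD_NEXT_HOP} "
                        f"community [{BLACKHOLE_COMMUNITY}]")
        else:
            dst, dport = target
            cmds.append("announce flow route { match { "
                        f"source {src}/32; destination {dst}/32; protocol udp; "
                        f"destination-port ={dport}; }} then {{ discard; }} }}")
    return cmds


def run(csv_text=FLOWS_CSV, history=(1, 2), current=3):
    """Baseline on the history windows, judge the current one, emit commands."""
    flows = parse_flows(csv_text)
    actions = decide(window_stats(flows, current), baseline(flows, history))
    return actions, exabgp_commands(actions)


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The baseline deliberately ignores byte counts: a threshold on volume would black-hole exactly the elephant flows the DMZ exists to carry, so the example keys on the number of distinct targets (scans) and on UDP packet rate toward one target (floods), using median and MAD so that a few huge legitimate transfers in the history do not pull the baseline upward. The scanner gets an RTBH /32 because everything it sends is unwanted; the flood gets a FlowSpec match on source, destination, protocol and port so the victim DTN keeps serving everyone else.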
IPv6
● Don’t forget IPv6
Notable mentions
● SDN
Collaboration
● Multiple groups working together
Useful tools and Links
● http://fasterdata.es.net/science-dmz/science-dmz-security/
● http://www.bro-ids.org
Example Checklist
● Announce only research resources
● Filter access to network, storage and management hardware
● Utilize host based firewalls
● Employ central host management
● Centralize logging and flow data collection
● Create baselines for traffic and activity
● Deploy and tune IDS
● Filter with black hole routing
● Make use of regularly scheduled external vulnerability scanning
Questions?