Science DMZ Security


The core idea behind the Science DMZ is a targeted security policy. There are two broad approaches to security:
  • Identifying the risks to a specific set of assets and creating mitigation strategies based on that analysis.
  • Implementing broad, general-purpose controls.
The Science DMZ takes the first approach. Separating enterprise security from Science DMZ security allows each to be optimized for its own traffic profile. This video describes mechanisms that provide high-performance security for data transfer applications in the Science DMZ, and contrasts them with enterprise firewalls.
Video transcript
Let's take a look at an overview of Science DMZ security. The goal for Science DMZ security is, of course, to defend the assets in the Science DMZ. The way we're going to do that is we're going to disentangle the security policy and policy enforcement mechanisms used to defend data-intensive science applications from the security policy and policy enforcement mechanisms used to defend enterprise or business systems. The rationale for this is that the two traffic profiles are actually quite different. In the Science DMZ we have data transfer applications that need to move at high speed, with a small number of flows and a very high per-flow data rate. In an enterprise environment we have a very large number of data flows, each of which is pretty low performance, actually, and we have a wide variety of applications running with a pretty significant attack surface and threat profile. Whereas in the Science DMZ, all the data transfer applications do is exchange credentials over an encrypted channel, open up a couple of data sockets, write a few terabytes to disk, and close. That traffic profile is much simpler from a network security perspective, and so disentangling it from the enterprise traffic allows us to do some optimizations for performance reasons.

So if we look at the core information security principles of confidentiality, availability, and integrity, in the Science DMZ for data-intensive science we've added a fourth requirement, which is performance. We can call it PICA if we want to pronounce it; we can say CIAP if we want to pronounce a bunch of letters; but it doesn't really matter all that much how we describe it. The key point here is we have a fourth requirement: performance. If the performance is compromised, the science mission fails, so we have to figure out a way to secure our systems while maintaining the performance that's required to support the science workflows.

If we look at the way the Science DMZ is constructed, the Science DMZ is outside the enterprise firewall from a network perimeter design perspective; that's deliberate. The data packets going from the wide area network into the data transfer node do not traverse the data plane of the firewall. That doesn't mean they don't go through packet filters, but they don't go through the data plane of a firewall, and that's specifically because the data plane of a firewall is engineered to provide a wide variety of additional security services that often come with a performance penalty.

So what are those security services? Firewalls are incredibly sophisticated in an enterprise environment: they do protocol analysis, they do deep packet inspection, they're user-aware, they've got integrated VPNs, they've got a whole bunch of stuff that's completely irrelevant for the workflow of a data transfer node and a Science DMZ. And so if all we need to do is move five terabytes of data from one file system to another file system, and we're going to use a simple tool to do it, we can optimize the way in which we do the security for the Science DMZ to accommodate that.

Now, if we were going to do this through a firewall, we'd have to ask the firewall administrator to open up the data transfer application to allow it through the firewall. What would the firewall administrator ask for? They would not ask what tool we were using so they can implement a sophisticated protocol analyzer to deeply understand exactly what was going on inside the data transfer application; instead, all they're going to do is ask you for the address and ask you for the port. If all we're going to do is filter by address and port, we can write an access list to do exactly that same thing, and the access list functionality is already built into the Science DMZ switch/router you've already bought.

You don't have to buy a firewall in order to do that, and in fact the access list is not going to cause a performance impact to traffic that's permitted by policy. So that's actually a really key point: traffic permitted by policy should not experience a performance impact as a result of the policy being applied. So does this mean that we ignore security? Absolutely not. We do packet filtering, in some cases very aggressive packet filtering, in the Science DMZ. But we do Science DMZ security in a way that does not compromise the performance of the science mission for which the Science DMZ assets were deployed.
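The address-and-port access list the transcript describes, written out as an added example that is not from the original page or from ESnet: a stateless extended ACL in Cisco IOS syntax applied inbound on the WAN-facing interface of the Science DMZ router. Every address, port and interface name is an assumption chosen for illustration. The DTN at 198.51.100.10 and the collaborator site at 203.0.113.0/24 are RFC 5737 documentation prefixes, and the control port 2811 and data port range 50000-51000 stand in for whatever the data transfer tool is actually configured to use.

```cisco
! Added example, not the page's or ESnet's own configuration.
! Assumed addressing (RFC 5737 documentation space):
!   DTN              198.51.100.10   (inside the Science DMZ prefix 198.51.100.0/24)
!   collaborator     203.0.113.0/24
! Assumed data transfer tool ports: control TCP 2811, data TCP 50000-51000.
ip access-list extended SCIENCE-DMZ-IN
 remark Anti-spoofing: private space and our own DMZ prefix must never arrive from the WAN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 remark Control channel: collaborator site to the DTN (address + port, nothing else)
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 2811
 remark Data channels: inbound connections to the DTN's data port range
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 range 50000 51000
 remark Return traffic for transfers the DTN initiated outbound.
 remark "established" only tests the ACK/RST bits; there is no connection table.
 permit tcp any host 198.51.100.10 established
 remark ICMP needed for path MTU discovery; blackholing it breaks large transfers
 permit icmp any host 198.51.100.10 packet-too-big
 permit icmp any host 198.51.100.10 echo-reply
 remark Default deny, logged
 deny   ip any any log
!
interface TenGigabitEthernet0/0
 description WAN-facing Science DMZ uplink
 ip access-group SCIENCE-DMZ-IN in
```

Two points worth noting when adapting this. First, the `established` entry is the stateless substitute for a firewall's return-traffic tracking: it accepts any TCP segment to the DTN with ACK or RST set, so it relies on the DTN itself exposing nothing but the data transfer service (a host firewall on the DTN and a minimal set of listening daemons are the complement to this ACL, and an outbound ACL in the other direction bounds what a compromised DTN can reach). Second, the `log` keyword on the final deny is useful while tuning the policy, but on most platforms logged ACL hits are punted to the control-plane CPU, so rate-limit ACL logging or drop the keyword once the policy is stable; the permit entries themselves are evaluated in the forwarding hardware and add no per-packet cost to the flows they allow, which is the performance property the transcript is after.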

© 2016, The Regents of the University of California, through Lawrence Berkeley National Laboratory (subject to receipt of any required approvals from the U.S. Dept. of Energy). All rights reserved.

NOTICE. This material is owned by the U.S. Department of Energy. As such, the U.S. Government has been granted for itself and others acting on its behalf a paid-up, nonexclusive, irrevocable, worldwide license in the material to reproduce, prepare derivative works, and perform publicly and display publicly.