Collaborative Research: CICI: Secure and Resilient Architecture: SciGuard: Building a Security Architecture for Science DMZ Based on SDN and NFV Technologies

合作研究：CICI：安全和弹性架构：SciGuard：基于SDN和NFV技术构建科学DMZ安全架构

• 批准号: 1642143
• 负责人: Hongxin Hu
• 金额: $ 49.98万
• 依托单位: Clemson University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-01-01 至 2021-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642143&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a standard cyberinfrastructure requirement. To meet this requirement, an increasingly large number of university campuses have deployed Science DMZs. A Science DMZ is a portion of the network, built at or near the edge of the campus or laboratory's network, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose computing. This project develops a secure and resilient architecture called SciGuard that addresses the security challenges and the inherent weaknesses in Science DMZs. SciGuard is based on two emerging networking paradigms, Software-Defined Networking (SDN) and Network Function Virtualization (NFV), both of which enable the granularity, flexibility and elasticity needed to secure Science DMZs. Two core security functions, an SDN firewall application and a virtual Intrusion Detection System (IDS), coexist in SciGuard for protecting Science DMZs. The SDN firewall application is a software-based, in-line security function running atop the SDN controller. It can scale well without bypassing the firewall using per-flow/per-connection network traffic processing. It is also separated from the institutional hardware-based firewalls to enforce tailored security policies for the science-only traffic sent to Science DMZs. The virtual IDS is an NFV-based, passive security function, which can be quickly instantiated and elastically scaled to deal with attack traffic variations in Science DMZs, while significantly reducing both equipment and operational costs. In addition to these functions, the researchers also design a cloud-based federation mechanism for SciGuard to support security policy automatic testing and security intelligence sharing. The new mechanisms developed in this project are robust, scalable, low cost, easily managed, and optimally provisioned, therefore substantially enhancing the security of Science DMZs. This research encourages the diversity of students involved in the project by active recruitment of women and other underrepresented groups for participation in the project. The project has substantial involvement of graduate students in research, and trains promising undergraduate students in the implementation and experiments of the proposed approach. Moreover, the project enhances academic curricula by integrating the research findings into new and existing courses.

随着数据密集型科学成为许多科学领域的规范，高性能数据传输正迅速成为标准的网络基础设施要求。为了满足这一要求，越来越多的大学校园部署了科学DMZ。科学DMZ是在校园或实验室网络边缘或附近建立的网络的一部分，其设计为使设备，配置和安全策略的优化，用于高性能科学应用，而不是通用计算。该项目开发了一种名为Sciguard的安全且有弹性的体系结构，该体系结构解决了科学DMZ中的安全挑战和固有的弱点。 Sciguard基于两个新兴网络范式，软件定义的网络（SDN）和网络功能虚拟化（NFV），这两者都可以启用保护科学DMZ所需的粒度，灵活性和弹性。两个核心安全功能，一个SDN防火墙应用程序和一个虚拟入侵检测系统（IDS），在Sciguard中共有用于保护科学DMZ的Sciguard。 SDN防火墙应用程序是在SDN控制器上运行的基于软件的在线安全函数。它可以很好地缩放，而无需使用人均/每连接网络流量处理绕过防火墙。 它还与基于机构硬件的防火墙分开，以实施量身定制的安全策略，用于发送给科学DMZ的科学流量。虚拟IDS是一个基于NFV的被动安全功能，可以快速实例化并弹性缩放以应对科学DMZ中的攻击流量变化，同时大大降低了设备和操作成本。除这些功能外，研究人员还为Sciguard设计了一种基于云的联合机制，以支持安全策略自动测试和安全情报共享。该项目中开发的新机制是可靠的，可扩展的，低成本的，易于管理和最佳提供的，因此可以大大提高科学DMZ的安全性。这项研究通过积极招募妇女和其他代表性不足的群体来鼓励参与该项目的学生的多样性。该项目具有研究生的大量参与研究，并培训有希望的本科生在实施和实验的实验中。此外，该项目通过将研究结果纳入新的和现有的课程来增强学术课程。

项目成果

Enabling NFV Elasticity Control With Optimized Flow Migration

• DOI: 10.1109/jsac.2018.2869953
• 发表时间: 2018-09
• 期刊: IEEE Journal on Selected Areas in Communications
• 影响因子: 16.4
• 作者: Chen Sun;J. Bi;Zili Meng;Tong Yang;Xiao Zhang;Hongxin Hu

SmartChain: Enabling High-Performance Service Chain Partition between SmartNIC and CPU

• DOI: 10.1109/icc40277.2020.9149136
• 发表时间: 2020-06
• 期刊: ICC 2020 - 2020 IEEE International Conference on Communications (ICC)
• 作者: Shuhe Wang;Zili Meng;Chen Sun;Minhu Wang;Mingwei Xu;J. Bi;Tong Yang;Qun Huang;Hongxin Hu

Teaching SDN Security Using Hands-on Labs in CloudLab

使用 CloudLab 中的动手实验室教授 SDN 安全性

• 发表时间: 2020
• 期刊: Journal of the Colloquium for Information System Security Education
• 作者: Yuan, Xiaohong;Liu, Zhipeng;Park, Younghee;Hu, Hongxin;Li, Hongda
• 通讯作者: Li, Hongda

FastFE: Accelerating ML-based Traffic Analysis with Programmable Switches

FastFE：利用可编程交换机加速基于 ML 的流量分析

• DOI: 10.1145/3405669.3405818
• 发表时间: 2020
• 期刊: SPIN '20: Proceedings of the Workshop on Secure Programmable Network Infrastructure
• 作者: Bai, Jiasong;Zhang, Menghao;Li, Guanyu;Liu, Chang;Xu, Mingwei;Hu, Hongxin
• 通讯作者: Hu, Hongxin

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

• DOI: 10.1145/3243734.3243862
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Hongda Li;Hongxin Hu;G. Gu;Gail-Joon Ahn;Fuqiang Zhang