Collaborative Research: CICI: Secure and Resilient Architecture: SciGuard: Building a Security Architecture for Science DMZ Based on SDN and NFV Technologies

合作研究：CICI：安全和弹性架构：SciGuard：基于SDN和NFV技术构建科学DMZ安全架构

• 批准号: 1642143
• 负责人: Hongxin Hu
• 金额: $ 49.98万
• 依托单位: Clemson University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-01-01 至 2021-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642143&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a standard cyberinfrastructure requirement. To meet this requirement, an increasingly large number of university campuses have deployed Science DMZs. A Science DMZ is a portion of the network, built at or near the edge of the campus or laboratory's network, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose computing. This project develops a secure and resilient architecture called SciGuard that addresses the security challenges and the inherent weaknesses in Science DMZs. SciGuard is based on two emerging networking paradigms, Software-Defined Networking (SDN) and Network Function Virtualization (NFV), both of which enable the granularity, flexibility and elasticity needed to secure Science DMZs. Two core security functions, an SDN firewall application and a virtual Intrusion Detection System (IDS), coexist in SciGuard for protecting Science DMZs. The SDN firewall application is a software-based, in-line security function running atop the SDN controller. It can scale well without bypassing the firewall using per-flow/per-connection network traffic processing. It is also separated from the institutional hardware-based firewalls to enforce tailored security policies for the science-only traffic sent to Science DMZs. The virtual IDS is an NFV-based, passive security function, which can be quickly instantiated and elastically scaled to deal with attack traffic variations in Science DMZs, while significantly reducing both equipment and operational costs. In addition to these functions, the researchers also design a cloud-based federation mechanism for SciGuard to support security policy automatic testing and security intelligence sharing. The new mechanisms developed in this project are robust, scalable, low cost, easily managed, and optimally provisioned, therefore substantially enhancing the security of Science DMZs. This research encourages the diversity of students involved in the project by active recruitment of women and other underrepresented groups for participation in the project. The project has substantial involvement of graduate students in research, and trains promising undergraduate students in the implementation and experiments of the proposed approach. Moreover, the project enhances academic curricula by integrating the research findings into new and existing courses.

随着数据密集型科学成为许多科学领域的常态，高性能数据传输正迅速成为网络基础设施的标准要求。为了满足这一要求，越来越多的大学校园部署了科学 DMZ。科学 DMZ 是网络的一部分，构建在校园或实验室网络边缘或附近，其设计目的是针对高性能科学应用而不是通用目的优化设备、配置和安全策略计算。该项目开发了一种名为 SciGuard 的安全且有弹性的架构，可解决科学 DMZ 中的安全挑战和固有弱点。 SciGuard 基于两种新兴的网络范例：软件定义网络 (SDN) 和网络功能虚拟化 (NFV)，这两种范例都能够实现保护 Science DMZ 所需的粒度、灵活性和弹性。 SciGuard 中共存了两个核心安全功能：SDN 防火墙应用程序和虚拟入侵检测系统 (IDS)，用于保护 Science DMZ。 SDN 防火墙应用程序是运行在 SDN 控制器之上的基于软件的内联安全功能。它可以使用每流/每连接网络流量处理来很好地扩展，而无需绕过防火墙。 它还与基于硬件的机构防火墙分开，为发送到科学 DMZ 的纯科学流量实施定制的安全策略。虚拟IDS是一种基于NFV的被动安全功能，可以快速实例化和弹性扩展，以应对Science DMZ中的攻击流量变化，同时显着降低设备和运营成本。除了这些功能之外，研究人员还为SciGuard设计了基于云的联邦机制，以支持安全策略自动测试和安全情报共享。该项目开发的新机制强大、可扩展、成本低、易于管理且配置最佳，因此大大增强了科学 DMZ 的安全性。这项研究通过积极招募女性和其他代表性不足的群体参与该项目，鼓励参与该项目的学生的多样性。该项目让研究生大量参与研究，并培训有前途的本科生实施和实验所提出的方法。此外，该项目通过将研究成果整合到新课程和现有课程中来增强学术课程。

项目成果

Enabling NFV Elasticity Control With Optimized Flow Migration

• DOI: 10.1109/jsac.2018.2869953
• 发表时间: 2018-09
• 期刊: IEEE Journal on Selected Areas in Communications
• 影响因子: 16.4
• 作者: Chen Sun;J. Bi;Zili Meng;Tong Yang;Xiao Zhang;Hongxin Hu

SmartChain: Enabling High-Performance Service Chain Partition between SmartNIC and CPU

• DOI: 10.1109/icc40277.2020.9149136
• 发表时间: 2020-06
• 期刊: ICC 2020 - 2020 IEEE International Conference on Communications (ICC)
• 作者: Shuhe Wang;Zili Meng;Chen Sun;Minhu Wang;Mingwei Xu;J. Bi;Tong Yang;Qun Huang;Hongxin Hu

Teaching SDN Security Using Hands-on Labs in CloudLab

使用 CloudLab 中的动手实验室教授 SDN 安全性

• 发表时间: 2020
• 期刊: Journal of the Colloquium for Information System Security Education
• 作者: Yuan, Xiaohong;Liu, Zhipeng;Park, Younghee;Hu, Hongxin;Li, Hongda
• 通讯作者: Li, Hongda

FastFE: Accelerating ML-based Traffic Analysis with Programmable Switches

FastFE：利用可编程交换机加速基于 ML 的流量分析

• DOI: 10.1145/3405669.3405818
• 发表时间: 2020
• 期刊: SPIN '20: Proceedings of the Workshop on Secure Programmable Network Infrastructure
• 作者: Bai, Jiasong;Zhang, Menghao;Li, Guanyu;Liu, Chang;Xu, Mingwei;Hu, Hongxin
• 通讯作者: Hu, Hongxin

Towards Efficient Traffic Monitoring for Science DMZ with Side-Channel based Traffic Winnowing

利用基于侧信道的流量风选实现科学 DMZ 的高效流量监控

• DOI: 10.1145/3180465.3180474
• 发表时间: 2018
• 期刊: ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization
• 作者: Li, Hongda;Zhang, Fuqiang;Yu, Lu;Oakley, Jon;Hu, Hongxin;Brooks, Richard R.
• 通讯作者: Brooks, Richard R.