Collaborative Research: CICI: Secure and Resilient Architecture: S3D: A New SDN-Based Security Framework for the Science DMZ

合作研究：CICI：安全和弹性架构：S3D：用于科学 DMZ 的新的基于 SDN 的安全框架

• 批准号: 1642101
• 负责人: Douglas Swany
• 金额: $ 30万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-11-01 至 2019-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642101&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

The Science DMZ (SDMZ) is a key foundational element in building state-of-the-art scientific research infrastructure. The SDMZ is a portion of the network, built at the campus or laboratory's edge, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or enterprise computing. SDMZs are increasingly being implemented by research agencies, campuses and national labs. In order to improve the throughput of scientific research data, NSF has funded many Science DMZ implementations on campuses by upgrading research network connectivity and encouraging installation of a SDMZ. However, the SDMZ has characteristics that separate it as a unique ecosystem which cannot simply adopt existing enterprise and cloud based network security technologies and policies. This project designs and prototypes an integrated Software Defined Network (SDN) security framework for managing data-intensive science applications utilizing the Science DMZ (SDMZ) model. It offers one of the first demonstrations of how fine-grained security controls can co-exist within a high performance data-intensive network. This project produces significant advancements in the trustworthiness and reliability of large-scale data-intensive scientific research infrastructures.This project evaluates the current state of the SDMZ security architecture, then identifies the current shortcomings in its existing security services. The new proposed framework: 1) defines fine-grained network flow controls using dynamically deployable security services that are migratable and science-application aware; 2) defines a new class of network privilege management policies that can revoke or divert flows that violate SDMZ policies or that differ from user-defined, application-specific usage expectations; 3) establishes high-performance virtual circuits that enable data intensive applications to register and fast-path their authenticated flows across the SDMZ. Furthermore, this project introduces a unified security policy engine to dramatically simplify the control of the above three services. The policy engine offers a valuable and user-friendly abstraction to meet the domain-specific needs of the SDMZ.

科学 DMZ (SDMZ) 是建设最先进的科学研究基础设施的关键基础要素。 SDMZ 是网络的一部分，构建在校园或实验室边缘，其设计目的是针对高性能科学应用程序而不是通用业务系统或企业计算来优化设备、配置和安全策略。 SDMZ 越来越多地由研究机构、校园和国家实验室实施。为了提高科学研究数据的吞吐量，NSF 通过升级研究网络连接和鼓励安装 SDMZ 来资助许多校园科学 DMZ 的实施。然而，SDMZ 的特点使其成为一个独特的生态系统，不能简单地采用现有的企业和基于云的网络安全技术和策略。该项目设计并构建了一个集成的软件定义网络 (SDN) 安全框架原型，用于利用科学 DMZ (SDMZ) 模型管理数据密集型科学应用程序。它提供了细粒度安全控制如何在高性能数据密集型网络中共存的首批演示之一。该项目在大规模数据密集型科学研究基础设施的可信度和可靠性方面取得了重大进步。该项目评估了SDMZ安全架构的现状，然后识别了其现有安全服务中的当前缺陷。新提出的框架：1）使用可迁移和科学应用感知的动态可部署安全服务定义细粒度的网络流量控制； 2) 定义一类新的网络权限管理策略，可以撤销或转移违反​​ SDMZ 策略或与用户定义的、特定于应用程序的使用期望不同的流量； 3) 建立高性能虚拟电路，使数据密集型应用程序能够在 SDMZ 上注册并快速传输其经过身份验证的流。此外，该项目引入了统一的安全策略引擎，大大简化了对上述三种服务的控制。策略引擎提供了有价值且用户友好的抽象，以满足 SDMZ 的特定领域需求。