Securing the Science DMZ Best Practices for securing an open perimeter network

Nick Buraglio Network Engineer, ESnet Lawrence Berkeley National Laboratory

FTW 14-07, Improving Data Mobility and Management for International Climate Science Boulder, CO 7/16/2014

Motivations

●  You have a Science DMZ ●  You need a Science DMZ ●  Need to provide confidentiality, accountability and integrity

IDS, Flow, Security data collectors

IDS, Flow, Security data collectors

Science Image from http://www.science.fau.edu/

100G

IDS, Flow, Security data collectors

7/11/14 6

How does your existing security work? ●  Perimeter Security

●  Patch Scheduling

●  Host integrity

●  Data assurance

●  Accountability

●  Action

Perimeter Access Control

●  Best Practice ACLs ●  Block access to control plane

●  Deny inbound access to known exploitable protocols

Limit exposure

●  Announce only what needs to access research resources •  Where reasonably possible, announce only research resources via science DMZ

Software Patching

●  Patch Scheduling

Host Based firewalls

●  Host Security - Host based Firewalls

Central Management

●  Host Security - Central Management

Host IDS

●  Host Security - HIDS (Host IDS)

Accountability

●  User Accountability

Baselines

●  Traffic graphs

●  Flow Data

●  Syslog (host and network)

Logging

●  Log aggregation

Confidentiality

●  Use secure protocols whenever possible

●  Utilize MD5 and other data verification mechanisms

Heavy Lifting

●  Intrusion detection system

External scanning services

●  Vulnerability scanning

Action

●  Dynamic black hole routing

●  BGP FlowSpec (RFC 5575)

●  Community feeds (Bogons, etc.)

Action – Black Hole Routing

●  Dynamic black hole routing ●  Community BGP feeds (Bogons, etc.)

IDS, Flow, Security data collectors

Black Hole Router

Action – BGP FlowSpec

●  Dynamic black hole routing ●  Dissemination of rules via BGP NLRI

IPv6

●  Don’t forget IPv6

Notable mentions

●  SDN

Collaboration

●  Multiple groups working together

Useful tools and Links

●  engage@es.net

●  http://fasterdata.es.net/science-dmz/science-dmz-security/

●  http://www.bro-ids.org

Example Checklist

●  Announce only research resources

●  Filter access to network, storage and management hardware

●  Utilize host based firewalls

●  Employ central host management

●  Centralize logging and flow data collection

●  Create baselines for traffic and activity

●  Deploy and tune IDS

●  Filter with black hole routing

●  Make use of regularly scheduled external vulnerability scanning

7/11/14 28

Questions?

Securing the Science DMZ Best Practices for securing an open perimeter network

Nick Buraglio Network Engineer Lawrence Berkeley National Laboratory

FTW 14-07, Improving Data Mobility and Management for International Climate Science Boulder, CO 7/16/2014