Securing the Science DMZ: Best Practices for securing an open perimeter network


  • Securing the Science DMZ Best Practices for securing an open perimeter network

    Nick Buraglio, Network Engineer, ESnet, Lawrence Berkeley National Laboratory

    FTW 14-07, Improving Data Mobility and Management for International Climate Science Boulder, CO 7/16/2014

  • Motivations

    ●  You have a Science DMZ

    ●  You need a Science DMZ

    ●  Need to provide confidentiality, accountability and integrity

    [Diagram slides: Science DMZ topology with IDS, flow and security data collectors on a 100G path; science image from http://www.science.fau.edu/]

  • How does your existing security work?

    ●  Perimeter Security

    ●  Patch Scheduling

    ●  Host integrity

    ●  Data assurance

    ●  Accountability

    ●  Action

  • Perimeter Access Control

    ●  Best Practice ACLs

    ●  Block access to control plane

    ●  Deny inbound access to known exploitable protocols

  • Limit exposure

    ●  Announce only what needs to access research resources

       •  Where reasonably possible, announce only research resources via the Science DMZ

  • Software Patching

    ●  Patch Scheduling

  • Host Based firewalls

    ●  Host Security - Host based Firewalls

  • Central Management

    ●  Host Security - Central Management

  • Host IDS

    ●  Host Security - HIDS (Host IDS)

  • Accountability

    ●  User Accountability

  • Baselines

    ●  Traffic graphs

    ●  Flow Data

    ●  Syslog (host and network)
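    The baseline bullets above are only useful if something compares live flow data against the learned baseline. The following is an added example, not code from the slides or from ESnet: it aggregates constructed NetFlow-style records (window, source host, bytes) per host, learns a per-host mean and standard deviation over the first few windows, and raises an alert when a later window deviates by more than a threshold. Host names, record layout and the window count are assumptions for illustration.

```python
"""Flow-data baseline with deviation alerting (added example, not from the slides)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window index, src_host, bytes). A real deployment
# would read these from a NetFlow/IPFIX/sFlow collector; these values are made up.
FLOW_RECORDS = [
    (0, "dtn1", 120_000_000), (0, "dtn2", 80_000_000),
    (1, "dtn1", 125_000_000), (1, "dtn2", 82_000_000),
    (2, "dtn1", 118_000_000), (2, "dtn2", 79_000_000),
    (3, "dtn1", 122_000_000), (3, "dtn2", 81_000_000),
    (4, "dtn1", 121_000_000), (4, "dtn2", 80_500_000),
    (5, "dtn1", 119_000_000), (5, "dtn2", 900_000_000),  # constructed spike on dtn2
]


def aggregate_by_window(records):
    """Sum bytes per (host, window) -> {host: [bytes per window, in window order]}."""
    per_host = defaultdict(lambda: defaultdict(int))
    for window, host, nbytes in records:
        per_host[host][window] += nbytes
    return {h: [w[i] for i in sorted(w)] for h, w in per_host.items()}


def build_baseline(series, learn_windows):
    """Mean and population std-dev of the first learn_windows samples per host."""
    baseline = {}
    for host, samples in series.items():
        train = samples[:learn_windows]
        baseline[host] = (mean(train), pstdev(train))
    return baseline


def detect_deviations(series, baseline, learn_windows, threshold=3.0):
    """Return (host, window, bytes, z-score) for windows beyond the threshold."""
    alerts = []
    for host, samples in series.items():
        mu, sigma = baseline[host]
        for idx, value in enumerate(samples[learn_windows:], start=learn_windows):
            # A perfectly flat baseline gives sigma == 0; treat any change as infinite deviation.
            if sigma:
                z = (value - mu) / sigma
            else:
                z = float("inf") if value != mu else 0.0
            if abs(z) >= threshold:
                alerts.append((host, idx, value, round(z, 1)))
    return alerts


def run(records=FLOW_RECORDS, learn_windows=5):
    series = aggregate_by_window(records)
    baseline = build_baseline(series, learn_windows)
    return detect_deviations(series, baseline, learn_windows)


if __name__ == "__main__":
    for host, window, nbytes, z in run():
        print(f"ALERT host={host} window={window} bytes={nbytes} z={z}")
```

    Five learning windows are far too few for production; the point is the structure: aggregate, learn per host, compare later windows against the learned distribution, and send the alerts to the same central log collector the next slide calls for.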

  • Logging

    ●  Log aggregation

  • Confidentiality

    ●  Use secure protocols whenever possible

    ●  Utilize MD5 and other data verification mechanisms
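    To make the data-verification bullet concrete, here is an added example (not code from the slides or from ESnet) that checks transferred files against a digest manifest. The manifest format `<algo>  <hexdigest>  <name>` and the status strings are assumptions. MD5, as named on the slide, still detects transfer corruption, but it is not collision resistant, so the checker flags MD5 and SHA-1 entries as legacy and treats SHA-256 or stronger as the preferred choice for tamper detection.

```python
"""Verify transferred files against a digest manifest (added example, not from the slides)."""
import hashlib
import hmac
import os
import tempfile

# Assumed manifest line format: "<algo>  <hexdigest>  <name>". Lines starting with '#' are comments.
LEGACY_ALGOS = ("md5", "sha1")  # fine against corruption, not against deliberate substitution


def digest_file(path, algo, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte datasets never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Return a list of (algo, expected_hexdigest, name) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, expected, name = line.split(maxsplit=2)
        entries.append((algo.lower(), expected.lower(), name))
    return entries


def verify(directory, manifest_text):
    """Map each manifest name to 'ok', 'ok-legacy-algo', 'MISMATCH', 'MISSING' or 'UNSUPPORTED'."""
    results = {}
    for algo, expected, name in parse_manifest(manifest_text):
        path = os.path.join(directory, name)
        if algo not in hashlib.algorithms_available:
            results[name] = "UNSUPPORTED"
            continue
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = digest_file(path, algo)
        # compare_digest keeps the comparison constant-time if the manifest is attacker influenced.
        if not hmac.compare_digest(actual, expected):
            results[name] = "MISMATCH"
        elif algo in LEGACY_ALGOS:
            results[name] = "ok-legacy-algo"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed dataset: two intact files, one altered after the manifest was written, one absent."""
    with tempfile.TemporaryDirectory() as d:
        files = {"a.nc": b"climate data chunk A", "b.nc": b"climate data chunk B", "c.nc": b"original"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = "\n".join([
            "# algo  digest  name",
            f"sha256  {hashlib.sha256(files['a.nc']).hexdigest()}  a.nc",
            f"md5  {hashlib.md5(files['b.nc']).hexdigest()}  b.nc",
            f"sha256  {hashlib.sha256(files['c.nc']).hexdigest()}  c.nc",
            f"sha256  {'0' * 64}  d.nc",
        ])
        with open(os.path.join(d, "c.nc"), "wb") as fh:
            fh.write(b"tampered")  # simulate modification after the manifest was produced
        return verify(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

    A digest manifest that travels over the same path as the data only proves the two arrived together; to detect substitution rather than corruption, the manifest itself has to come over an authenticated channel (the secure protocols the slide asks for) or be signed.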

  • Heavy Lifting

    ●  Intrusion detection system

  • External scanning services

    ●  Vulnerability scanning

  • Action

    ●  Dynamic black hole routing

    ●  BGP FlowSpec (RFC 5575)

    ●  Community feeds (Bogons, etc.)

  • Action – Black Hole Routing

    ●  Dynamic black hole routing

    ●  Community BGP feeds (Bogons, etc.)

    [Diagram slide: black hole router placed alongside the IDS, flow and security data collectors]

  • Action – BGP FlowSpec

    ●  Dynamic black hole routing

    ●  Dissemination of rules via BGP NLRI

  • IPv6

    ●  Don’t forget IPv6

  • Notable mentions

    ●  SDN

  • Collaboration

    ●  Multiple groups working together

  • Useful tools and Links

    ●  engage@es.net

    ●  http://fasterdata.es.net/science-dmz/science-dmz-security/

    ●  http://www.bro-ids.org

  • Example Checklist

    ●  Announce only research resources

    ●  Filter access to network, storage and management hardware

    ●  Utilize host based firewalls

    ●  Employ central host management

    ●  Centralize logging and flow data collection

    ●  Create baselines for traffic and activity

    ●  Deploy and tune IDS

    ●  Filter with black hole routing

    ●  Make use of regularly scheduled external vulnerability scanning

    Questions?
