Securing the Science DMZ and Research
Damian Doyle, Director of Enterprise Infrastructure, UMBC
Nick Lewis, NET+ Program Manager for Security and Identity, Internet2
April 2016
Agenda
- Current State
- Securing the Science DMZ
- How this could integrate into your campus information security program
- Questions
What is Research Security?
- Protect the research, researchers, human subjects, and the institution!
- Researchers have broad compliance responsibilities, pre- and post-award
- Common Rule, NIST, FISMA, HIPAA, FDA, ITAR, EAR, NERC, Select Agents, oh my!
Why Is Research Security Important?
- Requirements from funding agencies around protecting research
- Requirements differ between agencies and other funders; oversight and guidance differ as well
- FBI National Security report from 2011: https://www.fbi.gov/about-us/investigate/counterintelligence/higher-education-and-national-security
- High-profile attacks on research at universities
The Science DMZ in 1 Slide
- Consists of three key components, all required:
  - "Friction free" network path
    - Security policy and enforcement specific to science workflows
  - Dedicated, high-performance Data Transfer Nodes (DTNs)
  - Performance measurement/test node
  - Engagement with end users
- https://fasterdata.es.net/science-dmz/
Campus Information Security Program
- Most campuses have a program for managing IT security risk across campus
- Working with IT, auditors, compliance, legal, risk, privacy, security officers, and boards
- Research is one component of the group, which includes Science DMZs
- Addressing the highest risks, but risk from research may not be well understood
Research Security from Community
- Few resources on how to handle security requirements from research
  - Ok, there are some. See presentations here, in prior years, and elsewhere.
- Many institutions have some guidance
- HEISC InfoSec Guide: https://spaces.internet2.edu/display/2014infosecurityguide/Top+Information+Security+Concerns+for+Researchers
- Center for Trustworthy Scientific Cyberinfrastructure
- NET+ program does have some services
  - Example from the NET+ program around AWS and Azure
Current State from Researcher
- Most researchers know they need to protect their research, especially if it includes human subjects or high-security topics
- Researchers must be experts in science, tech, grants, finance, and administration
  - IT security is one of many requirements
  - Everything other than the research takes time from the research
- Researchers know they need to protect human subjects
Examples with Risk in Research
- Vaccine trials in a neonatal ICU
- Secondary data analysis on health insurance data
- Nuclear materials
- Compromised HPC used to mine bitcoin
- Genome databases
What is Securing the Science DMZ and Research?
- How to include the Science DMZ in your research security program
- Make researchers and administration aware of the capabilities so they can include them in research proposal planning and design
  - Template language to include in proposals
- Enable researchers to do research!
Potential Best Practices
- Develop and share with the community!
- How to identify research that needs a Science DMZ
  - Flow charts?
- How to explain it to researchers, auditors, legal, compliance, IT, and others
- Example: if the IRB or research administration reviews a proposal that requires servers set up for the researcher, data transfer with outside parties, or complicated IT requirements, they could refer the researcher to the Science DMZ
Origins of the Science DMZ
- Research data streams often use different applications from the enterprise network and can have very different latency and performance characteristics
  - Latency and jitter cause havoc on long-distance connections
- Traditional enterprise security platforms must do deep inspection because of the wide breadth of applications and usage they have to protect
- A lot of research data can bottleneck and may only be available for short periods of time due to constant updates/refreshes
- Enterprise security perceived as a barrier to research
- Needed a way to allow research without requiring massive investment in the enterprise security platform to support the needs of a few research groups
Early Misconceptions (How I learned to stop worrying and love the Science DMZ)
- The Science DMZ bypasses security by avoiding campus firewalls
  - The intent was never to bypass security
- Researchers don't want to deal with security because it gets in the way of their research
  - Researchers do want to protect their data, but they approach this from a very different mindset than enterprise security tends to
- Science DMZs are only for major research centers
  - Anyone who pulls in research data can benefit from a Science DMZ, and they can be very easy to put in place
- We need to change the discussion and refocus it
Technical Approaches
- There is no one-size-fits-all solution
  - It depends on the amount of research being done and the requirements of those researchers
- DTNs and why we should love them
  - DTNs, Data Transfer Nodes, are really servers sitting in a Science DMZ that are designed to pump data in and out very quickly
  - They are not meant to be a long-term repository; they are a staging area for data so that it can be pulled/pushed quickly regardless of the backend systems and infrastructure in place throughout the campus
  - Two basic types:
    - Open DTN: reachable from the Internet and isolated in the Science DMZ so that a compromise doesn't lead to cascading infections
    - Closed DTN: only reachable from defined resources on the Internet that have been whitelisted
- Different Science DMZ approaches we will discuss
  - Basic deployment: low impact, small resources needed
  - Advanced deployment: longer term, more flexible, but requires more resources
Basic Science DMZ Approach
- Establish a data transfer node (DTN) in the Science DMZ
- Open DTN option
  - Size local storage to hold enough data so it can stream in quickly, then trickle into the campus through the existing enterprise security
- Closed DTN option
  - Only whitelisted IP addresses can access it from outside the campus
  - Utilize router access control lists or local machine firewalls to establish default-deny policies
  - Does not need much local storage; it can be directly linked to the internal resources because of the extremely restrictive access
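The closed DTN option comes down to a default-deny host firewall with a short whitelist of collaborator networks. The following is an added example, not UMBC's configuration or anything from the presenters: a small Python generator that turns a whitelist into an iptables-restore fragment and a policy oracle that answers "would this inbound connection be accepted?" so the whitelist can be reviewed before it is loaded. The DTN address, peer networks, management network and the port list (SSH plus 2811, assumed here to be the GridFTP control port) are all placeholders.

```python
import ipaddress

# Constructed placeholder values (documentation ranges), not real UMBC hosts or peers.
DTN_ADDRESS = "192.0.2.10"                          # the closed DTN host
ALLOWED_PEERS = ["198.51.100.0/24", "203.0.113.25"]  # whitelisted collaborator sources
TRANSFER_PORTS = [22, 2811]                          # assumed: SSH and GridFTP control
MGMT_NET = "10.0.0.0/8"                              # assumed campus management network


def validate_peers(peers):
    """Parse the whitelist as IPv4 networks and refuse entries that would quietly
    widen it (host bits set, IPv6, or a prefix broader than /16)."""
    nets = []
    for peer in peers:
        net = ipaddress.ip_network(peer, strict=True)   # ValueError on host bits set
        if net.version != 4:
            raise ValueError(f"only IPv4 peers are handled here: {peer}")
        if net.num_addresses > 2 ** 16:
            raise ValueError(f"prefix wider than /16 is too broad for a closed DTN: {peer}")
        nets.append(net)
    return nets


def closed_dtn_ruleset(dtn_ip, peers, ports, mgmt_net):
    """Build the filter table for iptables-restore: default DROP on INPUT, allow
    loopback and already-established flows, SSH only from the management network,
    transfer ports only from whitelisted peers, and log-then-drop everything else."""
    nets = validate_peers(peers)
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        f"-A INPUT -s {mgmt_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
    ]
    for net in nets:
        for port in ports:
            lines.append(
                f"-A INPUT -s {net} -d {dtn_ip} -p tcp --dport {port} "
                "-m conntrack --ctstate NEW -j ACCEPT"
            )
    # Rate-limited logging gives the IDS/SIEM a record of what the default deny is catching.
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "closed-dtn-drop: "')
    lines.append("-A INPUT -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def is_reachable(src_ip, dst_port, peers, ports, mgmt_net):
    """Policy oracle mirroring the ruleset: is a NEW inbound TCP connection from
    src_ip to dst_port accepted? Used to review the whitelist before loading it."""
    src = ipaddress.ip_address(src_ip)
    if dst_port == 22 and src in ipaddress.ip_network(mgmt_net):
        return True
    return dst_port in ports and any(src in net for net in validate_peers(peers))


if __name__ == "__main__":
    # Write the output to a file and load it with: iptables-restore < closed-dtn.rules
    print(closed_dtn_ruleset(DTN_ADDRESS, ALLOWED_PEERS, TRANSFER_PORTS, MGMT_NET), end="")
```

The router-ACL variant of the same policy is the same list of (source network, port) pairs expressed in the router's syntax; generating both from one whitelist keeps the two from drifting apart.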
Basic Science DMZ configuration options
[Diagram: Internet, Campus Network, Open DTN Host, Closed DTN Host, DTN Local Storage, Research Environments]
Advanced Science DMZ Approach
- Intermediate: scaling beyond iptables/ACLs
  - Implement Bro for the Open DTN and other resources within the Science DMZ
  - Continue to use iptables when possible
- Longer-term: deploy SDN for regular campus flows
  - Add SDN to the DTN node to lower latency and improve end-to-end performance
  - SDN will allow for real-time adjustments on a flow-by-flow basis, enabling access only as required
  - Focus on the largest transfers or on low latency
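The intermediate step adds Bro in front of the DTNs, which means the DTN policy can be audited against what was actually observed on the wire rather than only against the ruleset. As an added example (not code from the presenters, UMBC or the Bro project): a parser for Bro's tab-separated conn.log driven by its #fields header, and an audit that flags two things a DTN operator cares about: a closed DTN receiving a connection from a source outside its whitelist (an ACL gap, or a probe that the host firewall dropped and Bro still saw), and any DTN sending a large volume of payload to a destination that is not a known peer. The column names are Bro's, but the log lines, the DTN policy table and the 1 GB egress threshold are constructed for this example.

```python
import ipaddress

# Constructed sample conn.log with a reduced column set (a real conn.log has more
# columns; the #fields line drives the parser, so the subset does not matter).
# Addresses are documentation ranges, not real UMBC traffic.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1459468800.000000\tCabc1\t198.51.100.7\t41234\t192.0.2.10\t2811\ttcp\t-\t600.0\t120000000000\t50000\tSF\n"
    "1459468860.000000\tCabc2\t203.0.113.99\t55555\t192.0.2.10\t2811\ttcp\t-\t0.0\t0\t0\tS0\n"
    "1459468920.000000\tCabc3\t192.0.2.11\t44444\t203.0.113.250\t443\ttcp\tssl\t30.0\t400\t1200\tSF\n"
    "1459468980.000000\tCabc4\t192.0.2.10\t33333\t198.51.100.30\t2811\ttcp\t-\t900.0\t250000000000\t2000\tSF\n"
    "1459469040.000000\tCabc5\t192.0.2.10\t33334\t203.0.113.250\t443\ttcp\tssl\t5.0\t3000000000\t900\tSF\n"
)

# Assumed policy: which hosts are DTNs, whether each is closed, and its peer whitelist.
DTN_POLICY = {
    "192.0.2.10": {"closed": True, "peers": ["198.51.100.0/24"]},
    "192.0.2.11": {"closed": False, "peers": ["198.51.100.0/24"]},
}
EGRESS_BYTES_THRESHOLD = 1_000_000_000  # assumed: 1 GB of payload to a non-peer is worth a look


def parse_conn_log(text):
    """Parse Bro's ASCII conn.log: '#fields' names the columns, other '#' lines are
    metadata, '-' means unset. Returns a list of dicts keyed by Bro's field names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        records.append(dict(zip(fields, values)))
    return records


def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def audit_dtn_flows(records, policy, egress_threshold):
    """Check each connection against the DTN policy and return a list of findings."""
    findings = []
    for r in records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        # Closed DTN: anything inbound from outside the whitelist should not exist.
        if dst in policy and policy[dst]["closed"] and not _in_any(src, policy[dst]["peers"]):
            findings.append({"uid": r["uid"], "type": "closed-dtn-inbound-from-non-peer",
                             "src": src, "dst": dst, "state": r["conn_state"]})
        # Any DTN: bulk payload leaving toward a destination that is not a known peer.
        if src in policy and not _in_any(dst, policy[src]["peers"]):
            sent = int(r["orig_bytes"] or 0)
            if sent > egress_threshold:
                findings.append({"uid": r["uid"], "type": "bulk-egress-to-non-peer",
                                 "src": src, "dst": dst, "bytes": sent})
    return findings


if __name__ == "__main__":
    for f in audit_dtn_flows(parse_conn_log(SAMPLE_CONN_LOG), DTN_POLICY, EGRESS_BYTES_THRESHOLD):
        print(f)
```

Run against a live conn.log this is a periodic batch check; the same logic belongs in a Bro script for real-time notices, but the batch form is easier to reason about when tuning the whitelist and the byte threshold. The S0 state on the flagged inbound connection is what a SYN dropped by the host firewall looks like from the tap, so that finding confirms the default deny is working while still recording who knocked.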
Intermediate - Add Intrusion Detection
[Diagram: Science DMZ with I1 and I2 links, Open DTN Host, HPC DTN Host, DTN Local Storage, Infiniband, HPCC, Intrusion Detection]
UMBC Science DMZ
- 10 Gb Internet links from MDREN in Baltimore and College Park
- 100 Gb SDN-enabled Internet2 link from College Park
[Diagram: Campus Border Routers, Open DTN Host, HPC DTN Host, DTN Local Storage, Intrusion Detection, CHMPR (IBM Cluster), Infiniband, HPCF, Cluster Storage, Campus]
Questions for the audience
- Do you have a Science DMZ?
- How do you move big research data around?
- What kind of engagement do you have with your research community?
- How do your researchers include information security in their work?
- Is this something you think IT security and researchers need more guidance on?
Questions for us?
If you have any questions, please contact:
- Damian Doyle, Director of Enterprise Infrastructure, UMBC: damian@umbc.edu
- Nick Lewis, Internet2 NET+ Program Manager, Security and Identity: nlewis@internet2.edu
Securing the Science DMZ and Research
Please remember to fill out your session evaluation!