Securing the Science DMZ Best Practices for securing an open perimeter network
Nick Buraglio Network Engineer, ESnet Lawrence Berkeley National Laboratory
FTW 14-07, Improving Data Mobility and Management for International Climate Science Boulder, CO 7/16/2014
Motivations
● You have a Science DMZ
● You need a Science DMZ
● Need to provide confidentiality, accountability and integrity
(Slides 3 to 6: Science DMZ architecture diagrams showing the IDS, flow and security data collectors and the 100G path. Science image from http://www.science.fau.edu/)
7/11/14 6
How does your existing security work?
● Perimeter Security
● Patch Scheduling
● Host integrity
● Data assurance
● Accountability
● Action
Perimeter Access Control
● Best Practice ACLs
● Block access to control plane
● Deny inbound access to known exploitable protocols
Limit exposure
● Announce only what needs to access research resources
  • Where reasonably possible, announce only research resources via science DMZ
Software Patching
● Patch Scheduling
Host-based firewalls
● Host Security - Host-based firewalls
Central Management
● Host Security - Central Management
Host IDS
● Host Security - HIDS (Host IDS)
Accountability
● User Accountability
Baselines
● Traffic graphs
● Flow Data
● Syslog (host and network)
Logging
● Log aggregation
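The Baselines and Logging slides ask for traffic graphs, flow data and aggregated syslog so that deviations stand out. The following is an added example, not code from the talk or from ESnet: it builds a per-host profile (ports seen, mean and standard deviation of bytes per flow) from constructed flow records and reports a new flow that uses an unseen port, exceeds a volume threshold, or comes from a host with no history. The record layout, the sample values, the port numbers and the 3-sigma threshold are all assumptions; the fallback for a host with a single sample (where the standard deviation is zero) is handled explicitly.

```python
"""Traffic baseline and deviation check over flow records.

Added example for the Baselines and Logging slides; it is not code from
the talk or from ESnet. The record layout (host, peer, dst_port, bytes),
the sample values and the 3-sigma threshold are all constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, as a collector might export them for DMZ hosts:
# (local_host, remote_peer, destination_port, bytes_transferred).
# Peers use RFC 5737 documentation addresses; port values are assumed.
BASELINE_FLOWS = [
    ("dtn1", "198.51.100.10", 2811, 40_000_000_000),
    ("dtn1", "198.51.100.11", 2811, 45_000_000_000),
    ("dtn1", "198.51.100.12", 443, 50_000_000_000),
    ("dtn1", "198.51.100.13", 2811, 55_000_000_000),
    ("dtn1", "198.51.100.14", 443, 60_000_000_000),
    ("dtn2", "198.51.100.20", 2811, 30_000_000_000),   # one sample only: std dev is zero
]


def build_baseline(flows):
    """Per-host profile: the set of destination ports seen and volume statistics."""
    by_host = defaultdict(lambda: {"ports": set(), "bytes": []})
    for host, _peer, dport, nbytes in flows:
        by_host[host]["ports"].add(dport)
        by_host[host]["bytes"].append(nbytes)
    baseline = {}
    for host, d in by_host.items():
        baseline[host] = {
            "ports": frozenset(d["ports"]),
            "mean": mean(d["bytes"]),
            "std": pstdev(d["bytes"]),   # population std dev; 0.0 for a single sample
            "samples": len(d["bytes"]),
        }
    return baseline


def check_flow(baseline, flow, sigma=3.0):
    """Return a list of findings for one new flow; an empty list means it fits the baseline."""
    host, peer, dport, nbytes = flow
    prof = baseline.get(host)
    if prof is None:
        return [f"unknown-host host={host} peer={peer}"]
    findings = []
    if dport not in prof["ports"]:
        findings.append(f"new-port host={host} peer={peer} dport={dport}")
    # With too little history the std dev is 0; fall back to "twice the mean" so the
    # check still fires instead of alerting on every byte above the single sample.
    if prof["std"] > 0:
        limit = prof["mean"] + sigma * prof["std"]
    else:
        limit = 2 * prof["mean"]
    if nbytes > limit:
        findings.append(f"volume-high host={host} peer={peer} bytes={nbytes} limit={limit:.0f}")
    return findings


BASELINE = build_baseline(BASELINE_FLOWS)

if __name__ == "__main__":
    new_flows = [
        ("dtn1", "203.0.113.9", 2811, 200_000_000_000),   # known port, 4x the normal volume
        ("dtn1", "203.0.113.9", 22, 10_000_000_000),      # port never seen from this host
        ("web9", "203.0.113.9", 80, 1_000),               # host not in the baseline at all
    ]
    for f in new_flows:
        for finding in check_flow(BASELINE, f):
            print(finding)
```

In practice the baseline would be rebuilt from a week or more of collector data and the findings fed to the same aggregation point as syslog, so that a "new-port" on a data transfer node can be correlated with host firewall and HIDS events from the same host.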
Confidentiality
● Use secure protocols whenever possible
● Utilize MD5 and other data verification mechanisms
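Data verification, as the Confidentiality slide lists it, means publishing a digest for every file so the receiving site can prove the transfer arrived intact. The following is an added example, not code from the talk or from ESnet: it writes an md5sum-style manifest, verifies it by streaming each file through the chosen hash, and reports a corrupted and a missing file. The manifest layout (an optional `# algorithm:` header above `<hexdigest>  <name>` lines) and the sample files are constructed. MD5 is enough to catch accidental corruption in transit, which is what this check is for; where the concern is an adversary substituting data, SHA-256 should be used because MD5 is not collision-resistant, and the example therefore defaults to SHA-256 while still accepting MD5 manifests.

```python
"""Checksum manifests for verifying transferred datasets.

Added example for the Confidentiality slide; not code from the talk or ESnet.
The manifest layout (an optional '# algorithm:' header followed by md5sum-style
'<hexdigest>  <name>' lines) and the sample files are constructed assumptions.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so multi-terabyte files are never loaded whole


def digest_file(path, algo="sha256"):
    """Hex digest of a file, streamed in chunks. 'algo' is any name hashlib accepts."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(directory, names, algo="sha256"):
    """Build manifest text for the named files under 'directory'."""
    lines = [f"# algorithm: {algo}"]
    for name in sorted(names):
        lines.append(f"{digest_file(Path(directory) / name, algo)}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return (algorithm, {name: hexdigest}). A header-less file is treated as md5sum output."""
    algo, entries = "md5", {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# algorithm:"):
            algo = line.split(":", 1)[1].strip()
            continue
        digest, sep, name = line.partition("  ")   # md5sum separates digest and name by two spaces
        if not sep or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return algo, entries


def verify_manifest(text, directory):
    """Check every manifest entry against the files on disk: OK, FAILED or MISSING."""
    algo, entries = parse_manifest(text)
    results = {}
    for name, expected in entries.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = digest_file(path, algo)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo(algo="sha256"):
    """Write two constructed files, verify them, then corrupt one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a.dat").write_bytes(b"climate model output, run 1\n" * 1000)
        (Path(d) / "b.dat").write_bytes(b"climate model output, run 2\n" * 1000)
        manifest = write_manifest(d, ["a.dat", "b.dat"], algo)
        before = verify_manifest(manifest, d)
        with open(Path(d) / "a.dat", "r+b") as f:   # flip a single bit in a.dat
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0x01]))
        os.remove(Path(d) / "b.dat")
        after = verify_manifest(manifest, d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest itself should travel over one of the secure protocols the same slide calls for, or be signed; a digest that an attacker can rewrite alongside the data verifies nothing.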
Heavy Lifting
● Intrusion detection system
External scanning services
● Vulnerability scanning
Action
● Dynamic black hole routing
● BGP FlowSpec (RFC 5575)
● Community feeds (Bogons, etc.)
Action – Black Hole Routing
● Dynamic black hole routing
● Community BGP feeds (Bogons, etc.)
(Slide 22: architecture diagram with the IDS, flow and security data collectors and a black hole router)
Action – BGP FlowSpec
● Dynamic black hole routing
● Dissemination of rules via BGP NLRI
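The three Action slides combine two sources of black hole entries: a community feed such as a bogon list, and dynamic entries added as the IDS or flow analysis flags a remote host. Whether the result is installed as discard routes or as BGP FlowSpec rules, the part that needs care is the assembly step, because a bad feed line or an over-broad dynamic entry can null-route the site's own research prefixes. The following is an added example, not code from the talk or from ESnet: it parses a constructed feed, merges constructed dynamic requests, rejects anything that overlaps the site's announced prefixes or is broader than a host route, collapses the survivors, and renders them in a vendor-neutral form. The feed contents, dynamic entries and protected prefixes are all made up; the host-route requirement for dynamic entries is an assumption, not something the slides prescribe. It covers IPv6 as well, as the IPv6 slide asks.

```python
"""Assemble a black hole route list from a community feed plus dynamic entries.

Added example for the Action / Black Hole Routing / BGP FlowSpec slides; it is
not code from the talk or from ESnet. The feed contents, the dynamic entries
and the protected prefixes are constructed; requiring dynamic entries to be host
routes (/32, /128) is an assumption, not something the slides prescribe.
"""
import ipaddress

# Constructed feed in the style of a bogon list: one prefix per line, '#' comments.
# The 198.51.100.0/22 line is deliberately wrong: it covers our own research space.
SAMPLE_FEED = """\
# constructed bogon-style feed (not a real feed)
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
198.51.100.0/22
::/8
"""

# Assumed: prefixes the site announces for research resources via the Science DMZ.
# Nothing inside these may ever be black-holed by automation.
PROTECTED = ["198.51.100.0/24", "2001:db8:100::/48"]

# Constructed dynamic requests, e.g. raised by the IDS for hosts that scanned the DMZ.
DYNAMIC = [
    "203.0.113.7/32",        # fine: single host outside protected space
    "203.0.113.0/24",        # rejected: broader than a host route
    "198.51.100.5/32",       # rejected: one of our own DTNs
    "2001:db8:200::1/128",   # fine: IPv6 host route
]


def load_feed(text):
    """Parse feed text into ip_network objects, ignoring blanks and comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_blackhole_set(feed, dynamic, protected, min_dynamic_len=(32, 128)):
    """Return (accepted, rejected) where rejected is a list of (network, reason).

    Feed entries are taken as-is unless they overlap a protected prefix; dynamic
    entries must additionally be host routes. Accepted entries are collapsed so
    a covered prefix is not installed twice.
    """
    prot = [ipaddress.ip_network(p) for p in protected]

    def overlaps_protected(net):
        return any(net.version == p.version and net.overlaps(p) for p in prot)

    accepted, rejected = [], []
    for net in feed:
        if overlaps_protected(net):
            rejected.append((net, "feed entry overlaps a protected prefix"))
        else:
            accepted.append(net)
    for raw in dynamic:
        net = ipaddress.ip_network(raw, strict=False)
        min_len = min_dynamic_len[0] if net.version == 4 else min_dynamic_len[1]
        if net.prefixlen < min_len:
            rejected.append((net, f"dynamic entry shorter than /{min_len}"))
        elif overlaps_protected(net):
            rejected.append((net, "dynamic entry inside a protected prefix"))
        else:
            accepted.append(net)
    v4 = [n for n in accepted if n.version == 4]
    v6 = [n for n in accepted if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return collapsed, rejected


def render_routes(nets, community="65535:666"):
    """Vendor-neutral rendering; 65535:666 is the BLACKHOLE community defined in RFC 7999."""
    return [f"{n}  next-hop discard  community {community}" for n in nets]


ACCEPTED, REJECTED = build_blackhole_set(load_feed(SAMPLE_FEED), DYNAMIC, PROTECTED)

if __name__ == "__main__":
    for line in render_routes(ACCEPTED):
        print("install ", line)
    for net, why in REJECTED:
        print("reject  ", net, "-", why)
```

The rejected list is worth logging to the same aggregation point as everything else: a feed that suddenly starts covering your own space is itself an event an operator wants to see.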
IPv6
● Don’t forget IPv6
Notable mentions
● SDN
Collaboration
● Multiple groups working together
Useful tools and Links
● http://fasterdata.es.net/science-dmz/science-dmz-security/
● http://www.bro-ids.org
Example Checklist
● Announce only research resources
● Filter access to network, storage and management hardware
● Utilize host based firewalls
● Employ central host management
● Centralize logging and flow data collection
● Create baselines for traffic and activity
● Deploy and tune IDS
● Filter with black hole routing
● Make use of regularly scheduled external vulnerability scanning
Questions?