Collaborative Research: CICI: Secure and Resilient Architecture: S3D: A New SDN-Based Security Framework for the Science DMZ

合作研究：CICI：安全和弹性架构：S3D：用于科学 DMZ 的新的基于 SDN 的安全框架

• 批准号: 1642150
• 负责人: Phillip Porras
• 金额: $ 34.98万
• 依托单位: SRI International
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-11-01 至 2020-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1642150&HistoricalAwards=false
• 关键词: Collaborative; Research; CICI; Secure; Resilient

The Science DMZ (SDMZ) is a key foundational element in building state-of-the-art scientific research infrastructure. The SDMZ is a portion of the network, built at the campus or laboratory's edge, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or enterprise computing. SDMZs are increasingly being implemented by research agencies, campuses and national labs. In order to improve the throughput of scientific research data, NSF has funded many Science DMZ implementations on campuses by upgrading research network connectivity and encouraging installation of a SDMZ. However, the SDMZ has characteristics that separate it as a unique ecosystem which cannot simply adopt existing enterprise and cloud based network security technologies and policies. This project designs and prototypes an integrated Software Defined Network (SDN) security framework for managing data-intensive science applications utilizing the Science DMZ (SDMZ) model. It offers one of the first demonstrations of how fine-grained security controls can co-exist within a high performance data-intensive network. This project produces significant advancements in the trustworthiness and reliability of large-scale data-intensive scientific research infrastructures.This project evaluates the current state of the SDMZ security architecture, then identifies the current shortcomings in its existing security services. The new proposed framework: 1) defines fine-grained network flow controls using dynamically deployable security services that are migratable and science-application aware; 2) defines a new class of network privilege management policies that can revoke or divert flows that violate SDMZ policies or that differ from user-defined, application-specific usage expectations; 3) establishes high-performance virtual circuits that enable data intensive applications to register and fast-path their authenticated flows across the SDMZ. Furthermore, this project introduces a unified security policy engine to dramatically simplify the control of the above three services. The policy engine offers a valuable and user-friendly abstraction to meet the domain-specific needs of the SDMZ.

科学非军事区（SDMZ）是建设最先进的科学研究基础设施的关键基础要素。SDMZ是网络的一部分，建立在校园或实验室的边缘，其设计使得设备、配置和安全策略针对高性能科学应用而不是通用业务系统或企业计算进行优化。SDMZ越来越多地由研究机构、校园和国家实验室实施。为了提高科学研究数据的吞吐量，NSF通过升级研究网络连接和鼓励安装SDMZ，资助了许多校园科学DMZ的实施。然而，SDMZ具有独特的生态系统特征，不能简单地采用现有的基于企业和云的网络安全技术和策略。该项目设计和原型集成的软件定义网络（SDN）的安全框架，用于管理数据密集型科学应用程序利用科学DMZ（SDMZ）模型。它首次演示了细粒度安全控制如何在高性能数据密集型网络中共存。该项目在大规模数据密集型科研基础设施的可信性和可靠性方面取得了重大进展。该项目评估了SDMZ安全架构的现状，然后确定了其现有安全服务的当前缺陷。新的拟议框架：1）使用可迁移和科学应用感知的可动态部署的安全服务来定义细粒度的网络流控制; 2）定义一类新的网络权限管理策略，其可以撤销或转移违反SDMZ策略或不同于用户定义的特定于应用的使用期望的流; 3）建立高性能虚拟电路，使数据密集型应用程序能够在SDMZ上注册和快速通过其认证流。此外，该项目还引入了一个统一的安全策略引擎，大大简化了对上述三个服务的控制。策略引擎提供了一个有价值的、用户友好的抽象，以满足SDMZ的特定于域的需求。