Collaborative Research: CICI: Secure and Resilient Architecture: SciGuard: Building a Security Architecture for Science DMZ Based on SDN and NFV Technologies

As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a standard cyberinfrastructure requirement. To meet this requirement, an increasingly large number of university campuses have deployed Science DMZs. A Science DMZ is a portion of the network, built at or near the edge of the campus or laboratory's network, that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose computing.

This project develops a secure and resilient architecture called SciGuard that addresses the security challenges and the inherent weaknesses in Science DMZs. SciGuard is based on two emerging networking paradigms, Software-Defined Networking (SDN) and Network Function Virtualization (NFV), both of which enable the granularity, flexibility and elasticity needed to secure Science DMZs.

Two core security functions, an SDN firewall application and a virtual Intrusion Detection System (IDS), coexist in SciGuard for protecting Science DMZs. The SDN firewall application is a software-based, in-line security function running atop the SDN controller. It can scale well without bypassing the firewall using per-flow/per-connection network traffic processing.

It is also separated from the institutional hardware-based firewalls to enforce tailored security policies for the science-only traffic sent to Science DMZs. The virtual IDS is an NFV-based, passive security function, which can be quickly instantiated and elastically scaled to deal with attack traffic variations in Science DMZs, while significantly reducing both equipment and operational costs.

In addition to these functions, the researchers also design a cloud-based federation mechanism for SciGuard to support security policy automatic testing and security intelligence sharing. The new mechanisms developed in this project are robust, scalable, low cost, easily managed, and optimally provisioned, therefore substantially enhancing the security of Science DMZs.

This research encourages the diversity of students involved in the project by active recruitment of women and other underrepresented groups for participation in the project. The project has substantial involvement of graduate students in research, and trains promising undergraduate students in the implementation and experiments of the proposed approach.

Moreover, the project enhances academic curricula by integrating the research findings into new and existing courses.