
NSF Org: |
OAC Office of Advanced Cyberinfrastructure (OAC) |
Recipient: |
|
Initial Amendment Date: | August 18, 2016 |
Latest Amendment Date: | August 18, 2016 |
Award Number: | 1642150 |
Award Instrument: | Standard Grant |
Program Manager: | Rob Beverly, OAC Office of Advanced Cyberinfrastructure (OAC), CSE Directorate for Computer and Information Science and Engineering |
Start Date: | November 1, 2016 |
End Date: | October 31, 2020 (Estimated) |
Total Intended Award Amount: | $349,798.00 |
Total Awarded Amount to Date: | $349,798.00 |
Funds Obligated to Date: |
|
History of Investigator: |
|
Recipient Sponsored Research Office: |
333 RAVENSWOOD AVE MENLO PARK CA US 94025-3493 (609)734-2285 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
333 Ravenswood Avenue Menlo Park CA US 94025-3493 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): | Cybersecurity Innovation |
Primary Program Source: |
|
Program Reference Code(s): | |
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
The Science DMZ (SDMZ) is a key foundational element in building state-of-the-art scientific research infrastructure. The SDMZ is a portion of the network, built at the campus or laboratory's edge, whose equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or enterprise computing. SDMZs are increasingly being implemented by research agencies, campuses, and national labs. To improve the throughput of scientific research data, NSF has funded many Science DMZ implementations on campuses by upgrading research network connectivity and encouraging installation of an SDMZ. However, the SDMZ has characteristics that make it a unique ecosystem, one that cannot simply adopt existing enterprise and cloud-based network security technologies and policies. This project designs and prototypes an integrated Software Defined Network (SDN) security framework for managing data-intensive science applications that use the Science DMZ (SDMZ) model. It offers one of the first demonstrations of how fine-grained security controls can co-exist with a high-performance, data-intensive network. This project produces significant advancements in the trustworthiness and reliability of large-scale, data-intensive scientific research infrastructures.
This project evaluates the current state of the SDMZ security architecture, then identifies the shortcomings in its existing security services. The proposed framework: 1) defines fine-grained network flow controls using dynamically deployable security services that are migratable and science-application aware; 2) defines a new class of network privilege management policies that can revoke or divert flows that violate SDMZ policies or that differ from user-defined, application-specific usage expectations; 3) establishes high-performance virtual circuits that enable data-intensive applications to register and fast-path their authenticated flows across the SDMZ. Furthermore, this project introduces a unified security policy engine to dramatically simplify the control of the above three services. The policy engine offers a valuable and user-friendly abstraction to meet the domain-specific needs of the SDMZ.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Our project, entitled S3D, examined methods to increase the trustworthiness and reliability of the NSF-sponsored Science DMZ. The Science DMZ (SDMZ) is a special-purpose network architecture proposed by ESnet (Energy Sciences Network) to facilitate distributed science experimentation on terabyte- (or petabyte-) scale data, exchanged over ultra-high-bandwidth WAN links. Critical security challenges faced by these networks include: (i) network monitoring at high bandwidths, (ii) reconciling site-specific policies with project-level policies for conflict-free policy enforcement, (iii) dealing with geographically distributed datasets with varying levels of sensitivity, and (iv) dynamically enforcing appropriate security rules. To address these challenges, we developed a fine-grained, data-flow-based security enforcement system, called CoordiNetZ (CNZ), which provides coordinated situational awareness, i.e., the use of context-aware tagging for policy enforcement using the dynamic contextual information derived from hosts and network elements. We also developed tag- and IP-based security microservices that incur minimal overhead in enforcing security on data flows exchanged across geographically distributed SDMZ sites.
The CoordiNetZ framework facilitates advancements in cross-domain security enforcement by providing a dataflow-based policy framework with the necessary tools for policy specification, deconfliction, and tag-based enforcement. CoordiNetZ helps bridge a critical gap between applied security research and science experiments on real, near-production infrastructure at scale, maximizing the benefits of SDN. This is achieved in CoordiNetZ by extracting the necessary contextual information from the host systems at the granularity of process-specific details pertaining to file and network I/O, and distributing it to the network through SDN and CNZ Controller entities for enforcement as tag-based policies. Our initial security microservices specific to SDMZ networks, such as the spoof-protection, tag-based filtering, and connection-tracking modules, performed within 92-99% of line-rate throughput. Our project produced a reference prototype Secure SDMZ framework to stimulate additional research specifically in enhancing the security of the SDMZ network and other data-intensive, high-performance network infrastructures.
Last Modified: 10/31/2020
Modified by: Phillip A Porras