Securing Ultra-High-Bandwidth Science DMZ Networks with Coordinated Situational Awareness

Vasudevan Nagendra, V. Yegneswaran, Phillip A. Porras
Venue: Proceedings of the 16th ACM Workshop on Hot Topics in Networks
Published: 2017-11-30
DOI: 10.1145/3152434.3152460 (https://doi.org/10.1145/3152434.3152460)
Citations: 8

Abstract

The Science DMZ (SDMZ) is a special purpose network infrastructure that is engineered to cater to the ultra-high bandwidth needs of the scientific and high performance computing (HPC) communities. These networks are isolated from stateful security devices such as firewalls and deep packet inspection (DPI) engines to allow HPC data transfer nodes (DTNs) to efficiently transfer petabytes of data without associated bandwidth and performance bottlenecks. This paper presents our ongoing effort toward the development of more fine-grained data flow access control policies to manage SDMZ networks that service large-scale experiments with varying data sensitivity levels and privacy constraints. We present a novel system, called CoordiNetZ (CNZ), that provides coordinated security monitoring and policy enforcement for sites participating in SDMZ projects by using an intent-based policy framework for effectively capturing the high-level policy intents of non-admin SDMZ project users (e.g., scientists, researchers, students). Central to our solution is the notion of coordinated situational awareness that is extracted from the synthesis of context derived from SDMZ host DTN applications and the network substrate. To realize this vision, we present a specialized process-monitoring system and flow-monitoring tool that facilitate context-aware data-flow intervention and policy enforcement in ultra-highspeed data transfer environments. We evaluate our prototype implementation using case studies that highlight the utility of our framework and demonstrate how security policy could be effectively specified and implemented within and across SDMZ networks.