Coordinated dataflow protection for ultra-high bandwidth science networks

ACSAC '19 research article (public access). DOI: 10.1145/3359789.3359843
Published: 09 December 2019

Abstract

The Science DMZ (SDMZ) is a special-purpose network architecture proposed by ESnet (the Energy Sciences Network) to facilitate distributed science experimentation on terabyte- (or petabyte-) scale data exchanged over ultra-high-bandwidth WAN links. Critical security challenges faced by these networks include: (i) network monitoring at high bandwidths, (ii) reconciling site-specific policies with project-level policies for conflict-free policy enforcement, (iii) dealing with geographically distributed datasets with varying levels of sensitivity, and (iv) dynamically enforcing the appropriate security rules. To address these challenges, we develop a fine-grained, dataflow-based security enforcement system, CoordiNetZ (CNZ), that provides coordinated situational awareness: context-aware tagging for policy enforcement, driven by dynamic contextual information derived from hosts and network elements. We also develop tag- and IP-based security microservices that incur minimal overhead in enforcing security on data flows exchanged across geographically distributed SDMZ sites. We evaluate our prototype implementation across two geographically distributed SDMZ sites with SDN-based case studies and performance measurements, which respectively highlight the utility of our framework and demonstrate efficient enforcement of security policies across distributed SDMZ networks.
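The abstract names two mechanisms CNZ builds on: tagging flows with context reported by hosts and network elements, and reconciling project-level with site-level policies so that enforcement is conflict-free. The Python sketch below is an added example written for this page, not CoordiNetZ code or its API. The tag vocabulary, the rule format, the precedence order (an explicit allow is required, any matching deny wins, a matching monitor otherwise mirrors the flow to the IDS) and every endpoint and rule are constructed assumptions chosen to show how a reconciliation step can surface overlapping rules before a flow is admitted.

```python
"""Illustrative tag-based dataflow policy engine for a multi-site Science DMZ.
Added example, not CoordiNetZ code: rule names, the tag vocabulary, the
precedence order and all sample data are assumptions made for this sketch."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Context a host agent reports for one end of a flow (constructed fields)."""
    ip: str
    site: str
    user: str
    process: str
    sensitivity: str  # classification of the dataset being read: public | internal | restricted


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str             # "project" or "site"
    match: FrozenSet[str]  # every tag must be present on the flow for the rule to apply
    action: str            # allow | monitor | deny


def derive_tags(flow: Flow) -> FrozenSet[str]:
    """Context-aware tagging: fold host and network context into key:value tags."""
    tags = {
        f"src_site:{flow.src.site}",
        f"dst_site:{flow.dst.site}",
        f"sensitivity:{flow.src.sensitivity}",
        f"proc:{flow.src.process}",
        f"user:{flow.src.user}",
        f"dport:{flow.dst_port}",
    }
    if flow.src.site != flow.dst.site:
        tags.add("cross_site:yes")
    return frozenset(tags)


def compatible(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """Two match sets can apply to the same flow unless they demand
    different values for the same tag key."""
    seen = {}
    for tag in a | b:
        key, _, value = tag.partition(":")
        if seen.setdefault(key, value) != value:
            return False
    return True


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Report rule pairs that can both match one flow yet disagree on the action,
    so the operator sees where precedence, not intent, will decide."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action and compatible(a.match, b.match):
                out.append((a.name, b.name))
    return out


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, List[str]]:
    """Enforcement: a flow is forwarded only if some rule explicitly allows it;
    any matching deny wins; otherwise a matching monitor mirrors it to the IDS."""
    tags = derive_tags(flow)
    hits = [r for r in rules if r.match <= tags]
    names = [r.name for r in hits]
    actions = {r.action for r in hits}
    if "deny" in actions or "allow" not in actions:
        return "deny", names
    return ("monitor" if "monitor" in actions else "allow"), names


# Constructed sample policy: project rules apply at every site, site rules only tighten.
PROJECT_RULES = [
    Rule("proj-allow-public-gridftp", "project",
         frozenset({"proc:gridftp", "cross_site:yes", "sensitivity:public"}), "allow"),
    Rule("proj-deny-restricted-xsite", "project",
         frozenset({"sensitivity:restricted", "cross_site:yes"}), "deny"),
]
SITE_B_RULES = [
    Rule("siteB-monitor-inbound", "site", frozenset({"dst_site:B"}), "monitor"),
]
ALL_RULES = PROJECT_RULES + SITE_B_RULES

# Constructed sample data-transfer nodes at two sites; 2811 is the GridFTP control port.
DTN_A_PUBLIC = Endpoint("10.1.0.5", "A", "alice", "gridftp", "public")
DTN_A_RESTRICTED = Endpoint("10.1.0.6", "A", "alice", "gridftp", "restricted")
DTN_B = Endpoint("10.2.0.9", "B", "svc", "gridftp", "public")

if __name__ == "__main__":
    for label, flow in [("public", Flow(DTN_A_PUBLIC, DTN_B, 2811)),
                        ("restricted", Flow(DTN_A_RESTRICTED, DTN_B, 2811))]:
        print(label, decide(ALL_RULES, flow))
    print("overlapping rules:", find_conflicts(ALL_RULES))
```

Running the module prints the decision for a public and a restricted GridFTP transfer from site A to site B, then the two rule pairs that can overlap. `find_conflicts` reports the allow/monitor pair on purpose: that overlap is usually intended (the site monitors what the project allows), but listing it lets the site operator confirm the precedence instead of discovering it in production. The public-allow and restricted-deny rules are not reported because no single flow can carry both sensitivity tags, which is the check that keeps the combined policy conflict-free without inspecting every flow.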


Cited by

  • Network Traffic as a Federated Testbed Service. 2022 IEEE Future Networks World Forum (FNWF), pp. 450-455, October 2022. DOI: 10.1109/FNWF55208.2022.00086
  • ThunderSecure: deploying real-time intrusion detection for 100G research networks by leveraging stream-based features and one-class classification network. International Journal of Information Security 21(4):799-812, 16 March 2022. DOI: 10.1007/s10207-022-00584-9

Published In

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference
December 2019
821 pages
ISBN:9781450376280
DOI:10.1145/3359789
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. NFV
  2. SDN
  3. big data security
  4. distributed systems security
  5. network security
  6. software-defined programmable security
  7. usability and human-centric aspects of security

Conference

ACSAC '19: 2019 Annual Computer Security Applications Conference
December 9 - 13, 2019
San Juan, Puerto Rico

Acceptance Rates

ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;
Overall Acceptance Rate 104 of 497 submissions, 21%
