Aug 2016: The Science DMZ as a Security Architecture

The Science DMZ architecture proposes a novel method of design for network segments optimized for large­ scale data transfer (LSDT) functionality. LSDT has special requirements, both in the security and functional arenas. Attempts to incorporate LSDT functionality into a more traditional perimeter security model can cause problems both with LSDT functionality, as well as weaken overall campus security. The Science DMZ attempts to solve this problem by segmenting the LSDT function away from the traditional campus security perimeter. However, insufficient attention has been paid thus far as to how the Science DMZ fits into a larger strategy of risk­-based segmentation and functional maximization of campus networks.

This presentation examines typical risk­ and control­-based security approaches and proposes a framework in which the Science DMZ, combined with a larger segmentation approach, actually improves the security of valuable campus information assets, while still maximizing LSDT function and security. It concludes with some examples as to how the security of the research enterprise can be vastly improved with a Science DMZ deployment that is carefully aligned with a segmentation strategy.

This talk is presented by Energy Science Network's (ESnet) Michael Sinatra.