Apr 2018: Toward Security-Managed Virtual Science Networks
Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S. This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon). Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.
Next, we outline a software framework to address security issues arising in these virtual science networks. We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV). As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs. We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.
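As an added illustration of the prefix-ownership check the abstract mentions, the block below implements RFC 6811-style route origin validation in plain Python; it is example code written for this page, not code from the talk, from SAFE, or from ExoGENI, and it uses a procedural check rather than SAFE's logic language. The ROA table, AS numbers and prefixes are constructed sample values (documentation ranges), and `permit_peering` is an assumed policy, not one stated in the talk.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: who may originate a prefix, and how specific it may be."""
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific prefix the AS is allowed to originate
    asn: int          # authorised origin AS


# Constructed sample ROA table (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),      # AS64500 may announce exactly the /24
    ROA("198.51.100.0/24", 26, 64501),   # AS64501 may announce the /24 down to /26
]


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers the announced prefix (same address family)."""
    net = ip_network(announced)
    return [r for r in roas
            if ip_network(r.prefix).version == net.version
            and net.subnet_of(ip_network(r.prefix))]


def validate_origin(roas, announced, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the prefix, so ownership cannot be decided.
    valid:    a covering ROA names this origin AS and permits this prefix length.
    invalid:  ROAs cover the prefix but none authorise this origin/length pair.
    """
    net = ip_network(announced)
    covering = covering_roas(roas, announced)
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def permit_peering(roas, announced, origin_asn):
    """Assumed edge-peering policy: accept only prefixes whose origin is cryptographically
    attested as valid; 'notfound' is refused so unregistered prefixes cannot enter the slice."""
    return validate_origin(roas, announced, origin_asn) == "valid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500), ("203.0.113.0/24", 64500)]:
        print(prefix, asn, validate_origin(SAMPLE_ROAS, prefix, asn), permit_peering(SAMPLE_ROAS, prefix, asn))
```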
This material is based upon work supported by the National Science Foundation under Grant Nos. ACI-1642140, ACI-1642142, CNS-1330659, and CNS-1243315, and through the Global Environment for Network Innovations (GENI) program. Any opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect the views of the NSF.
Speaker Bios:
Jeffrey S. Chase is a Professor of Computer Science at Duke University. He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle). He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management. He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.
Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill. He received his PhD in Computer Science from Purdue University in 2007. He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.