Risk Analysis
One of the key components of Science DMZ security that many folks overlook is the limitation of the set of applications which are installed on systems in the Science DMZ.
- In order to have a capability in computing or networking, one must permit the tools which provide that capability to run. In a network security context that typically means that the packet filtering policy is such that the traffic associated with the tools which provide the necessary capability is permitted by the packet filtering policy. So, for example, if we're going to run a Globus DTN, then our packet filtering policy must allow the traffic associated with the Globus application to pass to and from the DTN.
- Commercial firewalls typically do not provide any application-layer intelligence for data transfer applications. Therefore, commercial firewalls provide little to no security advantage over layer 3/4 ACLs when implementing a packet filtering policy to defend a DTN in a Science DMZ. Note well that the Science DMZ does not imply a default-allow ACL policy. In fact, the segmentation of DTN services away from other enterprise services makes it easier to implement default-deny policies on both the enterprise application segments and the Science DMZ segment; such tight policies can better maximize both network function and security at the same time.
- Enterprise applications are where the bulk of today's security threat space is. Therefore, it is critical that an organization defend the systems which run enterprise applications with the proper tools. Commercial firewalls *do* provide application-layer intelligence for many enterprise applications (web, email, document readers, etc). So, most organizations deploy commercial firewalls to defend their enterprise applications and the machines that run them.
- By limiting the set of applications which run in the Science DMZ to the set of applications for which commercial firewalls provide no value over ACLs, we can significantly reduce the risks associated with moving DTNs to a place in the network where they can actually perform as required (and therefore actually serve the science mission of the research institution in an effective way). However, this means that the policy which governs the set of applications installed on the DTN is part of the security policy for the Science DMZ.
- it's important to note that by separating and segmenting DTNs into their own security perimeter, the security of other enterprise applications and services can actually be improved. Because the DTN service has a very different risk profile, removing it from the enterprise path allows for much tighter security controls to be applied to firewalls and ACLs protecting the enterprise side, since no holes need to be poked into enterprise firewalls for DTN services like Globus. In this respect, the Science DMZ is a security architecture, plain and simple. It allows for better segmentation of services, which is increasingly being identified as a critical security control.