Science DMZ Security - Firewalls vs. Router ACLs
Summary
It is our suggestion that firewalls not be used to protect Science DMZs, because of the negative impact they have on performance; instead, router ACLs and other security best practices should be used. This may seem a controversial statement, so we explain our stance in the remainder of this page.
The defense of information systems is an essential function of a modern enterprise. This is true whether the information systems are used for human resources and other business applications, scientific discovery, or any other function. One of the great workhorses of network security is the stateful firewall appliance, and firewalls work well for standard business applications - this is the primary purpose for which they are designed. However, many scientific applications require very high network performance - not just in link speed, but in throughput delivered to the application.
One great advantage of the Science DMZ model is that it allows network and security architects to optimize the tools and technologies employed in the defense of science-critical systems. In the Science DMZ model, ACLs are used to defend high-performance scientific applications, and institutional or departmental firewalls are used to defend business and end-user systems - just as they are today. Since ACLs are usually implemented in the router's forwarding hardware, they typically do not compromise the performance of high-performance applications.
Security for a data-intensive science environment located on the Science DMZ can be tailored to the data transfer systems on the Science DMZ. These hosts typically run a well-defined and limited set of special-purpose applications rather than the usual array of user applications. Since the Science DMZ resources are assumed to interact with external systems and are isolated from, or have carefully managed access to, internal systems, the security policy for the Science DMZ is tailored to these functions rather than to protecting the interior of the general site LAN.
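To make the ACL-based approach described above concrete, here is an added example (not from the original page) of a stateless extended ACL in Cisco IOS syntax applied inbound on a Science DMZ uplink. The DTN address (192.0.2.10), the collaborator network (198.51.100.0/24), the management network (203.0.113.0/24) and the GridFTP data-channel port range (50000-51000) are all assumptions using RFC 5737 documentation addresses; only the GridFTP control port (2811) is a standard value.

```cisco
! Assumed addresses: RFC 5737 documentation ranges, not real hosts.
ip access-list extended SCIENCE-DMZ-IN
 remark --- GridFTP control channel from the collaborator site to the DTN
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 2811
 remark --- GridFTP data channels (assumed port range configured on the DTN)
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 range 50000 51000
 remark --- Return traffic for transfers the DTN initiates outbound.
 remark --- A router ACL keeps no connection state, so "established"
 remark --- (ACK or RST set) stands in for the firewall's state table.
 permit tcp any host 192.0.2.10 established
 remark --- SSH only from the management network
 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.10 eq 22
 remark --- ICMP needed for path MTU discovery and basic troubleshooting
 permit icmp any host 192.0.2.10 packet-too-big
 permit icmp any host 192.0.2.10 time-exceeded
 permit icmp any host 192.0.2.10 unreachable
 permit icmp any host 192.0.2.10 echo
 permit icmp any host 192.0.2.10 echo-reply
 remark --- Everything else is dropped. Logged packets are punted to the
 remark --- route processor, so keep this as a sampled/rate-limited log
 remark --- or rely on flow export rather than per-packet logging.
 deny ip any any log
!
interface TenGigabitEthernet0/0/0
 description Science DMZ uplink (assumed interface name)
 ip access-group SCIENCE-DMZ-IN in
```

Because the ACL is evaluated in the router's forwarding hardware, adding these entries does not reduce the throughput the DTN can deliver, which is the point the page makes about ACLs versus stateful firewalls.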
While new high-end firewalls such as the Cisco 4245, PA 7500, and Fortinet 4801 can all handle 100G flows at line rate, all of these can easily cost over $1M. In the case of a Science DMZ, this is money much better spent elsewhere.