Best Practices for Science DMZ Security

We suggest for performance reasons you do not deploy a firewall or other device that can impact your data speeds. Instead of a firewall, depending on a risk analysis of the data on your DTNs, we recommend that you deploy some or all of the following on your Science DMZ:

• Router ACLs that only allow traffic to necessary ports and subnets to the DTNs.
• Host port control, via software such as IPTables.  Examples can be found here. 
• Network Intrusion Detection System (NIDS)
• Host Intrusion Detection System (HIDS)
• IDS triggered black hole routing for mitigation (triggered from both network and host IDS)
• Central syslog collector for hosts in the Science DMZ
• Flow Data collection for accountability (e.g.:Netflow, IPFIX, sFlow)
  • Analysis of flow data (e.g.: SiLK, flow-tools)
• SNMP collection for monitoring utilization