Best Practices for Science DMZ Security
For performance reasons, we suggest that you not deploy a firewall or any other inline device that can limit your data transfer rates. Instead of a firewall, and depending on a risk analysis of the data held on your DTNs (Data Transfer Nodes), we recommend that you deploy some or all of the following in your Science DMZ:
- Router ACLs that allow traffic to the DTNs only from the necessary subnets and only to the necessary ports.
- Host port control via host firewall software such as iptables. Examples can be found here.
- Network Intrusion Detection System (NIDS)
- Host Intrusion Detection System (HIDS)
- IDS-triggered black hole routing for mitigation (triggered by both the network IDS and the host IDS)
- Central syslog collector for the hosts in the Science DMZ
- Flow data collection for accountability (e.g. NetFlow, IPFIX, sFlow)
- Analysis of flow data (e.g. SiLK, flow-tools)
- SNMP collection for monitoring utilization
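The first two items (router ACLs and host port control) and the flow-analysis items share one thing: an explicit allow-list of who may reach which DTN ports. The script below is an added example, not ESnet's code or anything from the original page. It holds one such allow-list for a single DTN, renders it as an iptables-restore ruleset for host port control, audits constructed flow records against the same list, and emits a null route per offending source as the host-side analogue of the IDS-triggered black hole routing in the list. The DTN address, the subnets, the GridFTP port range and the flow records are all assumptions chosen for illustration.

```python
"""Allow-list policy for a Science DMZ DTN: render host (iptables) rules from it
and audit flow records against it.  Added example; not ESnet's code.  Every
address, port and flow record below is a constructed assumption."""
import ipaddress
from collections import namedtuple

# Hypothetical DTN and policy.  Each rule: (source network, protocol, first port, last port).
DTN_ADDR = "192.0.2.10"  # assumed DTN address (RFC 5737 documentation range)
POLICY = [
    ("203.0.113.0/24", "tcp", 22, 22),          # SSH from the campus management subnet
    ("198.51.100.0/24", "tcp", 2811, 2811),     # GridFTP control channel from a partner site
    ("198.51.100.0/24", "tcp", 50000, 51000),   # GridFTP data channels from that same site
]

Flow = namedtuple("Flow", "src dst proto dport bytes")

# Constructed records, roughly what a SiLK or IPFIX query for traffic to the DTN returns.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", DTN_ADDR, "tcp", 2811, 4096),              # control channel: allowed
    Flow("198.51.100.20", DTN_ADDR, "tcp", 50210, 8_000_000_000),    # data channel: allowed
    Flow("203.0.113.5", DTN_ADDR, "tcp", 22, 12000),                 # admin SSH: allowed
    Flow("198.51.100.77", DTN_ADDR, "tcp", 22, 900),                 # SSH from the partner net: not allowed
    Flow("192.0.2.200", DTN_ADDR, "udp", 161, 300),                  # SNMP poll from an unlisted host: not allowed
    Flow("203.0.113.5", "192.0.2.11", "tcp", 22, 500),               # a different host; not audited here
]


def policy_allows(src, proto, dport, policy=POLICY):
    """True if a packet from src to the DTN on proto/dport is permitted by the policy."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) and proto == p and lo <= dport <= hi
               for net, p, lo, hi in policy)


def render_iptables(dtn_addr=DTN_ADDR, policy=POLICY):
    """Produce an iptables-restore ruleset implementing the policy as host port control:
    default DROP on INPUT, loopback and return traffic allowed, one ACCEPT per entry,
    and a rate-limited LOG of drops so the central syslog collector sees them.
    Load it on the DTN with `iptables-restore < rules.txt`."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # Return traffic for transfers the DTN itself initiated.  This is per-host
        # connection tracking; size nf_conntrack_max for the expected number of
        # concurrent flows or the kernel will start dropping new connections.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmp -j ACCEPT",  # keep path MTU discovery and ping working
    ]
    for net, proto, lo, hi in policy:
        ports = str(lo) if lo == hi else f"{lo}:{hi}"
        lines.append(f"-A INPUT -s {net} -d {dtn_addr} -p {proto} --dport {ports} -j ACCEPT")
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DTN-DROP: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def audit_flows(flows, dtn_addr=DTN_ADDR, policy=POLICY):
    """Return the flows addressed to the DTN that the policy does not permit.
    Depending on where flow export is taken, these are probes the router ACL
    should have dropped or evidence that the ACL is incomplete; either way
    they are the flows a flow-analysis job should surface."""
    return [f for f in flows
            if f.dst == dtn_addr and not policy_allows(f.src, f.proto, f.dport, policy)]


def blackhole_commands(flows, **kw):
    """One null route per offending source: a host-side stand-in for the
    IDS-triggered black hole routing the list recommends (the production
    version would be pushed to the router, e.g. via RTBH)."""
    srcs = sorted({f.src for f in audit_flows(flows, **kw)}, key=ipaddress.ip_address)
    return [f"ip route add blackhole {s}/32" for s in srcs]


if __name__ == "__main__":
    print(render_iptables())
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"policy violation: {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.bytes} bytes)")
    print("\n".join(blackhole_commands(SAMPLE_FLOWS)))
```

Keeping the allow-list in one place and deriving both the host rules and the audit from it is the point: when the router ACL, the iptables rules and the flow query are maintained separately they drift, and the SNMP poll from an unlisted collector in the sample data is exactly the kind of gap that drift produces.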