Network Security & Assurance

Securing Petabytes at 100Gbps+: High-Performance Defense Without Throughput Loss.

The 100Gbps Security Paradox

In HPC, you need to move petabytes of data at extreme speeds (open pipes) while blocking sophisticated threats (inspection). Traditional Next-Gen Firewalls fail because Deep Packet Inspection (DPI) introduces latency that crushes scientific throughput. Our strategy secures the network by separating data flows from management planes.

1. The Science DMZ Architecture

The Science DMZ acknowledges that scientific data flows cannot be treated like standard web traffic. It creates a dedicated path for high-volume transfers that bypasses the enterprise firewall bottleneck.

  • Bypass: High-speed Data Transfer Nodes (DTNs) are protected by router Access Control Lists (ACLs) instead of inline DPI.
  • Hardened Nodes: DTNs run a minimal set of services and are heavily monitored.

The "Clean Pipe" Benefit

By moving heavy science traffic to the DMZ, the standard enterprise firewall performs better for office tasks, while research data moves at wire speed.

2. Securing the "Invisible" Fabric

P_Key Partitioning (VLANs for InfiniBand)

High-speed fabrics like InfiniBand are often assumed to be safe because they are internal. However, a compromised node can use RDMA to attack other nodes' memory directly, bypassing the OS kernel.

We implement Partition Keys (P_Keys) via the Subnet Manager (OpenSM) to isolate jobs. Job A cannot communicate with Job B at the fabric level, ensuring true multi-tenant security.
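The P_Key policy above is only as good as the partitions.conf that OpenSM loads, and the control matrix later on this page asks for that isolation to be verified, not just configured. The following script is an added example, not vendor or OpenSM code: it parses a partitions.conf in OpenSM's documented grammar and flags the three mistakes that silently defeat tenant isolation (two partitions sharing a P_Key, one port GUID placed in more than one tenant partition, and a non-management port holding full membership in the Default partition). The sample file, the GUIDs and the management-host set are constructed for the illustration.

```python
"""Check an OpenSM partitions.conf for tenant-isolation mistakes.

Added example (not vendor or OpenSM code). The file format follows the
OpenSM partitions.conf grammar; the policy checks and sample data are
assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample: a management partition plus two tenant job partitions.
# The GUIDs are made up; note that 0x0002c903000a1002 appears in BOTH jobs.
SAMPLE_PARTITIONS_CONF = """\
# Default partition: everything limited, only the management host is full
Default=0x7fff, ipoib, defmember=limited : ALL=limited, 0x0002c903000a0001=full;
JobA=0x0001, defmember=full : 0x0002c903000a1001=full, 0x0002c903000a1002=full;
JobB=0x0002, defmember=full : 0x0002c903000a2001=full, 0x0002c903000a1002=full;
"""

MANAGEMENT_GUIDS = {"0x0002c903000a0001"}  # assumed subnet-manager host


def parse_partitions_conf(text):
    """Return {name: {"pkey": int, "defmember": str, "members": {target: mode}}}.

    Each statement is '<name>=<pkey>[,flags...] : <target>[=full|limited], ... ;'
    where a target is a port GUID or one of the ALL/ALL_CAS/SELF keywords.
    """
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    partitions = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        lhs, _, rhs = stmt.partition(":")
        fields = [f.strip() for f in lhs.split(",")]
        name, _, pkey = fields[0].partition("=")
        name = name.strip() or pkey.strip()
        defmember = "full"  # assumed OpenSM default when defmember is absent; check your version
        for flag in fields[1:]:
            if flag.startswith("defmember="):
                defmember = flag.split("=", 1)[1].strip()
        members = {}
        for entry in rhs.split(","):
            entry = entry.strip()
            if not entry:
                continue
            target, _, mode = entry.partition("=")
            members[target.strip().lower()] = mode.strip() or defmember
        partitions[name] = {
            "pkey": int(pkey.strip(), 16) & 0x7FFF,  # drop the membership bit
            "defmember": defmember,
            "members": members,
        }
    return partitions


def check_isolation(partitions, management_guids):
    """Return human-readable findings; an empty list means the policy holds."""
    findings = []
    # 1. Two partitions with the same P_Key are really one partition.
    by_pkey = defaultdict(list)
    for name, part in partitions.items():
        by_pkey[part["pkey"]].append(name)
    for pkey, names in by_pkey.items():
        if len(names) > 1:
            findings.append(f"P_Key 0x{pkey:04x} is shared by {sorted(names)}")
    # 2. A port in two tenant partitions can relay traffic between them.
    guid_to_parts = defaultdict(set)
    for name, part in partitions.items():
        if name == "Default":
            continue
        for target in part["members"]:
            if target.startswith("0x"):
                guid_to_parts[target].add(name)
    for guid, names in guid_to_parts.items():
        if len(names) > 1:
            findings.append(f"{guid} is a member of several tenant partitions {sorted(names)}")
    # 3. In the Default partition only management ports may be full members;
    #    limited members can talk to full members but not to each other.
    default = partitions.get("Default")
    if default is None:
        findings.append("no Default partition defined")
    else:
        for target, mode in default["members"].items():
            if mode == "full" and target not in management_guids:
                findings.append(f"Default partition grants full membership to {target}")
    return findings


if __name__ == "__main__":
    parts = parse_partitions_conf(SAMPLE_PARTITIONS_CONF)
    for finding in check_isolation(parts, MANAGEMENT_GUIDS) or ["isolation policy holds"]:
        print(finding)
```

Run it against the live file on the subnet-manager host as part of the daily verification job; the sample reports the port GUID that was mistakenly added to both JobA and JobB, which is exactly the overlap that would let one tenant reach another over RDMA.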

3. High-Speed Intrusion Detection

Optical Taps

We use passive optical taps to split light from 100Gbps links, sending copies to monitoring stacks without adding a single nanosecond of latency to the primary path.

Behavioral Analysis with Zeek

We use Zeek (formerly Bro) clusters to analyze connection metadata. We look for behavioral anomalies: "Why is this DTN initiating an SSH connection on port 443?"
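The question above is answerable from Zeek's conn.log alone, because Zeek labels each connection with the protocol it actually detected rather than trusting the port. The script below is an added example, not vendor or Zeek code: it parses a conn.log in Zeek's TSV format and applies two policy rules to connections that a DTN originates, first that a detected service sits on its expected port, and second that a DTN only acts as a client toward internal hosts or approved transfer peers. The DTN addresses, the internal range, the peer list and the log lines are constructed for the illustration.

```python
"""Flag behavioural anomalies for DTNs in a Zeek conn.log.

Added example (not vendor or Zeek code). The DTN addresses, approved peers
and the log lines below are constructed for illustration.
"""
import ipaddress

# Constructed conn.log excerpt in Zeek's TSV format (tab-separated).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1700000000.1\tCAAA1\t10.10.0.5\t44321\t203.0.113.10\t443\ttcp\tssh\tSF",
    "1700000001.2\tCAAA2\t198.51.100.20\t50000\t10.10.0.5\t2811\ttcp\t-\tSF",
    "1700000002.3\tCAAA3\t10.10.0.5\t44322\t203.0.113.11\t443\ttcp\tssl\tSF",
    "1700000003.4\tCAAA4\t10.10.0.6\t55555\t10.10.0.7\t22\ttcp\tssh\tSF",
    "#close\t2023-11-14-22-13-24",
])

DTNS = {"10.10.0.5", "10.10.0.6"}                 # assumed DTN addresses
INTERNAL = ipaddress.ip_network("10.10.0.0/24")  # assumed campus range
TRANSFER_PEERS = {"198.51.100.20"}               # assumed approved remote DTNs
# Ports on which Zeek's protocol detection is expected to see each service.
STANDARD_PORTS = {"ssh": {22}, "ssl": {443}, "http": {80}, "dns": {53}}


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # separator/types/close headers and blank lines
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_dtn_anomalies(records):
    """Return (uid, reason) pairs for DTN-originated connections that break policy."""
    findings = []
    for rec in records:
        orig, resp = rec["id.orig_h"], rec["id.resp_h"]
        if orig not in DTNS:
            continue  # inbound transfers are judged elsewhere; this is about DTNs as clients
        port, service = int(rec["id.resp_p"]), rec["service"]
        # Rule 1: a known protocol on an unexpected port (e.g. SSH carried over 443).
        if service in STANDARD_PORTS and port not in STANDARD_PORTS[service]:
            findings.append((rec["uid"], f"{service} detected on port {port}"))
        # Rule 2: a DTN acting as client to a host that is neither internal nor an approved peer.
        if ipaddress.ip_address(resp) not in INTERNAL and resp not in TRANSFER_PEERS:
            findings.append((rec["uid"], f"outbound connection to unapproved host {resp}:{port}"))
    return findings


if __name__ == "__main__":
    for uid, reason in find_dtn_anomalies(parse_zeek_tsv(SAMPLE_CONN_LOG)):
        print(uid, reason)
```

On the sample, CAAA1 trips both rules (SSH on 443 to an unknown external host), CAAA3 trips only the second (HTTPS from a DTN to a host that is not a transfer peer), and the inbound GridFTP transfer and the internal SSH session pass. In a Zeek cluster the same logic belongs in a script on the manager so the notice is raised in real time; the offline version here is convenient for tuning the allowlists against historical logs.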

Network Assurance Control Matrix

Layer        | Assurance Action                                       | Control Tool
-------------|--------------------------------------------------------|-------------------------------
Edge Router  | Verify ACLs drop bogons and malicious subnets.         | Border ACLs / Cymru feeds
Fabric (IB)  | Verify P_Key isolation is active and enforced.         | OpenSM partitions.conf
Management   | Isolate IPMI/BMC ports on a non-routable OOB network.  | Dedicated OOB switch
Verification | Continuous external Nmap and throughput testing.       | perfSONAR / Nmap

Continuous Automated Verification

Daily Nmap Scans

We run automated scans from external IP addresses against your public range and alert on any unauthorized open ports or service changes.
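A daily scan is only useful if its result is compared against an approved baseline rather than read by hand. The script below is an added example, not vendor or Nmap code: it parses the XML that Nmap writes with -oX, collects the open ports per host, and reports both directions of drift, a port that is open but not approved and an approved service that is no longer reachable (which is often the first sign of a bad ACL change). The baseline and the XML document are constructed for the illustration.

```python
"""Compare an Nmap XML scan of the public range against an approved baseline.

Added example (not vendor or Nmap code). The baseline and the XML below are
constructed; in practice the XML comes from a scheduled run such as
'nmap -sS -p- -oX scan.xml <public range>' executed from an external vantage point.
"""
import xml.etree.ElementTree as ET

# Approved services per public host (assumed): host -> {(protocol, port)}
BASELINE = {
    "203.0.113.5": {("tcp", 443), ("tcp", 2811)},  # DTN: HTTPS + GridFTP control
    "203.0.113.6": {("tcp", 443)},
}

# Constructed Nmap XML in the shape of real -oX output (attributes trimmed).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="203.0.113.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="2811"><state state="open"/><service name="gsiftp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/></port>
    </ports>
  </host>
  <host><address addr="203.0.113.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {address: {(protocol, port)}} for every port Nmap reports as open."""
    open_ports = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        open_ports[addr] = ports
    return open_ports


def diff_against_baseline(baseline, observed):
    """Return (host, protocol, port, reason) for every deviation from the baseline."""
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        expected = baseline.get(host, set())
        seen = observed.get(host, set())
        for proto, port in sorted(seen - expected):
            findings.append((host, proto, port, "unexpected open port"))
        for proto, port in sorted(expected - seen):
            findings.append((host, proto, port, "approved service no longer reachable"))
    return findings


if __name__ == "__main__":
    for finding in diff_against_baseline(BASELINE, parse_open_ports(SAMPLE_NMAP_XML)):
        print(*finding)
```

Keep the baseline under version control next to the ACL definitions so that a change to one forces a review of the other; any non-empty output from the job should page the on-call engineer.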

PerfSONAR Monitoring

We monitor throughput metrics continuously; a sudden drop often indicates a DDoS attack or a misconfigured firewall rule dropping packets.
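Turning "a sudden drop" into an alert needs two decisions: what the baseline is, and how many bad samples it takes to page someone. The detector below is an added example, not vendor or perfSONAR code. It keeps a median of recent healthy throughput samples as the baseline, excludes degraded samples from that baseline so an outage cannot mask itself, and raises one alert only when the drop persists for a configurable number of consecutive tests, which filters the single slow run that a busy remote test host produces. The record shape (a timestamp and a throughput value in bits per second) and the hourly series are assumptions constructed for the illustration.

```python
"""Detect sustained throughput drops in perfSONAR-style test results.

Added example (not vendor or perfSONAR code). The record shape (timestamp plus
throughput in bits per second) and the sample series are assumptions; the
detector itself is a plain median-baseline comparison.
"""
from collections import deque
from statistics import median

# Constructed hourly throughput samples, bits/s: healthy ~93 Gbps, then a
# three-hour collapse to ~40 Gbps, then recovery.
SAMPLE_RESULTS = [
    {"ts": 1700000000 + i * 3600, "val": gbps * 1e9}
    for i, gbps in enumerate([92, 94, 91, 95, 93, 92, 40, 38, 39, 93])
]


def detect_throughput_drops(results, window=5, ratio=0.5, min_consecutive=2):
    """Return one alert per sustained drop.

    The baseline is the median of the last `window` healthy samples (degraded
    samples are excluded so an outage does not drag its own baseline down).
    A sample is degraded when it falls below `ratio` * baseline; an alert is
    raised once `min_consecutive` degraded samples occur in a row, which
    suppresses one-off noisy tests.
    """
    healthy = deque(maxlen=window)
    alerts, streak, first_bad = [], 0, None
    for rec in results:
        ts, val = rec["ts"], rec["val"]
        if len(healthy) < window:
            healthy.append(val)  # not enough history to judge yet
            continue
        baseline = median(healthy)
        if val < ratio * baseline:
            streak += 1
            first_bad = first_bad if streak > 1 else ts
            if streak == min_consecutive:
                alerts.append({"start_ts": first_bad, "alert_ts": ts,
                               "baseline_bps": baseline, "observed_bps": val})
        else:
            streak, first_bad = 0, None
            healthy.append(val)
    return alerts


if __name__ == "__main__":
    for alert in detect_throughput_drops(SAMPLE_RESULTS):
        print(f"throughput fell to {alert['observed_bps']/1e9:.0f} Gbps "
              f"(baseline {alert['baseline_bps']/1e9:.0f} Gbps) from ts {alert['start_ts']}")
```

On the sample series the first 40 Gbps result is held, the second confirms the drop and raises a single alert carrying the baseline, the observed value and the timestamp at which degradation began; the recovery sample rejoins the baseline without a second alert. Correlate the alert time with firewall and ACL change logs first, since a rule pushed at the same minute is the cheaper explanation before a DDoS investigation.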

Secure Your Fabric Today

Download our "Science DMZ Design Guide" to learn how to build a 100Gbps secure research network.

Download Network Security Guide (.docx)