Trusted CI Webinar: Automated Building and Deploy Testing — Using Zeek as an example, Monday July 22nd @ 11am Eastern

ESnet's Michael Dopheide is presenting the talk, Automated Building and Deploy Testing — Using Zeek as an example, on July 22nd at 11am Eastern time.

Please register here.

At ESnet, we pride ourselves on being cutting-edge, even if it causes a few scratches. Every new branch of Zeek is automatically built and tested in Gitlab CI. Then, every night, the latest successful 'master' build is deployed, along with all of our packages and scripts, to a test system via Ansible. As time permits, we roll out the latest build, in production, to over 40 servers.

 

Through this process we've both been able to provide early feedback to the Zeek project about potential bugs and give ourselves an early warning system when changes impact our production plugins and scripts.

Zeek is an open source network security monitoring tool.  This does not focus on the use of Zeek itself, but rather the care and feeding of our installation footprint.

Speaker Bio: Michael “Dop” Dopheide has spent the majority of his career working in the R&E community specializing in systems engineering, security research, incident response, and network intrusion detection. He especially enjoys helping coworkers debug problems at the packet and protocol levels. In addition to his operational security role, Dop helps support the open source Zeek community and volunteers every year to beta test the SANS Holiday Hack challenge.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Trusted CI Webinar April 23rd at 11am ET: Toward Security-Managed Virtual Science Networks

Duke University's Jeff Chase and RENCI's Paul Ruth are presenting the talk, "Toward Security-Managed Virtual Science Networks" on April 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S.   This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon).    Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.

Next, we outline a software framework to address security issues arising in these virtual science networks.   We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV).   As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs.  We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.

This material is based upon work supported by the National Science Foundation under Grants No. (ACI-1642140, ACI-1642142, CNS-1330659, CNS-1243315) and through the Global Environment for Network Innovations (GENI) program.  Any opinions, findings, and conclusions or recommendations do not necessarily reflect the views of NSF.

Jeffrey S. Chase is a Professor of Computer Science at Duke University.  He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle).    He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management.   He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.

Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill.  He received his PhD in Computer Science from Purdue University in 2007.  He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Open Science Cyber Risk Profile Published

In a culmination of efforts, the Center for Trustworthy Scientific Cyberinfrastructure, the NSF Cybersecurity Center of Excellence, and the Department  of Energy’s Energy Sciences Network (ESnet), along with research and education community leaders have published version 1.2 of the Open Science Cyber Risk Profile (OSCRP) -- a living document designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. A PDF of the OSCRP can be found at https://scholarworks.iu.edu/dspace/handle/2022/21259.

CCoE Webinar Jan. 23rd 11am EST: Open Science Cyber Risk Profile

Our first webinar for the year will be a team presentation on the Open Science Cyber Risk Profile (OSCRP), on January 23rd at 11am (EST) by Von Welch and Sean Peisert.

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file. 

The Open Science Cyber Risk Profile (OSCRP) is a joint project of the Center for Trustworthy Scientific Cyberinfrastructure, the NSF Cybersecurity Center of Excellence, and the Department of Energy’s Energy Sciences Network (ESnet). Over the course of 2016, the CTSC and ESnet organized a working group of research and education community leaders to develop a risk profile for open science. The risk profile is a categorization of scientific assets and their common risks to science to greatly expedite risk management for open science projects and improve their cybersecurity. The working group released the a draft of the OSCRP for public comment in late 2016.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

 

Other upcoming webinar(s) of potential interest

• XSEDE Science Gateway webinar on January 11th at 1pm EST. 
• Topic: An overview of SGCI services, see original post for more information
•  NSF's WATCH webcast on August 18th at 12pm EDT
• Topic: Mapping Interconnection Connectivity and Congestion, see event page for more information

Working Group on Open Science Cybersecurity Risks Releases First Document Draft for Public Comment

Over the past several months, ESnet and the NSF Cybersecurity Center of Excellence collaborated with research and education community leaders to develop a risk profile for open science to formally capture and benchmark this expertise, allowing other organizations to apply these best practices more broadly.

Today, the group is releasing its draft Open Science Cyber Risk Profile (OSCRP) and inviting comment from the research community. The OSCRP is designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The draft document, along with information on how to comment, can be found at http://trustedci.github.io/OSCRP/.

Managing the security risks to scientific instruments, data and cyberinfrastructure is a priority   for creating a trustworthy environment for science. Assessing, understanding and managing concerns of open science to explicitly capture risks to its integrity and availability, and sometimes also privacy issues, involves making judgments on the likelihood and consequences of risks. Deep experience in understanding cybersecurity and the science being supported is needed to achieve these goals.

The group invites comments on the document prior to final publication in early 2017.  Longer-term, the document is intended to be a living, community document, being updated as open science computing evolves, and also as new approaches to security arise.  

About the OSCRP Working Group

Organized by Sean Peisert and Michael Dopheide from ESnet, and Von Welch and Andrew Adams from the NSF Cybersecurity Center of Excellence, the working group consists of: RuthAnne Bevier (Caltech), Rich LeDuc (Northwestern), Pascal Meunier (HUBzero), Stephen Schwab (USC Information Sciences Institute) and Karen Stocks (Scripps Institution of Oceanography), Ilkay Altintas (San Diego Supercomputer Center), James Cuff (Harvard), Reagan Moore (iRods), and Warren Raquel (NCSA/UIUC). To follow the activities of the working group, please follow http://blog.trustedci.org/.

About the NSF Cybersecurity Center of Excellence • trustedci.org  

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is funded as the National Science Foundation’s Cybersecurity Center of Excellence. The mission of CTSC is to improve the cybersecurity of NSF science and engineering projects, allowing those projects to focus on their science endeavors. This mission is accomplished through one-on-one engagements with projects to address their specific challenges; education, outreach, and training to raise the state of security practice across the scientific enterprise; and leadership on bringing the best and most relevant cybersecurity research to bear on the NSF cyberinfrastructure research community.

About ESnet • www.es.net

The Energy Sciences Network (ESnet) is an international, high-performance, unclassified network built to support scientific research. Funded by the U.S. Department of Energy’s Office of Science (SC) and managed by Lawrence Berkeley National Laboratory, ESnet provides services to more than 40 DOE research sites, including the entire National Laboratory system, its supercomputing facilities, and its major scientific instruments. ESnet also connects to over 140 research and commercial networks, permitting DOE-funded scientists to collaborate productively with partners around the world.

CCoE Webinar August 22nd 11am EDT: The Science DMZ as a Security Architecture

Energy Science Network's (ESnet) Michael Sinatra will be presenting the webinar, "The Science DMZ as a Security Architecture," on August 22nd at 11am (EDT). This webinar is an encore presentation of a talk that Sinatra will be presenting at the NSF Cybersecurity Summit earlier in the month. If you are unable to attend the summit, here is your opportunity to see one of the talks.

Please register here.

The Science DMZ architecture proposes a novel method of design for network segments optimized for large­ scale data transfer (LSDT) functionality. LSDT has special requirements, both in the security and functional arenas. Attempts to incorporate LSDT functionality into a more traditional perimeter security model can cause problems both with LSDT functionality, as well as weaken overall campus security. The Science DMZ attempts to solve this problem by segmenting the LSDT function away from the traditional campus security perimeter. However, insufficient attention has been paid thus far as to how the Science DMZ fits into a larger strategy of risk­-based segmentation and functional maximization of campus networks.

This presentation examines typical risk­ and control­-based security approaches and proposes a framework in which the Science DMZ, combined with a larger segmentation approach, actually improves the security of valuable campus information assets, while still maximizing LSDT function and security. It concludes with some examples as to how the security of the research enterprise can be vastly improved with a Science DMZ deployment that is carefully aligned with a segmentation strategy.

More information about this presentation and speaker bio are on the event page.

Presentations will be recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

NSF Cybersecurity Center of Excellence, ESnet Organize Working Group on Open Science Threats

Managing the security risks to scientific instruments, data and cyberinfrastructure is a priority for creating a trustworthy environment for science. Assessing and managing the risks to the integrity and availability of science, and sometimes also privacy issues, involves making judgments on the likelihood and consequences of threats. Deep experience in understanding  cybersecurity and the science being supported is needed to achieve these goals. As a result, ESnet and the NSF Cybersecurity Center of Excellence are collaborating with research and education community leaders to develop a threat profile for open science to formally capture and benchmark this expertise, allowing other organizations to apply these best practices more broadly.

“Finding the expertise and experience to do risk assessments in the context of science is difficult for many open science projects,” said Von Welch, director of the NSF Cybersecurity Center of Excellence.“  We believe this collaboration will be a valuable, and more importantly, a scalable asset for the community as they look to apply appropriate cybersecurity measures at their science facilities and institutions.”

Organized by Sean Peisert and Michael Dopheide from ESnet and Von Welch and Susan Sons from the NSF Cybersecurity Center of Excellence, a working group of nine scientists and cybersecurity leaders from across the country has been formed to tackle developing the threat profile: Ilkay Altintas (San Diego Supercomputer Center), RuthAnne Bevier (Caltech), James Cuff (Harvard), Rich LeDuc (Northwestern), Pascal Meunier (HUBzero), Reagan Moore (iRods), Stephen Schwab (USC Information Sciences Institute) and Karen Stocks (Scripps Institution of Oceanography).

“Several government and academic organizations involved in cybersecurity policy have built a solid foundation for risk management, but it still takes expert judgment to assess risks for the assets found in the open science community,” said Sean Peisert. “The goal of this effort is to provide tailored guidance to the science community on the threats to science assets and the consequences of those threats to the science mission. This information will provide a basic knowledge framework to expedite managing those threats for the wide portfolio  of open science projects.”

The need for a threat profile is a key component of the NSF solicitation which recently funded the NSF’s Cybersecurity Center of Excellence. “Cybersecurity for science is different than in many other domains. For example, integrity is as important to scientific datasets as confidentiality,” said Anita Nikolich, cybersecurity program director at the NSF's advanced cyberinfrastructure division. “Having a shared, documented understanding of these threats will be a substantial step forward for the NSF community.”

“As the Department of Energy’s network for research and collaboration, ESnet connects so many large DOE experimental and HPC facilities which are producing the datasets that researchers around the world need access to for their research,” Peisert said. “We believe it is a moral imperative to be a part of this effort so the community can have greater assurance that their data and network-connected scientific instruments are secure.”

More information about the working group can be found at http://trustedci.github.io/OSCRP/ or you can follow http://blog.trustedci.org/ for updates.

[Edited Oct 26, 2016: The WG subsequently renamed itself to the Open Science Cyber Risk Profile working group. URLs in this article have been updated to reflect that change.]

About the NSF Cybersecurity Center of Excellence • trustedci.org

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is funded as the National Science Foundation’s Cybersecurity Center of Excellence. The mission of CTSC is to improve the cybersecurity of NSF science and engineering projects, allowing those projects to focus on their science endeavors. This mission is accomplished through one-on-one engagements with projects to address their specific challenges; education, outreach, and training to raise the state of security practice across the scientific enterprise; and leadership on bringing the best and most relevant cybersecurity research to bear on the NSF cyberinfrastructure research community.

About ESnet • www.es.net

The Energy Sciences Network (ESnet) is an international, high-performance, unclassified network built to support scientific research. Funded by the U.S. Department of Energy’s Office of Science (SC) and managed by Lawrence Berkeley National Laboratory, ESnet provides services to more than 40 DOE research sites, including the entire National Laboratory system, its supercomputing facilities, and its major scientific instruments. ESnet also connects to over 140 research and commercial networks, permitting DOE-funded scientists to collaborate productively with partners around the world.