Security for Research Networks
The attacks against several supercomputers in spring 2020 have shown that hackers do not only target commercial enterprises. Scientific networks also need to be secured - after all, they contain irretrievable research data and a great deal of personal information. The European GÉANT project has a separate work package dealing with security.
The GÉANT project series aims to link national research networks and provide services for a global scientific community. The first GÉANT project to link the NRENs (National Research and Education Networks) was launched in 2000. The LRZ has accompanied GÉANT for about 15 years as a partner of DFN, the German research network. Today, GÉANT no longer deals only with networking, but also offers numerous international and pan-European services for research and education. One example is eduroam (education roaming), an almost worldwide network for WLAN use at universities. In the coverage area of the LRZ alone, almost 43,000 devices are registered daily at peak times.
Currently, the project series GÉANT 4 Phase 3 (GN4-3) is underway, which started in early 2019 and is planned to run through 2023. In addition to further improving existing services, the current project focuses on security. For this purpose, there are various initiatives in GN4-3, including:
- Trust & Identity: For the security and confidentiality of data and services, identity management and trustworthiness of all components are essential. GÉANT develops and operates services in this area in cooperation with the NRENs.
- Security Operation Center (SOC): In order to coordinate the monitoring of security-relevant incidents and alarms across NRENs and to enable faster reactions, a central SOC is to be established.
- Security Baselining: In order to harmonize the security precautions of all participating NRENs, security baselines have been defined as a deliverable in GN4-3, which formulate organizational, technological and structural measures and provide support for their implementation.
Trust & Identity is a central component within GÉANT. Uniform workflows and standards are required to link the authentication technologies of the various national research networks and industry partners. "Within the network, a distinction is made between service providers and identity providers," says Stefan Metzger, deputy departmental lead for communication networks at the LRZ. If a user of the LRZ accesses a resource of an external service provider, the authentication of the user takes place via the LRZ as identity provider. No local account at the service provider is necessary for the user. The mechanisms of federated identity management (FIM) are realized by a central metadata service and the interaction of service and identity providers based on it.
In addition, the procedure must mediate between two different authentication methods: On the one hand, universities usually prefer SAML (Security Assertion Markup Language), an XML framework for the exchange of authentication and authorization data. On the other hand, the decentralized authentication system OpenID Connect for web-based services is widely used in industry.
Secure authentication alone is of course not enough to make networks secure. There are also numerous technical and organizational measures. Besides the obligatory standards like firewalls to protect the networks against denial of service attacks, vulnerability management plays a major role in GN4-3. Here, a Europe-wide service is being established to check systems for vulnerabilities. "In vulnerability scans, the external view of the systems, the 'attack surface', plays a major role," says Metzger. "If the infrastructure operators do this completely themselves, this perspective of a potential attacker is usually lost. These are important questions that need to be decided: Which technologies will be used? When and how long should scans be performed? And where are the scanners ideally placed?" A similar approach is also being planned for the central monitoring of infrastructures in the form of a Europe-wide Security Operations Center (SOC). Metzger welcomes this step: "It would be good if, in addition to the Network Operation Center, there were also a SOC that would be responsible for monitoring, alerting and the like on a European, NREN-wide level."
But one thing is clear: technologies alone do not make networks and infrastructures secure. Security is to a large extent also a question of organizations and the people involved. To structure the multitude of security approaches, the project team has developed a security guide. It describes the minimum standards that an NREN should meet in any case. These are graded according to three levels of maturity - depending on the size of an NREN and the criticality of the services provided. The security baseline comprises the areas "Policy", "People", "Threats" and "Operations".
With GN4-3, the security efforts within the project series have been significantly expanded. New approaches like the SOC are not only interesting within the project, but also for the operation of the LRZ and the operation of the universities and colleges in Bavaria. "Ideally, research and operation should cross-fertilise each other," explains Metzger. "A SOC that works in productive operation would also be an enrichment for the LRZ and its customers."
Read on about the details in GÉANT's Security Baseline for NRENs.