On Evolving Network Security for a Research and Enterprise Network

SC15 security technology racks with help from Dell,
Gigamon, Reservoir Labs, Splunk, and Verisign.

With more than 12,000 researchers, students, professionals, and vendors attending the conference on high performance computing, networking, storage and analysis conference, better known as SC, SC’s internet, SCinet, has to be at the forefront of network security research and implementations to stay ahead of the game on viruses, trojans, denial of service and other forms of compromise.

As the backbone of data communications for SC, SCinet supports high-bandwidth demos, HPC workshops, classrooms, and thousands of conference attendees accessing the network at any given point. With network traffic from the exhibit floor, wireless and external network traffic, there are many opportunities for the network to be compromised. SCinet’s Network Security team works to develop novel strategies to protect the integrity of the network.

“The Network Security team has transitioned from using signatures to detect single instances of malicious activity in the network to performing behavioral analytics, which track the overall patterns of security threats,” says Jeff Boote, Technical Staff at Sandia National Laboratories and co-lead for the SCinet Network Security team. “We started using these security algorithms to detect malicious hosts on the network about 2-3 years ago to be more proactive and evolve with the security trends.”

Resevoir Labs staff on SCinet. 

One reason for major changes in the current security strategy is the dramatic increase in network traffic at the conference. Carrie Gates, Chief Security Scientist at Dell Research and Co-lead for the Network Security team, estimates that the amount of traffic that they monitor is two to three orders of magnitude greater than the monitored traffic three years ago.

“We went from 2 10-gigabit taps (20-gigabit aggregate) in 2011, to 31 taps with 580-gigabit aggregate in 2015. With an expected 5000 simultaneous hosts on the Wi-Fi alone, on an open network that is only up for one to two weeks, the Network Security team must find novel ways to prevent malicious activity on the network,” says Gates.

Working with vendors and partners, the SCinet team integrates the technologies to monitor for harmful network traffic, detect and prevent compromised systems, and mitigate the effects of compromised systems.

Over the last three years, SCinet has used Gigamon to help monitor and secure its network operation centers and Internet access gateway. Gigamon acts as a type of mirror, allowing the Network Security team to peer into network traffic and observe a copy of the activity going through the gateway.  This traffic is being analyzed by technologies such as the Dell Firewall Sandwich, which provides high-speed deep packet inspection for malicious security events.

SCinet also serves as a research testbed for the network security.

“Back in 2000, the intrusion detection system, Bro, was being developed by Berkeley Lab and ICSI. SCinet was used as a place to test their technology on a network that is both production and research oriented,” says Gates. “It’s a balance here. SCinet provides the protection grade security of a full production network, while at same time working with technology experts who want to test new features. We’re able to provide both on SCinet. We provide production level network security while allowing for research innovation.”

One SCinet partner, Reservoir Labs, began as a SCinet Sandbox (now called Network Research Exhibition) project and is now an integral part of security architecture. Reservoir uses Bro technology under the covers to both log and analyze activity on the network.  Like Bro, Reservoir used SCinet to test the high-speed analysis features of their product while also providing production-level stability and results.

While SCinet has done behavior-based analysis of security data within a research context for more than a decade, these techniques are becoming ever more popular in day-to-day network operations. To fulfill that role in 2015, SCinet is using Splunk to aggregate the security events from Gigamon, Reservoir, and Dell SonicWALL, along with intelligence data from Verisign’s iDefense, to look for suspicious behaviors in network traffic.

This year, SCinet has over $5,000,000 in vendor loaned technology for network security.

The SC15 SCinet Network Operating Center brining in 1.62 Terabits per second
of network bandwidth.

We want to thank all the vendors and researchers over the years for engaging with SCinet and allowing us to explore the boundaries of security technologies. We look forward to seeing you at SC16!