UNM Science DMZ. Sean Taylor, Senior Network Engineer.

Overview
- Why Research Specific Networks?
- Production Network/ScienceDMZ Design Basics
- ScienceDMZ Components
- Tools Used
- UNM CC*IIE Grant/Researcher Requirements
- UNM Design

Possibilities??

Design Considerations
1. Type of R&E traffic: TCP-based, microburst traffic that can quickly consume the entire available bandwidth.
   a. Subject to TCP global synchronization.
2. TCP traffic needs deep buffers on ports when congestion occurs.
3. No commercially available security devices can sit in-path at line-rate processing speed.
4. Gbps backbone across the continental US.
5. The general rule of thumb is that you need 50 ms of line-rate output queue buffer for a 10G port, so there should be around 60 MB of buffer. UNM infrastructure has 256 MB or 153 MB depending on model.
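The 50 ms rule of thumb worked through for several port speeds, as an added example that is not part of the presentation; it assumes the quoted 256 MB and 153 MB figures are buffer available to a single congested port, counted in decimal megabytes:

```shell
#!/usr/bin/env bash
# Added example (not from the presentation): apply the "50 ms of line-rate output
# queue" rule of thumb and compare the result with the two buffer sizes quoted
# for UNM's switches (256 MB and 153 MB). Assumption: those figures are what one
# congested port can use, in decimal megabytes (1 MB = 1,000,000 bytes).

# buffer_bytes RATE_GBPS DELAY_MS
# Bytes needed to hold DELAY_MS worth of traffic at RATE_GBPS:
#   rate_gbps * 1e9 bit/s * (delay_ms / 1000) s / 8 bit/byte
#   = rate_gbps * delay_ms * 125000
buffer_bytes() {
  local rate_gbps=$1 delay_ms=$2
  echo $(( rate_gbps * delay_ms * 125000 ))
}

# buffer_ok PLATFORM_MB RATE_GBPS DELAY_MS -> "yes" if the platform buffer covers
# the rule-of-thumb requirement for that port, else "no".
buffer_ok() {
  local platform_mb=$1 rate_gbps=$2 delay_ms=$3
  local need have
  need=$(buffer_bytes "$rate_gbps" "$delay_ms")
  have=$(( platform_mb * 1000000 ))
  if [ "$have" -ge "$need" ]; then echo yes; else echo no; fi
}

# Walk the table: both UNM models against 1G, 10G, 40G and 100G ports at 50 ms.
# A 10G port needs 62.5 MB (the "around 60 MB" in the slide); a 100G port at the
# same delay needs 625 MB, which neither quoted buffer size covers.
for model_mb in 256 153; do
  for rate in 1 10 40 100; do
    printf '%3s MB buffer, %3sG port, 50 ms: need %4d MB -> %s\n' \
      "$model_mb" "$rate" $(( $(buffer_bytes "$rate" 50) / 1000000 )) \
      "$(buffer_ok "$model_mb" "$rate" 50)"
  done
done
```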

Research Network: Science DMZ
A network optimized for business is not designed for, or capable of, supporting data-intensive science.
- Universities will always need to support security features that protect organizational financial and personnel data.
- Solution: create a separate data-intensive science network, external to the university enterprise network.
- Design formalized by ESnet, based on the traditional network DMZ paradigm.

Basic Science DMZ
Science DMZ: (1) dedicated access to a high-performance WAN, (2) high-performance switching infrastructure (large buffer memory), (3) dedicated data transfer nodes.

ScienceDMZ Components
- DTNs (Data Transfer Nodes, originator/responder): high-capacity servers capable of wire-speed 10 Gbps transfer
- Globus GridFTP: application tuned for large data transfers
- Large-buffer-capable network devices to smooth TCP drops: must have 60 MB per-port buffer space; must be OpenFlow capable
- perfSONAR measurement nodes at each location
- Bro IDS (IDS versus IPS, to minimize deep packet inspection)
- Brocade SDN Controller
- Globus for researchers
- Supporting staff

Managing by Measurement
- Off-campus / on-campus data points
- Service tuning: dedicated perfSONARs in the DMZ
- Beyond UNM: connectivity to other research institutions

Globus for the User
- Easy-to-use file transfer interface
- Existing Data Transfer Nodes at UNM
- Parallel transfers via GridFTP to utilize the full 10G throughput

SDN for the DMZ
- Brocade SDN Controller
- Bro IDS
- Communication between these for automatic event-based responses

How To Secure It?
- Use Bro to monitor it out of line: an IDS, not an IPS. Requires full understanding of Bro libraries and expertise in TCP/IP stacks.
- SDN policies applied to DMZ routers: flows describe TCP/IP traffic between two hosts; the SDN controller manages these flows via OpenFlow 1.3.
- IPTables at the Data Transfer Nodes
- ACLs on router interfaces and Unix files
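One way to realise "IPTables at the Data Transfer Nodes", as an added example rather than UNM's actual configuration: since nothing sits in-path in the DMZ, the DTN's own host firewall exposes only the GridFTP control port and data-channel range and drops everything else. The management network, data-port range and log prefix are constructed assumptions; set the range to match your GLOBUS_TCP_PORT_RANGE.

```shell
#!/usr/bin/env bash
# Added example (not the UNM configuration): host firewall for a Data Transfer
# Node, emitted as an iptables-restore ruleset. Assumptions (constructed):
# management network 10.0.0.0/24, GridFTP control on 2811/tcp (the GridFTP
# default) and a data-channel range 50000-51000 matching GLOBUS_TCP_PORT_RANGE.

MGMT_NET=${MGMT_NET:-10.0.0.0/24}
GRIDFTP_CTRL=2811
DATA_PORTS=50000:51000

# dtn_ruleset prints the IPv4 ruleset; apply with:  dtn_ruleset | iptables-restore
dtn_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the DTN opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep path-MTU discovery working on the 10G path; rate-limit echo requests
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# SSH only from the management network; refused attempts are logged (rate-limited)
-A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "DTN-SSH-REFUSED: "
# GridFTP control channel and data channels: the only services open to the WAN
-A INPUT -p tcp --dport $GRIDFTP_CTRL -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $DATA_PORTS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Show the ruleset when run directly so it can be reviewed before loading.
dtn_ruleset
```

Bro still sees every flow from its out-of-line tap; this ruleset only limits what the DTN itself will answer, so the IDS and the host policy complement rather than replace each other.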

CC*IIE Grant
- NSF grant awarded to UNM
- Collaborative among researchers/IT
- Initial funding to build out the basic network
- Hope to apply for additional grants as available

UNM Design

Summary
- Why Research Specific Networks?
- Production Network/ScienceDMZ Design Basics
- ScienceDMZ Components
- Tools Used
- UNM Design

That's So Cool! When can my department or I join this network?
- This is a funding-based network that requires listed Principal Investigators and funding for installation.
- To be considered for inclusion in the round of grant funding, contact Steve Perry and Elaine Rising at