The Harvard Network: An Overview of Connectivity and Security

Presentation transcript:

The Harvard Network: An Overview of Connectivity and Security 31 Oct 2017

8/23/2018
Agenda
- Network overview
- Internet connectivity and "built-in" security features
- Firewalls and School inter-connectivity
- Medical affiliates
- Amazon Web Services and CloudShield
- Supporting research at MGHPCC
- Challenges
- Q&A
Presenter: Christian

Purpose
Brief the CIO Council on how Harvard's network "works" at a high level, including what security features are and are not included.
Presenter: Christian

Intended Outcomes
- CIOs have a high-level understanding of how Harvard's network works and how the Schools are connected to one another, the Internet and the Amazon Web Services (AWS) cloud.
- CIOs have an opportunity to ask questions and provide feedback on this topic.
Presenter: Christian

Introduction
Utilizing Internet-based technologies, Harvard University IT (HUIT) operates a network backbone that connects the Schools to:
- One another
- The Internet and Internet2
- Harvard affiliates like the Longwood Medical Area (LMA) hospitals
- HUIT datacenters and hosting facilities at 1 Summer St and 300 Bent
- Research Computing assets
This network acts as a foundational enabler for sharing research and data both within Harvard and out to other R&E institutions.
Presenter: Jefferson

What Does the Harvard Network Look Like?
Presenter: Jefferson

Well, that wasn't that useful. Try again.
Presenter: Jefferson

Logical Representation of a Campus Network
Presenter: Jefferson

That was even more useless. One more time.
Presenter: Jefferson

Overview of the Harvard Campus Network
- Border: connects Harvard to NOX, Internet, Internet2 (2x100gb); 20-30 gigabits per second of border traffic
- Core: all Schools and regions inter-connect via the Harvard Core (4x10g); plans to add 100gb in future
- Region: specific parts of campus like River, Yard, Northwest, Law, LMA (2x2x10gb); Allston will be added as a new region
- "Last Mile": Building Distribution/Uplink (mostly 2x1gb); Access (100mb or 1gb)
Presenter: Jefferson

Harvard Internet Border and Information Security Visibility
- 2 Border routers: 300 Bent, 1 Summer
- 2x100gb to NOX, an advanced networking exchange/NREN established in 1999 by Harvard, MIT and BU
- We also have 3 other Internet connections: Cogent, Level 3, CenturyLink
- Information Security visibility at each border router and AWS
Presenter: Jefferson

"Built-in" Security Features
- Bro intrusion detection system (IDS) and network traffic forensics
- Network flow data logged to Splunk for correlation and alerting
- FireEye malware detection
- BONUS: DMCA violation processing and delivery
Robust detection capabilities; very few built-in protections.
Presenter: Christian

Firewalls
- None at the Internet border, though we do coarsely block a few "ports"
- In front of the data center
- In front of our AWS presence
- Many Schools have their own
- For others, each "VLAN" (individual network) has firewall capabilities: block "Microsoft" ports (445, 3389, etc.)
Presenter: Christian
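As an added example (not from the presentation or HUIT), the following Python script shows the kind of correlation the two preceding slides imply: flow records are checked against the coarse per-VLAN port-block policy (Microsoft ports 445 and 3389 blocked at the VLAN edge, no firewall at the Internet border), and any Internet-to-campus flow on a blocked port that was forwarded rather than dropped is raised as an alert. The flow-record format, field names, internal prefixes and sample addresses are all constructed assumptions.

```python
import ipaddress

# Constructed policy: the "Microsoft" ports the slide says each VLAN blocks.
BLOCKED_PORTS = {445, 3389}
# Constructed internal prefixes (the slides mention 10.x campus networks).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records (key=value form); external hosts use the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_FLOWS = [
    "src=203.0.113.10 dst=10.1.2.3 dport=445 proto=tcp action=forward",
    "src=203.0.113.10 dst=10.1.2.3 dport=3389 proto=tcp action=drop",
    "src=10.1.2.3 dst=198.51.100.5 dport=443 proto=tcp action=forward",
    "src=10.5.5.5 dst=10.1.2.4 dport=445 proto=tcp action=forward",
    "src=198.51.100.7 dst=10.9.9.9 dport=3389 proto=tcp action=forward",
    "src=198.51.100.7 dst=10.9.9.9 dport=22 proto=tcp action=forward",
]


def is_internal(ip):
    """True if the address lies inside one of the internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one key=value flow record; dport becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def find_policy_violations(lines):
    """Return (src, dst, dport) for Internet-to-campus flows on a blocked
    port that were forwarded, i.e. the VLAN edge policy did not apply and
    an alert should be raised."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        inbound = not is_internal(f["src"]) and is_internal(f["dst"])
        if inbound and f["dport"] in BLOCKED_PORTS and f["action"] != "drop":
            alerts.append((f["src"], f["dst"], f["dport"]))
    return alerts


if __name__ == "__main__":
    for src, dst, dport in find_policy_violations(SAMPLE_FLOWS):
        print(f"ALERT: {src} -> {dst}:{dport} forwarded despite VLAN port block")
```

Campus-to-campus and outbound flows are deliberately ignored here, since the slide describes the port block as protection against the Internet rather than between internal networks.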

School Inter-connectivity: how does one School impact others?
- It depends...
- Some Schools have firewalls configured to "protect themselves" from Harvard
- Others have firewall capabilities on each individual network
- Defining exactly what is Harvard from a network perspective can be challenging. Medical affiliates?
- Just like the Internet... mostly
Presenter: Christian

LMA Net
- 2 HUIT-operated gateway ASR Routers: Gordon Hall, Dana Farber
- 2x10gb to Harvard Border; discussions underway for 40gb or 100gb
- Additional 10gb link to Harvard Core for VoIP traffic
- InfoSec taps at each border capture ingress/egress, not intra-LMA traffic
- LMA interest in aggregated and shared firewall logs via Splunk
Presenter: Jefferson

HUIT Cloud Connectivity and Cloud Shield
- HUIT has multiple 10gb Direct Connect links into AWS
- 2 Harvard Points of Presence: 1 Summer St in Boston and Equinox Datacenter in VA
- Can provide private access into AWS VPCs
- AWS public peering to S3 and other "front door" services
- CloudShield Network Security infrastructure
- Can be extended to other cloud providers in the future
Presenter: Jefferson

HUIT Cloud Connectivity and Cloud Shield
- "Next-Generation" Fortinet Firewalls: 1 virtual firewall per AWS VPC
- Inbound and outbound traffic enforcement
- Intrusion detection and prevention
- Implicit outbound web proxy
- Load balancing
- Can be extended to include other cloud providers
- Network traffic sent to the central information security complex and processed by the same tools for further intrusion detection and network forensics
Presenter: Christian

MGHPCC
- Close partnership with FAS RC on network access
- Leveraging MIT's optical network, we have 2 diverse connections to MGHPCC, 20gb in each direction
- Short path: faster, default path (2.9ms RTT)
- Long path: adds DR resiliency; increased latency due to distance (10.2ms RTT via NYC)
Presenter: Jefferson

Challenges
- Duplicate 10.x networks at HMS and HUIT infrastructure mean these networks can't easily "talk to each other" (without complex configuration)
- Students not currently meaningfully separated from faculty or staff in a scalable way from a network perspective
- Some "bleed" between what we consider HMS networks and the smaller medical affiliate networks
- Without a true firewall at the Internet border, we don't have a way to block attacks from the Internet University-wide (other than a very coarse set of filters we can apply)
- Rapidly changing landscape for security in the Cloud
- Traditional security monitoring and enforcement methods more challenging (or more expensive) at 100gb+
Presenter: Christian/Jefferson?

Questions