Brookhaven Science Associates U.S. Department of Energy 1 Network Services BNL USATLAS Tier 1 / Tier 2 Meeting John Bigrow December 14, 2005.

Presentation transcript:

Slide 1: Brookhaven Science Associates, U.S. Department of Energy, Network Services. BNL USATLAS Tier 1 / Tier 2 Meeting, John Bigrow, December 14, 2005

Slide 2: BNL LHC Overview
- Preliminary Network and Security Architecture
- IP Address space allocations
- Performance Monitoring

Slide 3: Network Security Limitations
- Current firewall architecture
  - 6 virtual 1 Gb/sec EtherChannel links to the backplane
  - Rated total throughput of 5 Gb/sec (EtherChannel overhead loss)
  - Single 1 Gb/sec flow per interface

Slide 4: Network Security Limitations (Continued)
- Current router architecture
  - Single Access Control List (ACL) per interface: 1 inbound and 1 outbound
  - Default behavior: implicit deny
  - A single ACL can become unwieldy in a complex WAN environment

Slide 5: Network Security Limitations (Continued)
    ………….
    access-list 109 deny ip host any
    access-list 109 remark Block IPs per ticket 160,729 1 Month 12/8
    access-list 109 deny ip host any
    access-list 109 deny ip host any
    access-list 109 deny ip host any
    access-list 109 deny ip host any
    access-list 109 remark ********************* Allow *************************
    access-list 109 remark permit all before implicit deny
    access-list 109 permit ip any any
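The first-match and implicit-deny semantics that slides 4 and 5 rely on, shown as an added example that is not part of the original slides: a small evaluator for access-list entries in the slide's format. The transcript dropped the host addresses, so the ACL below uses constructed documentation-range addresses.

```python
# Added example, not BNL code: first-match evaluation of a Cisco-style
# numbered IP access-list with the trailing implicit deny.
import ipaddress

# Constructed ACL in the slide 5 format; 192.0.2.0/24 is documentation space.
ACL_109 = """\
access-list 109 remark Block IPs per ticket 160,729 1 Month 12/8
access-list 109 deny ip host 192.0.2.10 any
access-list 109 deny ip host 192.0.2.11 any
access-list 109 remark ********************* Allow *************************
access-list 109 remark permit all before implicit deny
access-list 109 permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard mask is the bitwise inverse of a netmask (contiguous case).
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text):
    """Return (action, protocol, src_net, dst_net) tuples in list order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue  # remarks document the list but never match traffic
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, s, d in entries:
        if proto == "ip" and src in s and dst in d:
            return action
    return "deny (implicit)"
```

Dropping the final "permit ip any any" makes every non-listed source fall through to the implicit deny, which is why the slide places that permit last.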

Slide 6: Network Services (no transcript text)

Slide 7: IP Address Allocation, Tier 0 to Tier 1 (BNL - CERN)
- Requires routable IP address space
- Direct BGP peering with CERN to / from BNL
- Limited route advertisements between T0 and T1
  - For the LHC OPN circuit BNL will use /24

Slide 8: IP Address Allocation, Tier 1 to Tier X (BNL - Internet)
- Requires routable IP address space
- Direct BGP peering with ES Net from BNL
- Full Internet route advertisements
  - ES Net CIDR IP address space
  - For the Internet circuit BNL will use /24
  - 3 additional class C networks available

Slide 9: IP Address Allocation, Tier 1 to Tier X (Continued)
- DNS fully qualified domain hostname
- Accessible ONLY from ES Net
  - No other path to get to BNL for LHC / Atlas

Slide 10: Network Services (no transcript text)

Slide 11: Future BNL LHC OPN Enhancements
- Dedicated Cisco Firewall Service Modules when available
  - Eliminate router ACL functionality / maintenance
  - Connection logging
  - Each FWSM circuit will not impede the 10 Gb/sec
  - Stateful FWSM redundancy
- IDS / IPS when available

Slide 12: Network Services (no transcript text)

Slide 13: Network Services
- Mon browser-based IP service monitor
- Internet-centric WAN based monitor application
- Interrogates essential BNL network services

Slide 14: (no transcript text)

Slide 15: Network Services
- MonaLisa Java based SNMP monitoring tool
- External WAN based monitor
- Tracks BNL EtherChannel OC-48
- Firewall Service Module
- 10 Gb/sec uplink to the BNL core

Slide 16: Network Services (no transcript text)

Slide 17: Network Services (no transcript text)

Slide 18: Summary
- Tier 2 traffic dependent on Internet connectivity
  - Path to BNL via ES Net only
  - Initial router ACL based access to BNL
  - BNL provides DNS hostname for Internet resolution

Slide 19: Questions / Comments ???

Slide 20: BNL Points of Contact
- Scott Bradley, Manager of Network Services
- John Bigrow, Senior Network Architect