Elements of the PRP
Philip Papadopoulos


[Slide diagram: Pacific Research Platform linking DMZ 1, DMZ 2, DMZ 3 and DMZ 4; traffic flows freely within the PRP and can be impeded in/out of the PRP]

PRP Knits together DMZs

Basic Tenets
- Within PRP, traffic flows freely
- In/out of PRP, traffic CAN be impeded
- Everybody has a different DMZ implementation. Solutions need to work for everybody
- Need to pay attention to how much people time a “solution” requires

[Slide diagram: Collaborating Research Groups CRG 1, CRG 2 and CRG 3 spanning DMZ 1 to DMZ 4 within the Pacific Research Platform]

Collaborating Research Groups - CRGs
- PRP constructed with specific science drivers
- Some of these groups need to “protect” their traffic
- Likely sharing modes that we need to support:
  - Share only within the group
  - Share with anyone in PRP
  - Share with anyone on Internet2
  - Share to the world

[Slide diagram: DMZ-to-DMZ implemented with VLANs; each site border router (R) knows all other VLANs (vlan1-2, vlan1-3, vlan1-4, vlan2-3, vlan2-4, vlan4-3); traffic can be impeded in/out of PRP]

Peering VLANs – Not Scalable
- We can build it this way, but take Frank W.’s comment to heart that the PRP is only 3 FTEs.
- We will need to develop mechanics that let each site easily determine:
  - Is the source/destination on the PRP?
  - Is the source/destination a “partner” destination?

What are the mechanisms for managing PRP access? (and monitoring performance)
- Route advertisements? BGP has many control features (I’m not an expert in this area). My external view is that much of the “routing” security required can be accomplished with BGP, but it is very, very time intensive.
- A system similar to SciPass? Identify “good” traffic and reroute it around firewalls.
- Is there anything inherent/clever that we could do with IPv6 addresses to identify something as “part of the PRP”?
- Can SDN (e.g. OpenFlow-enabled) hardware be of utility?

[Slide diagram: DMZ-to-DMZ implemented as v6-to-v6 routing between site border routers (R); traffic can be impeded in/out of the dDMZ]

PRPv2 will be IPv6
- ARIN ran out of v4 address blocks last month.
  equest/ipv4_countdown.html
- This is going to be a hard transition for many software components.
- We (as a community) have to move to v6.
- Proposal is for PRPv2 to be IPv6 only.

[Slide diagram: per-site template, DMZ subnets and hosts behind an OpenFlow switch (SW) sitting between the border router (Rtr) and the firewall (FW); a flow controller holds an allowed list; all DMZ-bound v6 traffic passes through the switch; allowed subnets are updated from the PRP registry]

Per Site Template for PRPv2 with flow-based firewall implemented with OpenFlow
One idea for an OpenFlow-based firewall:
- PRP-allowed resources place an OpenFlow switch between their local DMZ and border router.
- A central (PRP-wide) registry identifies ALL PRP subnets.
- Each site can upload (cryptographically secure) a list of their local PRP-enabled resources.
- The local flow controller can use a combination of the central registry and local policy to decide pass/fail for a particular flow.
- The decision can be made on a per-flow basis, not a per-packet basis.
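The following is an added example, not code from the presentation or from the PRP project, that models the per-site flow controller sketched on the last slide and uses it to answer the questions raised earlier: the VLAN slide's "is the source/destination on the PRP, and is it a partner?", the "can IPv6 addresses identify something as part of the PRP?" question, and the four CRG sharing modes. Everything in it is assumed: the registry format (one IPv6 prefix per site, in RFC 3849 documentation space), the site-upload format and its HMAC-SHA256 tag (a stand-in for whatever signature scheme a real registry would mandate), the encoding of sharing modes as local policy, and the `FlowController` API itself.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed central PRP registry: one IPv6 prefix per site (RFC 3849 space).
PRP_REGISTRY = {
    "site-a": ipaddress.ip_network("2001:db8:a::/48"),
    "site-b": ipaddress.ip_network("2001:db8:b::/48"),
    "site-c": ipaddress.ip_network("2001:db8:c::/48"),
}
# Constructed: a prefix treated as "on Internet2 but not a PRP site".
INTERNET2_PREFIXES = [ipaddress.ip_network("2001:db8:1200::/40")]
# The four sharing modes from the CRG slide.
GROUP, PRP, INTERNET2, WORLD = "group", "prp", "internet2", "world"

def sign_resource_list(site, resources, key):
    """Site side: serialise the local resource list and tag it (HMAC-SHA256 is an assumed stand-in for a real signature)."""
    payload = json.dumps({"site": site, "resources": resources}, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_resource_list(payload, tag, key):
    """Constant-time check that the upload was not altered."""
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), tag)

def classify(addr):
    """Is this address on the PRP (and at which site), on Internet2, or elsewhere? Pure prefix membership."""
    ip = ipaddress.ip_address(addr)
    for site, net in PRP_REGISTRY.items():
        if ip in net:
            return ("prp", site)
    if any(ip in net for net in INTERNET2_PREFIXES):
        return ("internet2", None)
    return ("world", None)

class FlowController:
    """Per-site controller: verified local resource list + central registry give a pass/drop
    decision per flow, cached like an installed OpenFlow rule (decided once per flow, not per packet)."""

    def __init__(self, site, site_key):
        self.site, self.key = site, site_key
        self.resources = {}    # local prefix -> (mode, group prefixes)
        self.flow_table = {}   # 5-tuple -> "pass" / "drop"
        self.decisions_computed = 0

    def load_upload(self, payload, tag):
        """Accept a resource list only if its tag verifies and it names this site."""
        if not verify_resource_list(payload, tag, self.key):
            return False
        doc = json.loads(payload)
        if doc["site"] != self.site:
            return False
        self.resources = {ipaddress.ip_network(r["prefix"]):
                          (r["mode"], [ipaddress.ip_network(p) for p in r.get("group", [])])
                          for r in doc["resources"]}
        return True

    def _decide(self, src, dst):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hit = next((v for net, v in self.resources.items() if dst_ip in net), None)
        if hit is None:
            return "drop"      # destination is not a PRP-enabled local resource
        mode, group = hit
        realm, _site = classify(src)
        if mode == WORLD:
            return "pass"
        if mode == INTERNET2 and realm in ("prp", "internet2"):
            return "pass"
        if mode == PRP and realm == "prp":
            return "pass"
        if mode == GROUP and any(src_ip in net for net in group):
            return "pass"
        return "drop"

    def packet_in(self, src, dst, proto, sport, dport):
        """Only a flow's first packet reaches the controller; later packets hit the cached rule."""
        key = (src, dst, proto, sport, dport)
        if key not in self.flow_table:
            self.decisions_computed += 1
            self.flow_table[key] = self._decide(src, dst)
        return self.flow_table[key]

def demo():
    """Exercise every sharing mode with constructed flows; returns the decisions."""
    key = b"constructed-site-a-key"
    payload, tag = sign_resource_list("site-a", [
        {"prefix": "2001:db8:a:10::/64", "mode": GROUP, "group": ["2001:db8:b:20::/64"]},
        {"prefix": "2001:db8:a:20::/64", "mode": PRP},
        {"prefix": "2001:db8:a:30::/64", "mode": INTERNET2},
        {"prefix": "2001:db8:a:40::/64", "mode": WORLD}], key)
    ctl = FlowController("site-a", key)
    r = {"loaded": ctl.load_upload(payload, tag),
         "tampered_accepted": ctl.load_upload(payload.replace(b"group", b"world"), tag)}
    f = lambda s, d, sport: ctl.packet_in(s, d, "tcp", sport, 2811)   # 2811: GridFTP control
    r["group_from_member"] = f("2001:db8:b:20::5", "2001:db8:a:10::1", 40000)
    r["group_from_other_prp"] = f("2001:db8:c::5", "2001:db8:a:10::1", 40001)
    r["prp_from_prp"] = f("2001:db8:c::5", "2001:db8:a:20::1", 40002)
    r["prp_from_world"] = f("2001:db8:ffff::1", "2001:db8:a:20::1", 40003)  # ffff: not PRP
    r["i2_from_i2"] = f("2001:db8:1234::1", "2001:db8:a:30::1", 40004)
    r["world_from_world"] = f("2001:db8:ffff::1", "2001:db8:a:40::1", 40005)
    r["not_enabled"] = f("2001:db8:b::1", "2001:db8:a:99::1", 40006)
    f("2001:db8:b:20::5", "2001:db8:a:10::1", 40000)   # same 5-tuple: served from cache
    r["decisions_computed"] = ctl.decisions_computed
    return r

if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. First, the only per-host state the controller needs is the site's own resource list; everything about a remote address is derived from prefix membership in the central registry, which is what makes the IPv6-only proposal attractive for this kind of decision. Second, the repeated call at the end of `demo()` does not increase `decisions_computed`: the decision is made once on the flow's first packet and then served from the flow table, mirroring an installed OpenFlow rule rather than per-packet filtering. An upload whose tag does not verify is rejected outright, so a site's resource list cannot be altered in transit without the controller noticing.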