Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC

Slides:



Advertisements
Similar presentations
Unified Communications Bill Palmer ADNET Technologies, Inc.
Advertisements

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
Enabling IPv6 in Corporate Intranet Networks
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
WSUS Presented by: Nada Abdullah Ahmed.
COS 461 Fall 1997 Networks and Protocols u networks and protocols –definitions –motivation –history u protocol hierarchy –reasons for layering –quick tour.
Tom Sheridan IT Director Gas Technology Institute (GTI)
Chapter 17: Client/Server Computing Business Data Communications, 4e.
Networking Components Chad Benedict – LTEC
INTRANETS DEFINITION (from Cambridge International Dictionary of English) intra- Combining form used to form adjectives meaning 'within' (the stated place.
Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Network Topologies.
Presence Applications in the Real World Patrick Ferriter VP of Product Marketing.
Clinic Security and Policy Enforcement in Windows Server 2008.
Networking Components Christopher Biles LTEC Assignment 3.
By N.Gopinath AP/CSE. Why a Data Warehouse Application – Business Perspectives  There are several reasons why organizations consider Data Warehousing.
Intranet, Extranet, Firewall. Intranet and Extranet.
Chapter 5 Networks Communicating and Sharing Resources
Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.
NRENs serving the Health Sector - a possibility if we go for it EARNEST Initial Workshop, 23/ Martin Bech, Deputy Director, UNIC
Introduction to Networking Concepts. Introducing TCP/IP Addressing Network address – common portion of the IP address shared by all hosts on a subnet/network.
1 WHY NEED NETWORKING? - Access to remote information - Person-to-person communication - Cooperative work online - Resource sharing.
NORDUnet NORDUnet The Fibre Generation Lars Fischer CTO NORDUnet.
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Identifying Application Impacts on Network Design Designing and Supporting Computer.
IMPROUVEMENT OF COMPUTER NETWORKS SECURITY BY USING FAULT TOLERANT CLUSTERS Prof. S ERB AUREL Ph. D. Prof. PATRICIU VICTOR-VALERIU Ph. D. Military Technical.
Networks QUME 185 Introduction to Computer Applications.
Internet Engineering Course Network Design. Internet Engineering Course; Sharif University of Technology Contents Define and analyse an organization network.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
 What is intranet What is intranet  FeaturesFeatures  ArchitectureArchitecture  MeritsMerits  applicationsapplications  What is ExtranetWhat is.
Windows Small Business Server 2003 Setting up and Connecting David Overton Partner Technical Specialist.
Real World Case Study KM Summer Institute June Rano Joshi, Vorsite.
Oz – Foundations of Electronic Commerce © 2002 Prentice Hall EDI and the Internet Oz – Foundations of Electronic Commerce © 2002 Prentice Hall.
Creating a national Health Data Network in Denmark and elsewhere… Baltic IT&T 2007 Riga, 19/4-07 Martin Bech, Deputy Director, UNIC
Campus Network Development Network Architecture, Universal Access & Security.
Grow your business... Protect their investment. Property Technologies International, LLC Presentation of PTI’s suite of web-based applications for real.
Chapter 17: Client/Server Computing Business Data Communications, 4e.
9 Systems Analysis and Design in a Changing World, Fourth Edition.
Mario D’Silva National Technology Specialists Unified Communications UNC307.
Production Grid Challenges in Hungary Péter Stefán Ferenc Szalai Gábor Vitéz NIIF/HUNGARNET.
NRENs and Health Care The Danish showcase TNC2007, 15/ Martin Bech, Deputy Director, UNIC
Unleashing the Power of IP Communications™ Calling Across The Boundaries Mike Burkett, VP Products September 2002.
Marv Adams Chief Information Officer November 29, 2001.
NETWORKING FUNDAMENTALS. Network+ Guide to Networks, 4e2.
Security fundamentals Topic 10 Securing the network perimeter.
Network Components David Blakeley LTEC HUB A common connection point for devices in a network. Hubs are commonly used to connect segments of a LAN.
Deploying IPv6, Now Christian Huitema Architect Windows Networking & Communications Microsoft Corporation.
Ministry of Science and Technology Mozambique Research and Education Network - MoRENet Jussi Hinkkanen Ministry of Science and Technology Mozambique.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 4: Planning and Configuring Routing and Switching.
Higher Computing Networking. Networking – Local Area Networks.
Introducing… Conferencing Manager. Agenda Citrix MetaFrame Conferencing Manager Solving business challenges Value to our channel Citrix MetaFrame Conferencing.
G É ANT2 Development Support Activity and the Republic of Moldova 1st RENAM User Conference Chisinau, Republic of Moldova 14-May-2007 Valentino Cavalli.
The overview How the open market works. Players and Bodies  The main players are –The component supplier  Document  Binary –The authorized supplier.
Michael Miller Senior Director Real-Time Collaboration Products Oracle Collaboration Suite 10g Oracle Corporation.
Internet of Things. Creating Our Future Together.
VPN Alex Carr. Overview  Introduction  3 Main Purposes of a VPN  Equipment  Remote-Access VPN  Site-to-Site VPN  Extranet Based  Intranet Based.
2.2 Interfacing Computers MR JOSEPH TAN CHOO KEE TUESDAY 1330 TO 1530
1 Open Discovery Space Overview Argiris Tzikopoulos, Ellinogermaniki Agogi Open Discovery Space [CIP-ICT-PSP ][elearning] A socially-powered and.
COMPUTER NETWORKS Quizzes 5% First practical exam 5% Final practical exam 10% LANGUAGE.
Education Portal Solutions for Higher Education Education portals create a common gateway to the data and services that the people throughout your university.
Security fundamentals
Chapter 7. Identifying Assets and Activities to Be Protected
Securing the Network Perimeter with ISA 2004
Introduction to Networking
Enterprise Application Architecture
09/12/2018 Virtual Networks.
Poul Bernt Jensen Senior Advisor Ministry of IT and Research Denmark
Chapter 17: Client/Server Computing
Presentation transcript:

Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC

Optical network Backbone in production from the middle of 2009 Access connections are continuously upgraded to optical networking

Metro-ring in the Copenhagen Area National and International connections Risø RUC IHK KVL-T Hørs. ØRESTAD LYNGBY Panum KUA 7 km 2,75 dB 12 km 4 dB 3 km 1,75 dB 12 km 4 dB 23 km 6,75 dB 15 km 4,75 dB 6 km 2,5 dB 16 km 5 dB 6 km 2,5 dB 28 km 8 dB

Lightpaths for production IP AAU-2 LYNGBY ØRESTAD AAU-1 AU-2 -1 SDU GE 8 x 1GE Physical fibre

Moving towards supplying multiple network connections everywhere At every location we now offer: Internet production IP service (as always) Infinite traffic and bandwidth… A connection type appropriate to the need Multiple dedicated network connections for “intranet” and “lambda” use Segregation between the networks are realized by means of a combination of lightpaths, MPLS and even VLANs

University of Aarhus: 23 locations …and the other universities are not much better This means a lot of lightpaths…

Special services for special user groups Network for everyone But on top of that, many of us are involved in serving the needs of special user groups: Supercomputing facilities GRID clusters Facilities for radio astronomy Video and telephony Content portals, databases etc. But what about services for health research and health care?

Why is health research and health care different from our other users? Not just a few large facilities, but also huge numbers of smaller entities/departments Huge numbers of scanners, databases and other facilities They all need their own separate private connections Users are very aware of security constraints, but totally unaware of the services and equipment that implement these constraints Many ad hoc projects and connections

We already have the network to support this? Researchers collaborate Researchers communicate - - Video Conferences - Web-based services Researchers share resources online - File repositories - Data bases - Microscopes, scanners, mass spectrometers, … - Specialized computing resources OK – we have the internet – where is the problem?

Communicating across organizational boundaries LAN FW External network LAN FW LAN FW

Online communication between researchers Everybody wants to exchange data (at least ideally!) Every small institute or group of researchers has its own firewall, security administration, access control mechanisms etc Every connection to or from such an entity requires approval, configuration, documentation and subsequently auditing

Grids – in practice Not just one grid node inside your network, communicating with ”the grid” – not even close! Some grid applications are accessed with clients to a remote facility (typically on TCP port 21XX) Some grids are operated by logging in with ssh (TCP port 22) to a remote node Some use a resource broker that is contacted first (TCP port 8443) Other use Web/SOAP/XML interfaces In any event: The state of the art today is that most projects and applications are using separate infrastructures

The challenge Lab A User A Lab B FW A FW B External Network Firewall rules (A) User A may access Service B Firewall rules (B) Service B may be accessed by User A Service B

Setup of a new connection Lab A User A Lab B FW A FW B External Network Firewall rules (A) User A may access Service B Firewall rules (B) Service B may be accessed by User A Service B

Expiry of a connection Lab A User A Lab B FW A FW B External Network Firewall rules (A) User A may access Service B Firewall rules (B) Service B may be accessed by User A Service B ? ?

Manual administration No problem for a single example such as this, except that the set-up of each connection typically takes a day But, if a research project with 20 partners are sharing just 10 common services, the total number of rules are Most firewall administrators can’t say who is responsible for every rule Therefore: We need a system to keep track of all these connections

The Connection agreement system All groups of users and all services are put into the system by the users User A finds Service B in a large directory User A enters a request for a connection to system B Both User A and the administrator of Service B accepts the connection in the system The system generates rules which the fírewall administrators put into their firewalls

Using the Connection Agreement System Lab A User A Lab B FW A FW B Firewall rules (A) User A may access Service B Firewall rules (B) Service B may be accessed by User A Service B Connection Agreement System VPN gateway

The connection agreement system Everybody can find the services they need – and each other Eliminates the need for administering a huge number of VPN tunnels Establishes documentation of who ordered what connection and how long it is supposed to exist Simplifies security administration A simple and inexpensive solution to a problem that is common to most researchers sharing resources

The technology works: In production since 2003! The nation-wide Danish Health Data Network is based on the Connection Agreement System The swedish health network, Sjunet, has also decided to use the Connection Agreement System Several other countries and regions are considering implementing the Connection Agreement System

Number of connections registered

Traffic volumes in the Danish Health Data network Kbytes pr. month

NRENs provide a lot of services… Universities and research institutions Hospitals Basic Internet connectivityYes Video conferencingYes Collaboration toolsYes Lambda networkingYes IPv6Yes (but no use) Roaming servicesYes CERT and securityYes GRID and Scientific ComputingYes Media LibrariesYes

The Health Data Network provides: Hospitals Basic Internet connectivityNo Video conferencingYes Collaboration toolsYes Lambda networkingNot yet IPv6If needed Roaming servicesYes CERT and securityYes GRID and Scientific ComputingYes Media LibrariesYes

Internet project: Services Web accesss Teleconsultation Videoconference National Health Portal Collaboration Platform

Direct benefits for the health sector The price of passing EDI and XML messages by VANS operators dropped from € 0,30 to € 0,03 within the first year The national health portal is based on this network A lot of the barriers inhibiting collaboration are gone Cheaper, safer, more secure and better documented network usage A more efficient market for service providers The network compensates for shortage of specialists

Works on top of different network architectures Where all traffic passes a central hub (Denmark) Where there is a separate network for the whole health sector (Sweden) Where the network is a cluster of clusters (Norway) It may also be applied when connecting remote hospitals (Lithuania, Estonia, Slesvig)

Can we generalize this approach? Mega-science has it all: Separate λ-connections Dedicated GRID-clusters Services hardened to tolerate being directly on the internet

What do researchers with more modest budgets do?

Connecting two research resources Lab A Lab B Analysis equipment Scanner No connection

Connecting two research resources Lab A Lab B Analysis equipment Scanner Too expensive and unflexible

Connecting two research resources Lab A Lab B Analysis equipment Scanner Not safe: Equipment will be hacked and connection is not secure

Connecting two research resources Lab A Lab B Analysis equipment Scanner Using firewalls: Works, but unflexible and time-consuming to set up each time FW

Connecting two research resources Lab A Lab B Analysis equipment Scanner Using the Connection Agreement System: Flexibility by user configuration FW Connection Agreement System

Have we now solved all problems? YES – Once connected, new connections are operational almost immediately YES – We can now manage the increased complexity of the explosion of many types of connections between organizations YES – A light-weight alternative to dedicated lambda connections (no cost, immediate set-up) YES – Local security administrators can let their users do the administration and documentation of their security components NO – Network interoperability does not guarantee working interoperability of services NO – The present system does not offer any means for identity management of users (yet…)

What will it take to do this in other countries? The national or regional health authority must sign an agreement with MedCom, in order to get the connection agreement system for free It is written using open source tools and documented in english Equipment for € (some servers and routers) Adaptation to the local health care network architecture (in the order of € ) A national team supporting and proliferating the network

An opportunity for NRENs in Europe NRENs have the skills and the attitude Still a bit too complicated for a telco and too big for many system integrators This can be generalized to all handle all sorts of private connections through your network and other networks - ”ultra-lightweight lambdas” The main growth in network traffic will not happen on the open internet It we wait too long, someone else will do it! And they will not be using our network and our services

The connection agreement system can also be used by the user community in general as a precursor for lambdas Defining a point-to-point closed connection Is not a lambda Only runs IP May not even have fixed QoS But Helps users test and demonstrate a need for real lambdas It exists today, is simple to deploy and generates connections within the hour As a future development, the connection agreement system can even be used as a user interface for users to define lambda connections themselves.

Why could the connection agreement system be relevant in your context? Even if your network is closed and covers all relevant parties, a network of your size must have some firewalls internally Management of internal firewalls within the network There are always some parties that are external, and yet they still need to be connected: Private hospitals, GPs, service providers, independent labs, home care, … Managing connections abroad Generating network and security documentation … ? Despite my limited knowledge about your networks, I dare speculate…

Health Sector: What’s in it for you? A structured approach to creating a national/regional network if you don’t have one already Removing the barriers for more collaboration A unique opportunity to have the security infrastructure of your network documented Creating a more effeicient market for service providers Creating a self-financing structure that will be an enabler for more IT-based services (prescriptions, lab reports etc)

NREN: What’s in it for you? Provide network services for the whole of the health sector instead of just university hospitals Move some of the growth in network traffic in the health sector onto the NREN infrastructure A service in the grey zone between telcos and application service providing – thus suited ideally for most NRENs A precursor for the Lambda-net movement

UNIC and MedCom: What’s in it for us? Together, we have made a small and practical invention We want to see the concept proliferated… If a common system is used by most European regions, the benefits experienced nationally, may also apply to international connections A larger community has far more power to invest in further development of the system Not for profit (per se)

The health sector Ought to be an integral part of every NREN community They do research, education and an every-day production Security constraints on the network usage Their bandwidth needs are growing rapidly Today, they are no different from our traditional community Do we want to focus on the needs of the health sector? Why do many NREN not have a health sector strategy?