The Harvard Network: An Overview of Connectivity and Security


1 The Harvard Network: An Overview of Connectivity and Security
31 Oct 2017

2 Agenda
8/23/2018
- Network overview
- Internet connectivity and “built-in” security features
- Firewalls and School inter-connectivity
- Medical affiliates
- Amazon Web Services and CloudShield
- Supporting research at MGHPCC
- Challenges
- Q&A
(Presenter: Christian)

3 Purpose
Brief the CIO Council on how Harvard’s network “works” at a high level, including which security features are and are not included.
(Presenter: Christian)

4 Intended Outcomes
- CIOs have a high-level understanding of how Harvard’s network works and how the Schools are connected to one another, to the Internet and to the Amazon Web Services (AWS) cloud.
- CIOs have an opportunity to ask questions and provide feedback on this topic.
(Presenter: Christian)

5 Introduction
Utilizing Internet-based technologies, Harvard University IT (HUIT) operates a network backbone that connects the Schools to:
- one another
- the Internet and Internet2
- Harvard affiliates such as the Longwood Medical Area (LMA) hospitals
- HUIT datacenters and hosting facilities at 1 Summer St and 300 Bent
- Research Computing assets
This network acts as a foundational enabler for sharing research and data both within Harvard and out to other R&E institutions.
(Presenter: Jefferson)

6 What Does the Harvard Network Look Like?
(Presenter: Jefferson)

7 (untitled slide)
(Presenter: Jefferson)

8 Well, that wasn’t that useful. Try again.
(Presenter: Jefferson)

9 Logical Representation of a Campus Network
(Presenter: Jefferson)

10 That was even more useless. One more time.
(Presenter: Jefferson)

11 Overview of the Harvard Campus Network
- Border: connects Harvard to NOX, Internet, Internet2 (2x100gb); 20-30 gigabits per second of border traffic
- Core: all Schools and regions inter-connect via the Harvard Core (4x10g); plans to add 100gb in future
- Region: specific parts of campus such as River, Yard, Northwest, Law, LMA (2x2x10gb); Allston will be added as a new region
- “Last Mile”: Building Distribution/Uplink (mostly 2x1gb); Access (100mb or 1gb)
(Presenter: Jefferson)

12 Harvard Internet Border and Information Security Visibility
- 2 Border routers: 300 Bent, 1 Summer
- 2x100gb to NOX, an advanced networking exchange/NREN established in 1999 by Harvard, MIT and BU
- We also have 3 other Internet connections: Cogent, Level 3, CenturyLink
- Information Security visibility at each border router and AWS
(Presenter: Jefferson)

13 “Built-in” Security Features
- Bro intrusion detection system (IDS) and network traffic forensics
- Network flow data logged to Splunk for correlation and alerting
- FireEye malware detection
- BONUS: DMCA violation processing and delivery
- Robust detection capabilities; very few built-in protections
(Presenter: Christian)

14 Firewalls
- None at the Internet border, though we do coarsely block a few “ports”
- In front of the data center
- In front of our AWS presence
- Many Schools have their own
- For others, each “VLAN” (individual network) has firewall capabilities; block “Microsoft” ports (445, 3389, etc.)
(Presenter: Christian)
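Slides 13 and 14 together describe the detection-heavy posture: flow data goes to Splunk for correlation, while the border only coarsely blocks a few “Microsoft” ports. The following is an added example, not part of the presentation or of HUIT’s tooling, showing how such flow records could be audited to confirm the coarse filters are actually taking effect. It assumes a simple `src_ip,dst_ip,dst_port,protocol,packets` record format, 10.0.0.0/8 as campus space (the 10.x networks mentioned on slide 20), and that three or more packets on a TCP flow indicate a completed handshake; none of these assumptions come from the slides.

```python
"""Added example (not from the presentation): audit flow records for the
coarse border port filters described on slides 13 and 14.

Assumed record format (not defined on the slides):
    src_ip,dst_ip,dst_port,protocol,packets
A flow to a blocked port that carried 1-2 packets looks like a dropped SYN;
a flow with a full packet exchange means the filter did not apply to it.
"""
import ipaddress
from collections import Counter

BORDER_BLOCKED_PORTS = {445, 3389}                  # "Microsoft" ports named on slide 14
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: campus 10.x space (slide 20)
HANDSHAKE_PACKETS = 3                               # assumption: >= 3 packets means a completed handshake

# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = """\
203.0.113.5,10.20.30.40,445,tcp,1
203.0.113.5,10.20.30.41,3389,tcp,1
198.51.100.7,10.20.30.42,3389,tcp,12
198.51.100.9,10.20.30.43,443,tcp,40
10.20.30.44,10.20.30.46,445,tcp,8
10.20.30.45,203.0.113.20,445,tcp,6
"""

def parse_flow(line):
    src, dst, port, proto, packets = line.strip().split(",")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto, "packets": int(packets)}

def on_campus(ip):
    return any(ip in net for net in CAMPUS_NETS)

def audit_border_filters(flow_text):
    """Sort flows to blocked ports into buckets a Splunk alert might use."""
    report = {"blocked_attempts": Counter(), "filter_gaps": [], "intra_campus": 0, "outbound": 0}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["port"] not in BORDER_BLOCKED_PORTS:
            continue
        src_in, dst_in = on_campus(f["src"]), on_campus(f["dst"])
        if src_in and dst_in:
            report["intra_campus"] += 1   # the border filter never sees these; per-School/VLAN firewalls do
        elif src_in:
            report["outbound"] += 1       # campus host reaching out to a blocked port
        elif f["packets"] >= HANDSHAKE_PACKETS:
            report["filter_gaps"].append(f"{f['src']} -> {f['dst']}:{f['port']} ({f['packets']} pkts)")
        else:
            report["blocked_attempts"][f["port"]] += 1   # SYN seen, no exchange: filter held
    return report

if __name__ == "__main__":
    print(audit_border_filters(SAMPLE_FLOWS))
```

With the constructed sample, one inbound 3389 flow completes a handshake and is reported as a filter gap, while the two single-packet inbound flows count as blocked attempts.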

15 School Inter-connectivity: how does one School impact others?
- It depends…
- Some Schools have firewalls configured to “protect themselves” from Harvard
- Others have firewall capabilities on each individual network
- Defining exactly what is Harvard from a network perspective can be challenging
- Medical affiliates? Just like the Internet…mostly
(Presenter: Christian)

16 LMA Net
- 2 HUIT-operated gateway ASR Routers: Gordon Hall, Dana Farber
- 2x10gb to Harvard Border; discussions underway for 40gb or 100gb
- Additional 10gb link to Harvard Core for VoIP traffic
- InfoSec taps at each border capture ingress/egress, not intra-LMA
- LMA interest in aggregated and shared firewall logs via Splunk
(Presenter: Jefferson)

17 HUIT Cloud Connectivity and Cloud Shield
- HUIT has multiple 10gb Direct Connect links into AWS
- 2 Harvard Points of Presence: 1 Summer St in Boston and the Equinix datacenter in VA
- Can provide private access into AWS VPCs
- AWS public peering to S3 and other “front door” services
- CloudShield Network Security infrastructure
- Can be extended to other cloud providers in the future
(Presenter: Jefferson)

18 HUIT Cloud Connectivity and Cloud Shield
- “Next-Generation” Fortinet firewalls: 1 virtual firewall per AWS VPC
- Inbound and outbound traffic enforcement
- Intrusion detection and prevention
- Implicit outbound web proxy
- Load balancing
- Can be extended to include other cloud providers
- Network traffic sent to the central information security complex and processed by the same tools for further intrusion detection and network forensics
(Presenter: Christian)

19 MGHPCC
- Close partnership with FAS RC on network access
- Leveraging MIT’s optical network, we have 2 diverse connections to MGHPCC, 20gb in each direction
- Short path: faster, default path (2.9ms RTT)
- Long path: adds DR resiliency; increased latency due to distance (10.2ms RTT via NYC)
(Presenter: Jefferson)

20 Challenges
- Duplicate 10.x networks at HMS and HUIT Infrastructure mean these networks can’t easily “talk to each other” (without complex configuration)
- Students not currently meaningfully separated from faculty or staff in a scalable way from a network perspective
- Some “bleed” between what we consider HMS networks and the smaller medical affiliate networks
- Without a true firewall at the Internet border, we don’t have a way to block attacks from the Internet University-wide (other than a very coarse set of filters we can apply)
- Rapidly changing landscape for security in the Cloud
- Traditional security monitoring and enforcement methods more challenging (or more expensive) at 100gb+
(Presenter: Christian/Jefferson?)

21 Questions
