Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC

Published byOpal Austin Modified over 8 years ago

Similar presentations

Presentation on theme: "Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC"— Presentation transcript:

1 Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC martin.bech@uni-c.dk

2 Optical network Backbone in production from the middle of 2009 Access connections are continuously upgraded to optical networking

3 Metro-ring in the Copenhagen Area National and International connections Risø RUC IHK KVL-T Hørs. ØRESTAD LYNGBY Panum KUA 7 km 2,75 dB 12 km 4 dB 3 km 1,75 dB 12 km 4 dB 23 km 6,75 dB 15 km 4,75 dB 6 km 2,5 dB 16 km 5 dB 6 km 2,5 dB 28 km 8 dB

4 Lightpaths for production IP AAU-2 LYNGBY ØRESTAD AAU-1 AU-2 -1 SDU-2 -1 10GE 8 x 1GE Physical fibre

5 Moving towards supplying multiple network connections everywhere At every location we now offer: Internet production IP service (as always) Infinite traffic and bandwidth… A connection type appropriate to the need Multiple dedicated network connections for “intranet” and “lambda” use Segregation between the networks are realized by means of a combination of lightpaths, MPLS and even VLANs

6 University of Aarhus: 23 locations …and the other universities are not much better This means a lot of lightpaths…

7 Special services for special user groups Network for everyone But on top of that, many of us are involved in serving the needs of special user groups: Supercomputing facilities GRID clusters Facilities for radio astronomy Video and telephony Content portals, databases etc. But what about services for health research and health care?

8 Why is health research and health care different from our other users? Not just a few large facilities, but also huge numbers of smaller entities/departments Huge numbers of scanners, databases and other facilities They all need their own separate private connections Users are very aware of security constraints, but totally unaware of the services and equipment that implement these constraints Many ad hoc projects and connections

9 We already have the network to support this? Researchers collaborate Researchers communicate - Email - Video Conferences - Web-based services Researchers share resources online - File repositories - Data bases - Microscopes, scanners, mass spectrometers, … - Specialized computing resources OK – we have the internet – where is the problem?

10 Communicating across organizational boundaries LAN FW External network LAN FW LAN FW

11 Online communication between researchers Everybody wants to exchange data (at least ideally!) Every small institute or group of researchers has its own firewall, security administration, access control mechanisms etc Every connection to or from such an entity requires approval, configuration, documentation and subsequently auditing

12 Grids – in practice Not just one grid node inside your network, communicating with ”the grid” – not even close! Some grid applications are accessed with clients to a remote facility (typically on TCP port 21XX) Some grids are operated by logging in with ssh (TCP port 22) to a remote node Some use a resource broker that is contacted first (TCP port 8443) Other use Web/SOAP/XML interfaces In any event: The state of the art today is that most projects and applications are using separate infrastructures

13 The challenge Lab A User A Lab B FW A FW B External Network Firewall rules (A) ------------ User A may access Service B ------------ ----------- Firewall rules (B) ------------ Service B may be accessed by User A ------------ ----------- Service B

14 Setup of a new connection Lab A User A Lab B FW A FW B External Network Firewall rules (A) ------------ User A may access Service B ------------ ----------- Firewall rules (B) ------------ Service B may be accessed by User A ------------ ----------- Service B

15 Expiry of a connection Lab A User A Lab B FW A FW B External Network Firewall rules (A) ------------ User A may access Service B ------------ ----------- Firewall rules (B) ------------ Service B may be accessed by User A ------------ ----------- Service B ? ?

16 Manual administration No problem for a single example such as this, except that the set-up of each connection typically takes a day But, if a research project with 20 partners are sharing just 10 common services, the total number of rules are 1.900 Most firewall administrators can’t say who is responsible for every rule Therefore: We need a system to keep track of all these connections

17 The Connection agreement system All groups of users and all services are put into the system by the users User A finds Service B in a large directory User A enters a request for a connection to system B Both User A and the administrator of Service B accepts the connection in the system The system generates rules which the fírewall administrators put into their firewalls

18 Using the Connection Agreement System Lab A User A Lab B FW A FW B Firewall rules (A) ------------ User A may access Service B ------------ ----------- Firewall rules (B) ------------ Service B may be accessed by User A ------------ ----------- Service B Connection Agreement System VPN gateway

19 The connection agreement system Everybody can find the services they need – and each other Eliminates the need for administering a huge number of VPN tunnels Establishes documentation of who ordered what connection and how long it is supposed to exist Simplifies security administration A simple and inexpensive solution to a problem that is common to most researchers sharing resources

20 The technology works: In production since 2003! The nation-wide Danish Health Data Network is based on the Connection Agreement System The swedish health network, Sjunet, has also decided to use the Connection Agreement System Several other countries and regions are considering implementing the Connection Agreement System

21

22

23

24

25 Number of connections registered

26 Traffic volumes in the Danish Health Data network Kbytes pr. month

27 NRENs provide a lot of services… Universities and research institutions Hospitals Basic Internet connectivityYes Video conferencingYes Collaboration toolsYes Lambda networkingYes IPv6Yes (but no use) Roaming servicesYes CERT and securityYes GRID and Scientific ComputingYes Media LibrariesYes

28 The Health Data Network provides: Hospitals Basic Internet connectivityNo Video conferencingYes Collaboration toolsYes Lambda networkingNot yet IPv6If needed Roaming servicesYes CERT and securityYes GRID and Scientific ComputingYes Media LibrariesYes

29

30

31 Internet project: Services Web accesss Teleconsultation Videoconference National Health Portal Collaboration Platform

32

33 Direct benefits for the health sector The price of passing EDI and XML messages by VANS operators dropped from € 0,30 to € 0,03 within the first year The national health portal is based on this network A lot of the barriers inhibiting collaboration are gone Cheaper, safer, more secure and better documented network usage A more efficient market for service providers The network compensates for shortage of specialists

34 Works on top of different network architectures Where all traffic passes a central hub (Denmark) Where there is a separate network for the whole health sector (Sweden) Where the network is a cluster of clusters (Norway) It may also be applied when connecting remote hospitals (Lithuania, Estonia, Slesvig)

35

36 Can we generalize this approach? Mega-science has it all: Separate λ-connections Dedicated GRID-clusters Services hardened to tolerate being directly on the internet

37 What do researchers with more modest budgets do?

38

39

40 Connecting two research resources Lab A Lab B Analysis equipment Scanner No connection

41 Connecting two research resources Lab A Lab B Analysis equipment Scanner Too expensive and unflexible

42 Connecting two research resources Lab A Lab B Analysis equipment Scanner Not safe: Equipment will be hacked and connection is not secure

43 Connecting two research resources Lab A Lab B Analysis equipment Scanner Using firewalls: Works, but unflexible and time-consuming to set up each time FW

44 Connecting two research resources Lab A Lab B Analysis equipment Scanner Using the Connection Agreement System: Flexibility by user configuration FW Connection Agreement System

45 Have we now solved all problems? YES – Once connected, new connections are operational almost immediately YES – We can now manage the increased complexity of the explosion of many types of connections between organizations YES – A light-weight alternative to dedicated lambda connections (no cost, immediate set-up) YES – Local security administrators can let their users do the administration and documentation of their security components NO – Network interoperability does not guarantee working interoperability of services NO – The present system does not offer any means for identity management of users (yet…)

46 What will it take to do this in other countries? The national or regional health authority must sign an agreement with MedCom, in order to get the connection agreement system for free It is written using open source tools and documented in english Equipment for € 20.000 (some servers and routers) Adaptation to the local health care network architecture (in the order of € 100.000 ) A national team supporting and proliferating the network

47 An opportunity for NRENs in Europe NRENs have the skills and the attitude Still a bit too complicated for a telco and too big for many system integrators This can be generalized to all handle all sorts of private connections through your network and other networks - ”ultra-lightweight lambdas” The main growth in network traffic will not happen on the open internet It we wait too long, someone else will do it! And they will not be using our network and our services

48 The connection agreement system can also be used by the user community in general as a precursor for lambdas Defining a point-to-point closed connection Is not a lambda Only runs IP May not even have fixed QoS But Helps users test and demonstrate a need for real lambdas It exists today, is simple to deploy and generates connections within the hour As a future development, the connection agreement system can even be used as a user interface for users to define lambda connections themselves.

49 Why could the connection agreement system be relevant in your context? Even if your network is closed and covers all relevant parties, a network of your size must have some firewalls internally Management of internal firewalls within the network There are always some parties that are external, and yet they still need to be connected: Private hospitals, GPs, service providers, independent labs, home care, … Managing connections abroad Generating network and security documentation … ? Despite my limited knowledge about your networks, I dare speculate…

50 Health Sector: What’s in it for you? A structured approach to creating a national/regional network if you don’t have one already Removing the barriers for more collaboration A unique opportunity to have the security infrastructure of your network documented Creating a more effeicient market for service providers Creating a self-financing structure that will be an enabler for more IT-based services (prescriptions, lab reports etc)

51 NREN: What’s in it for you? Provide network services for the whole of the health sector instead of just university hospitals Move some of the growth in network traffic in the health sector onto the NREN infrastructure A service in the grey zone between telcos and application service providing – thus suited ideally for most NRENs A precursor for the Lambda-net movement

52 UNIC and MedCom: What’s in it for us? Together, we have made a small and practical invention We want to see the concept proliferated… If a common system is used by most European regions, the benefits experienced nationally, may also apply to international connections A larger community has far more power to invest in further development of the system Not for profit (per se)

53 The health sector Ought to be an integral part of every NREN community They do research, education and an every-day production Security constraints on the network usage Their bandwidth needs are growing rapidly Today, they are no different from our traditional community Do we want to focus on the needs of the health sector? Why do many NREN not have a health sector strategy?

Download ppt "Connecting hospitals to the NREN The Danish case story Copenhagen, 15th September 2009 Martin Bech Deputy Director, UNIC"

Similar presentations

Unified Communications Bill Palmer ADNET Technologies, Inc.

Unified Communications Bill Palmer ADNET Technologies, Inc.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.

Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
WSUS Presented by: Nada Abdullah Ahmed.

WSUS Presented by: Nada Abdullah Ahmed.
COS 461 Fall 1997 Networks and Protocols u networks and protocols –definitions –motivation –history u protocol hierarchy –reasons for layering –quick tour.

COS 461 Fall 1997 Networks and Protocols u networks and protocols –definitions –motivation –history u protocol hierarchy –reasons for layering –quick tour.
Tom Sheridan IT Director Gas Technology Institute (GTI)

Tom Sheridan IT Director Gas Technology Institute (GTI)
Chapter 17: Client/Server Computing Business Data Communications, 4e.

Chapter 17: Client/Server Computing Business Data Communications, 4e.
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
INTRANETS DEFINITION (from Cambridge International Dictionary of English) intra- Combining form used to form adjectives meaning 'within' (the stated place.

INTRANETS DEFINITION (from Cambridge International Dictionary of English) intra- Combining form used to form adjectives meaning 'within' (the stated place.
Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.

Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Network Topologies.

Network Topologies.
Presence Applications in the Real World Patrick Ferriter VP of Product Marketing.

Presence Applications in the Real World Patrick Ferriter VP of Product Marketing.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
Networking Components Christopher Biles LTEC4550.020 Assignment 3.

Networking Components Christopher Biles LTEC Assignment 3.
By N.Gopinath AP/CSE. Why a Data Warehouse Application – Business Perspectives  There are several reasons why organizations consider Data Warehousing.

By N.Gopinath AP/CSE. Why a Data Warehouse Application – Business Perspectives  There are several reasons why organizations consider Data Warehousing.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
Chapter 5 Networks Communicating and Sharing Resources

Chapter 5 Networks Communicating and Sharing Resources
Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.

Similar presentations

Ads by Google