1. SCIENCE_DMZ NETWORKS STEVE PERRY, DIRECTOR OF NETWORKS UNM PIYASAT NILKAEW, DIRECTOR OF NETWORKS NMSU

2. OVERVIEW WHY RESEARCH SPECIFIC NETWORKS? PRODUCTION NETWORK/SCIENCE_DMZ DESIGN BASICS SCIENCE_DMZ COMPONENTS CCIIE GRANT/RESEARCHERS REQUIREMENTS UNM DESIGN

3. POSSIBILITIES??

4. DESIGN CONSIDERATIONS 1. TYPE OF R&E TRAFFIC – TCP –BASED, MICROBURST TRAFFIC THAT CAN QUICKLY CONSUME ENTIRE AVAILABLE BANDWIDTH A. SUBJECT TO TCP GLOBAL SYNCHRONIZATION 2. TCP TRAFFIC NEEDS DEEP BUFFER ON PORTS WHEN CONGESTION OCCURS. 3. NO COMMERCIALLY AVAILABLE SECURITY DEVICES CAN SIT IN-PATH WITH LINE- RATE PROCESS SPEED 4. 100 GBPS BACKBONE ACROSS CONTINENTAL US 5. THE GENERAL RULE OF THUMB IS THAT YOU NEED 50MS OF LINE-RATE OUTPUT QUEUE BUFFER FOR A 10G PORT, SO THERE SHOULD BE AROUND 60MB OF BUFFER.

5. RESEARCH NETWORK: SCIENCE DMZ A NETWORK OPTIMIZED FOR BUSINESS IS NOT DESIGNED OR CAPABLE OF SUPPORTING DATA INTENSIVE SCIENCE.  Universities will always need to support security features that protect organizational financial and personnel data.  Solution: create separate data intensive science network, external to university enterprise network  Design formalized by ESnet, based on traditional network DMZ paradigm

6. BASIC SCIENCE DMZ SCIENCE DMZ: (1) DEDICATED ACCESS TO HIGH-PERFORMANCE WAN, (2) HIGH- PERFORMANCE SWITCHING INFRASTRUCTURE (LARGE BUFFER MEMORY), (3) DEDICATED DATA TRANSFER NODES

7. SCIENCE_DMZ COMPONENTS DTN (DATA TRANSFER NODES—ORIGINATOR/RESPONDER) HIGH CAPACITY SERVERS CAPABLE OF WIRE SPEED 10GBPS TRANSFER GLOBUS GRIDFTP APPLICATION TUNED FOR LARGE DATA TRANSFERS LARGE BUFFER CAPABLE SWITCHES TO SMOOTH TCP DROPS MUST HAVE 60MB PER PORT BUFFER SPACE MUST BE SDN CAPABLE PERFSONAR MEASUREMENT NODES AT EACH LOCATION BRO IDS (IDS VERSUS IPS, TO MINIMIZE DEEP PACKET INSPECTION) OPEN DAYLIGHT SDN CONTROLLER SUPPORTING STAFF

8. MANAGING BY MEASURING--PERFSONAR OFF CAMPUS / ON CAMPUS SERVICE TUNING - DEDICATED PERFSONAR BEYOND UNM / NMSU HTTPS://PAS.NET.INTERNET2.EDU/MADDASH-WEBUI/ HTTP://PS-DASHBOARD.ES.NET/

9. HOW TO SECURE IT? USE BRO TO MONITOR IT OUT OF LINE IDS, NOT AN IPS REQUIRES FULL UNDERSTANDING OF BRO LIBRARIES AND EXPERTISE IN APPLICATION STACKS ROUTER ACL OR SDN POLICY ON KEY SWITCHES FOR TRAFFIC ENGINEERING IPTABLES AT THE BOXES

10. CC*IIE GRANT NSF GRANT AWARDED TO UNM COLLABORATIVE AMONGST RESEARCHERS/IT INITIAL FUNDING TO BUILD OUT THE BASIC NETWORK HOPE TO APPLY FOR ADDITIONAL GRANTS AS AVAILABLE

11. UNM DESIGN

12. I2 / AL2S via RGON SDN Cluster Leaf: N9396PX Spine: N9336PQ Nexus or Catalyst Access Layer 2 EPG 40G Fabric 10G Access/L2 100G L2 x 2 Layer 2 EPG ASR 9010 10G University Campus Science DMZ Smaller Institutions via MOE 10G MOE 100G L2 Science DMZ SDN NMSU DESIGN

13. SUMMARY WHY RESEARCH SPECIFIC NETWORKS? PRODUCTION NETWORK/SCIENCEDMZ DESIGN BASICS SCIENCEDMZ COMPONENTS UNM CCIIE GRANT/RESEARCHERS REQUIREMENTS UNM DESIGN