A SECURE SDN SCIENCE DMZ

Similar documents
Secure Science DMZ using Event-Driven SDN. Technical Solutions Cisco

Achieving the Science DMZ

AmLight ExP & AtlanticWave-SDX: new projects supporting Future Internet Research between U.S. & South America

The UniNet Express Lane Services

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

SDN AmLight: One Year Later

ESnet s (100G) SDN Testbed

IRNC PI Meeting. Internet2 Global Summit May 6, 2018

Software-Defined Networking (SDN) Overview

Enabling a SuperFacility with Software Defined Networking

Network Testbeds at AmLight: Eight Months Later

Inter-domain SDN Data Plane Validation: Next Steps at AmLight

OpenFlow: What s it Good for?

Politecnico di Torino Network architecture and management. Outline 11/01/2016. Marcello Maggiora, Antonio Lantieri, Marco Ricca

Deployments and Network Topologies

Community College LAN Design Considerations

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Innovation and Experimentation through SDN and Network Virtualization

Event-Based Software-Defined Networking: Build a Secure Science DMZ

Session objectives and takeaways

AmLight s SDN Looking Glass A Network Monitoring System for SDN Networks

Performing Path Traces

GÉANT L3VPN Service Description. Multi-point, VPN services for NRENs

The following steps should be used when configuring a VLAN on the EdgeXOS platform:

Unified Access Network Design and Considerations

Introduction. Hardware and Software. Test Highlights

WLCG Network Throughput WG

SLIDE 1 - COPYRIGHT 2015 ELEPHANT FLOWS IN THE ROOM: SCIENCEDMZ NATIONALLY DISTRIBUTED

Design and development of the reactive BGP peering in softwaredefined routing exchanges

Community College LAN Deployment Guide

Communication Service Provider

Network Service Description

Resilient Integration of Distributed High-Performance Zones into the BelWue Network Using OpenFlow

"Charting the Course... TSHOOT Troubleshooting and Maintaining Cisco IP Networks Course Summary

Campus network: Looking at the big picture

IRNC Kickoff Meeting

So#ware Defined Networks and OpenFlow

Get the skills to maintain your networks and to diagnose and resolve network problems quickly and effectively.

CompTIA. SY0-401 EXAM CompTIA Security+ Certification Exam. m/ Product: Demo. For More Information:

Stateful Failover Technology White Paper

FROM NETWORK ADMINISTRATOR TO DOMAIN SCIENTIST: CHALLENGES WITH CREATING USABLE HIGH SPEED NETWORKS

IRNC:RXP SDN / SDX Update

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

Top-Down Network Design

Managing Demand Spikes in a highly flexible and agile deployment

Hands-On Troubleshooting IPTV with WireShark

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

Advance Reservation Access Control Using Software-Defined Networking and Tokens

The Abilene Observatory and Measurement Opportunities

Configuration Example

Benefits of SDN Modeling and Analytics tool for complex Service Provider Network

Public Cloud Connection for R&E Network. Jin Tanaka APAN-JP/KDDI

DEVOPSIFYING NETWORK SECURITY. An AlgoSec Technical Whitepaper

Extending dynamic Layer-2 services to campuses

Pacific Wave: Building an SDN Exchange

IPv6 Best Operational Practices of Network Functions Virtualization (NFV) With Vmware NSX. Jeremy Duncan Tachyon Dynamics

Data Center Configuration. 1. Configuring VXLAN

Network-Level High Availability

Prerequisites CNS-220 Citrix NetScaler Essentials and Traffic Management

Experience of the RISE Testbed Deployment

Fully Scalable Networking with MidoNet

The Next Opportunity in the Data Centre

Introduction to BGP ISP/IXP Workshops

Service Graph Design with Cisco Application Centric Infrastructure

Campus Network Design. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Network+ Guide to Networks 6 th Edition

COURSE PROJECT SEM ATTENTION ALL ADVANCED DIPLOMA & BACHELOR STUDENTS

Campus Network Design

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

Layer 4 to Layer 7 Design

BigData Express: Toward Predictable, Schedulable, and High-Performance Data Transfer. BigData Express Research Team November 10, 2018

Borderless Campus Design and Deployment Models

Software-Defined Networking (Continued)

This solution is fully reproducible and has been deployed in live environments.

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS

VNF Chain Allocation and Management at Data Center Scale

Communication Networks

CompTIA Network+ Study Guide Table of Contents

Developing Applications with Networking Capabilities via End-to-End Software Defined Networking (DANCES)

2Wire IG 2700 ADSL Router. RJ45 connecting cable

Globus Research Data Management: Campus Deployment and Configuration. Steve Tuecke Vas Vasiliadis

VXLAN EVPN Fabric and automation using Ansible

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Agenda. Networking Intro MPLS Tech MPBN WAN MPBN Functionality Security Monitoring

Objective. Set out to reverse engineer SDN implementations and secure the entire thing.

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

GÉANT IP Service Description. High Performance IP Services to Support Advanced Research

H3C S9800 Switch Series

Course Objectives In this course, students can expect to learn how to:

Deploying VMware Validated Design Using OSPF Dynamic Routing. Technical Note 9 NOV 2017 VMware Validated Design 4.1 VMware Validated Design 4.

Computer Science 461 Midterm Exam March 14, :00-10:50am

2Wire IG 2700 ADSL Router. RJ45 connecting cable

ProgrammableFlow: OpenFlow Network Fabric

A Brief Overview of the Science DMZ

TOC: Switching & Forwarding

TOC: Switching & Forwarding

Introduction to IP Routing. Geoff Huston

Transcription:

A SECURE SDN SCIENCE DMZ Indiana University Yuri Kolomiyets Solutions Architect, Corsa Technology

A Secure SDN Science DMZ CONTENTS The Approach The Setup The Trial [ 2 ]

A Secure SDN Science DMZ The Goal Looking for a Science DMZ design that is Easy to understand Relatively easy to deploy Without compromising security (i.e., keeps the CISO happy), and Enhances data transfer performance NREN Internet DTN Sci DMZ Campus [ 3 ]

A Secure SDN Science DMZ The Approach Add an SDN Science DMZ Gateway Don't change the (logical) topology Maintain existing IP peering relationships Maintain the traffic pattern that secures the campus network NREN SDN GW Internet Configure static L2 connections SDN gateway acts as "bump in the wire" Or two bumps No change to routing topology DTN Sci DMZ Campus [ 4 ]

A Secure SDN Science DMZ Selective Routing Improve throughput for high volume data transfers NREN Internet Selectively route authorized data transfer flows directly to the DMZ Bypass border router and firewall SDN datapath controls SDN GW Recognize authorized data transfer flows and install per-flow routing Packet headers rewritten as though they passed through router/firewall DTN Sci DMZ Campus [ 5 ]

A Secure SDN Science DMZ The Approach (alternate) Add an SDN Science DMZ Gateway NREN Internet Don't change the (logical) topology Maintain existing IP peering relationships Maintain the traffic pattern that secures the campus network Configure static L2 connections SDN gateway acts as "bump in the wire" Similar to SciPass developed at IU, but without the IDS load balancer SDN GW DTN Sci DMZ Campus [ 6 ]

A Secure SDN Science DMZ Authorizing Flows Recognize authorizied data transfers Method depends on policy NREN Internet Learn flows using DTN source address Recognize transfer control protocol Integrate with transfer control system Globus/gridftp integration SDN GW Callout functions at key points in data transfer process, for example Globus Toolkit Integration post_connect() or post_accept() install bypass flows post_close() - remove bypass flows DTN Sci DMZ Campus [ 7 ]

Setting up an SDN Science DMZ Goal: Provide configuration guidance and automate as much as possible Switch installation, cabling and commissioning (as usual) Configuration of DTNs As usual, plus (optional) configuration of VLAN interfaces Install and start SDN Controller Configure interface/vid roles (WAN, Campus WAN-side, Campus DMZ-side, DMZ) Controller provisions baseline connectivity (e.g., VLAN connections) Configure secure connectivity to DTNs (e.g., for Globus integration) SDN Operation Automated selective routing for authorized data transfers Potential for coordination with other SDN Controllers (e.g., OESS) WAN SDN GW DMZ DTN WAN-side Campus DMZ-side [ 8 ]

Setting up an SDN Science DMZ Extras As with many networking solutions, there are opportunities for enhancement Potential for BGP integration if there are multiple routes to WAN Integration with fault recovery strategies "Bump in the wire" approach intended to simplify this, but There may be benefit in other approaches Integration with OESS to use dynamic AL2S circuits [ 9 ]

The Trial Goal: Investigate SDN Science DMZ configuration and performance We are setting up SDN switches, with attached DTNs, on three campuses University of Utah (Joe Breen) Florida International University (Jeronimo Bezera) Indiana University (Uwe Dahlmann) Develop and test configuration automation Evaluate effectiveness of traffic management tools (e.g., flow shaping) Testbed for software integration [ 10 ]

Trial Configuration DTN configuration Internet2 CentOS image Ansible playbook for additional configuration (Globus, VLAN subinterfaces) Switch configuration Corsa SDX pipeline with flow entries implementing default L2 connectivity Simple Ryu controller to capture performance data (on-switch VM) Internet2 configuration Utah-to-FIU AL2S connections to test high volume transfer performance and traffic management Loopbacks for testing campus connectivity to Internet2 (regional network) [ 11 ]

Trials (and tribulations) Baseline testing Ansible playbooks to do local campus testing and end-to-end testing Initial tests being done with bwctl/iperf3 Loading measurement data into InfluxDB, viewing with Grafana Working toward a stable baseline Default DTN configuration achieves roughly 2.5Gbps transfer rate with 60ms RTT Challenge to achieve this performance in both directions between Utah and FIU Challenge to test campus to Internet2 (AL2S loopback problems) [ 12 ]

Trials (and tribulations) Fairly clean transfer Utah-to-FIU, but negligible rate FIU-to-Utah Negligible rate Utah-to-FIU, choppy transfer rate FIU-to-Utah [ 13 ]

Trials (and tribulations) Local test between DTNs at one campus Stable transfer rate Same campus test looped at Internet2 Packet retransmission every few sec What is causing this? [ 14 ]

The Ongoing Trial Goal: Investigate SDN Science DMZ configuration and performance Upgrade campus switches More comprehensive measurement capabilities More advanced traffic management functions Develop and test configuration automation Evaluate effectiveness of traffic management tools (e.g., flow shaping) Testbed for software integration [ 15 ]

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback