The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the...
Transcript of The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the...
![Page 1: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/1.jpg)
The Science DMZ
Eli Dart, Energy Sciences Network (ESnet)
TERENA Network Architects and TF-NOC
Prague, Czech Republic
November 13, 2013
![Page 2: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/2.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Outline
• Motivation
• The Science DMZ Design Pattern
• Security
• Futures
• Wrap
10/31/13 2
![Page 3: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/3.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Motivation
Networks are an essential part of data-intensive science • Connect data sources to data analysis • Connect collaborators to each other • Enable machine-consumable interfaces to data and analysis
resources (e.g. portals), automation, scale
Performance is critical • Exponential data growth • Constant human factors • Data movement and data analysis must keep up
Effective use of wide area networks by scientists has historically been difficult
10/31/13 3
![Page 4: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/4.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
The Central Role of the Network
The very structure of modern science assumes science networks exist: high performance, feature rich, global scope
What is important? 1. Correctness 2. Consistency 3. Performance
What is “The Network” anyway? • “The Network” is the set of devices and applications involved in the use of a
remote resource − This is not about supercomputer interconnects − This is about data flow from experiment to analysis, between facilities, etc.
• User interfaces for “The Network” – portal, data transfer tool, workflow engine • Therefore, servers and applications must also be considered
10/31/13 4
![Page 5: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/5.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
TCP – Ubiquitous and Fragile
Networks provide connectivity between hosts – how do hosts see the network?
• From an application’s perspective, the interface to “the other end” is a socket
• Communication is between applications – mostly over TCP
TCP – the fragile workhorse • TCP is (for very good reasons) timid – packet loss is interpreted
as congestion • Packet loss in conjunction with latency is a performance killer • Like it or not, TCP is used for the vast majority of data transfer
applications
![Page 6: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/6.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
A small amount of packet loss makes a huge difference in TCP performance
11/11/13
Metro Area
Local (LAN)
Regional
Continental
International
Measured (TCP Reno) Measured (HTCP) Theoretical (TCP Reno) Measured (no loss)
With loss, high performance beyond metro distances is essentially impossible
![Page 7: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/7.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Working With TCP In Practice
Far easier to support TCP than to fix TCP • People have been trying to fix TCP for years – limited success • Like it or not we’re stuck with TCP in the general case
Pragmatically speaking, we must accommodate TCP • Sufficient bandwidth to avoid congestion • Zero packet loss • Verifiable infrastructure − Must be able to prove a network device or path is functioning
correctly − Small footprint is a huge win – small number of devices so that
problem isolation is tractable
![Page 8: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/8.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
The Science DMZ Design Pattern
Effective support for TCP-based data transfer • Designed for correct, consistent, high-performance operation • Easy to troubleshoot • Cybersecurity – defensible without compromising performance
Borrow ideas from traditional network security • Traditional DMZ – separate enclave at network perimeter
(“Demilitarized Zone”) − For WAN-facing services − Clean policies − Well-supported by proper hardware
• Do the same thing for science – Science DMZ
11/11/13 8
![Page 9: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/9.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ Design Pattern Components
11/12/13 9
Dedicated Systems for
Data Transfer
Network Architecture
Performance Testing &
Measurement
Data Transfer Node • High performance • Configured specifically
for data transfer • Proper tools
Science DMZ • Dedicated location for
Data Transfer Node • Appropriate security • Easy to deploy - no
need to redesign the whole network
perfSONAR • Enables fault isolation • Verify correct operation • Widely deployed in
ESnet and other networks, as well as sites and facilities
![Page 10: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/10.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ – Network Architecture
11/11/13 10
Dedicated Systems for
Data Transfer
Network Architecture
Performance Testing &
Measurement
Data Transfer Node • High performance • Configured specifically
for data transfer • Proper tools
Science DMZ • Dedicated location for
Data Transfer Node • Appropriate security • Easy to deploy - no
need to redesign the whole network
perfSONAR • Enables fault isolation • Verify correct operation • Widely deployed in
ESnet and other networks, as well as sites and facilities
![Page 11: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/11.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ Design Pattern (Abstract)
11/7/13 11
10GE
10GE
10GE
10GE
10G
Border Router
WAN
Science DMZSwitch/Router
Enterprise Border Router/Firewall
Site / CampusLAN
High performanceData Transfer Node
with high-speed storage
Per-service security policy control points
Clean, High-bandwidth
WAN path
Site / Campus access to Science
DMZ resources
perfSONAR
perfSONAR
perfSONAR
![Page 12: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/12.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Local And Wide Area Data Flows
11/11/13 12
10GE
10GE
10GE
10GE
10G
Border Router
WAN
Science DMZSwitch/Router
Enterprise Border Router/Firewall
Site / CampusLAN
High performanceData Transfer Node
with high-speed storage
Per-service security policy control points
Clean, High-bandwidth
WAN path
Site / Campus access to Science
DMZ resources
perfSONAR
perfSONAR
High Latency WAN Path
Low Latency LAN Path
perfSONAR
![Page 13: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/13.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Supercomputer Center Deployment
High-performance networking is assumed in this environment • Data flows between systems, between systems and storage, wide
area, etc. • Global filesystem often ties resources together − Portions of this may not run over Ethernet (e.g. IB) − Implications for Data Transfer Nodes
“Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment of tools, configuration, policy control, etc.
Office networks can look like an afterthought, but they aren’t • Deployed with appropriate security controls • Office infrastructure need not be sized for science traffic
![Page 14: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/14.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Supercomputer Center
VirtualCircuit
Routed
Border Router
WAN
Core Switch/Router
Firewall
Offices
perfSONAR
perfSONAR
perfSONAR
Supercomputer
Parallel Filesystem
Front endswitch
Data Transfer Nodes
Front endswitch
11/11/13 14
![Page 15: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/15.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Supercomputer Center Data Path
VirtualCircuit
Routed
Border Router
WAN
Core Switch/Router
Firewall
Offices
perfSONAR
perfSONAR
perfSONAR
Supercomputer
Parallel Filesystem
Front endswitch
Data Transfer Nodes
Front endswitch
High Latency WAN Path
Low Latency LAN Path
High Latency VC Path
11/11/13 15
![Page 16: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/16.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Major Data Site Deployment
In some cases, large scale data service is the major driver • Huge volumes of data – ingest, export • Big infrastructure investment
Single-pipe deployments don’t work • Everything is parallel − Networks (Nx10G LAGs, soon to be Nx100G) − Hosts – data transfer clusters, sets of DTNs − WAN connections – multiple entry, redundant equipment
• Any choke point (e.g. firewall) causes problems
![Page 17: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/17.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Data Site – Architecture
11/11/13 17
VCVirtualCircuit
BorderRoutersWAN HA
Firewalls
Site/CampusLAN
perfSONAR
perfSONAR
perfSONAR
Data ServiceSwitch Plane
Provider EdgeRouters
VirtualCircuit
VC
Data Transfer Cluster
![Page 18: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/18.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Data Site – Data Path
11/11/13 18
VCVirtualCircuit
BorderRoutersWAN HA
Firewalls
Site/CampusLAN
perfSONAR
perfSONAR
perfSONAR
Data ServiceSwitch Plane
Provider EdgeRouters
VirtualCircuit
VC
Data Transfer Cluster
![Page 19: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/19.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Common Threads
Two common threads exist in all these examples Accommodation of TCP
• Wide area portion of data transfers traverses purpose-built path • High performance devices that don’t drop packets
Ability to test and verify • When problems arise (and they always will), they can be solved if
the infrastructure is built correctly • Small device count makes it easier to find issues • Multiple test and measurement hosts provide multiple views of the
data path − perfSONAR nodes at the site and in the WAN − perfSONAR nodes at the remote site
11/11/13 19
![Page 20: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/20.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ – Test and Measurement
11/12/13 20
Dedicated Systems for
Data Transfer
Network Architecture
Performance Testing &
Measurement
Data Transfer Node • High performance • Configured for data
transfer • Proper tools
perfSONAR • Enables fault isolation • Verify correct operation • Widely deployed in
ESnet and other networks, as well as sites and facilities
Science DMZ • Dedicated location for DTN • Proper security • Easy to deploy - no need to
redesign the whole network • Additional info:
http://fasterdata.es.net/
![Page 21: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/21.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Performance Monitoring
The wide area network, the Science DMZ, and all its systems may be functioning perfectly
Eventually something is going to break • Networks and systems are complex • Bugs, mistakes, … • Sometimes things just break – this is why we buy
support contracts
Must be able to find and fix problems when they occur
11/12/13 21
![Page 22: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/22.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Soft Network Failures – Hidden Problems
“Soft failures” result in degraded capability • Connectivity exists • Performance impacted • Typically something in the path is functioning, but not well
Hard failures are easy to detect • Link down, server down, software crash • Traditional network/system monitoring tools designed to quickly find
hard failures
Soft failures are hard to detect with traditional methods • No link down event • Sometimes no error counters
Independent testing is the only way to reliably find soft failures
1/29/12 22
![Page 23: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/23.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Sample Results: Finding/Fixing soft failures
Rebooted router that was process switching after route table overload
Gradual failure of optical line card
1/29/12 23
![Page 24: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/24.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Testing Infrastructure – perfSONAR
perfSONAR is: • A widely-deployed test and measurement infrastructure − ESnet, Internet2, US regional networks, international networks − Laboratories, supercomputer centers, universities
• A suite of test and measurement tools • A collaboration that builds and maintains the toolkit
By installing perfSONAR, a site can leverage over 900 test servers deployed around the world
perfSONAR is ideal for finding soft failures • Alert to existence of problems • Fault isolation • Verification of correct operation
11/12/13 24
![Page 25: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/25.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ – Data Transfer Systems
11/12/13 25
Dedicated Systems for
Data Transfer
Network Architecture
Performance Testing &
Measurement
Data Transfer Node • High performance • Configured for data
transfer • Proper tools
perfSONAR • Enables fault isolation • Verify correct operation • Widely deployed in
ESnet and other networks, as well as sites and facilities
Science DMZ • Dedicated location for DTN • Proper security • Easy to deploy - no need to
redesign the whole network • Additional info:
http://fasterdata.es.net/
![Page 26: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/26.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Dedicated Systems – The Data Transfer Node
The DTN is dedicated to data transfer
Set up specifically for high-performance data movement • System internals (BIOS, firmware, interrupts, etc.) • Network stack • Storage (global filesystem, Fibrechannel, local RAID, etc.) • Tools
Limitation of scope and function is actually powerful • No conflicts with configuration for other tasks • Small application set makes cybersecurity easier
11/12/13 26
![Page 27: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/27.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Data Transfer Tools For DTNs
Parallelism is key • It is much easier to achieve a given performance level with four
parallel connections than one connection • Several tools offer parallel transfers, including GridFTP/Globus
Online
Latency interaction is critical • Wide area data transfers have much higher latency than LAN
transfers • Many tools and protocols assume a LAN • Examples: SCP/SFTP, HPSS mover protocol
Workflow integration is important
1/29/12 27
![Page 28: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/28.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Science DMZ Security
Goal – disentangle security policy and enforcement for science flows from security for business systems
Rationale • Science data traffic is simple from a security perspective • Narrow application set on Science DMZ − Data transfer, data streaming packages − No printers, document readers, web browsers, building control
systems, financial databases, staff desktops, etc. • Security controls that are typically implemented to protect
business resources often cause performance problems
Separation allows each to be optimized 11/12/13 28
![Page 29: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/29.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Performance Is A Core Requirement
Core information security principles • Confidentiality, Integrity, Availability (CIA) • Often, CIA and risk mitigation result in compromised performance
In data-intensive science, performance is an additional core mission requirement
• CIA principles are important, but if the performance isn’t there the science mission fails
• Not about “how much” security you have, but how the security is implemented
• Must be able to appropriately secure systems in a way that does not compromise performance or limit advanced services
![Page 30: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/30.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Placement Outside the Firewall
The Science DMZ resources are placed outside the enterprise firewall for performance reasons
• The meaning of this is specific – Science DMZ traffic does not traverse the firewall data plane
• This has nothing to do with whether packet filtering is part of the security enforcement toolkit
Lots of heartburn over this, especially from the perspective of a conventional firewall manager
• Lots of organizational policy directives mandating firewalls • Firewalls are designed to protect converged enterprise networks • Why would you put critical assets outside the firewall???
The answer is that firewalls are typically a poor fit for high-performance science applications
11/12/13 30
![Page 31: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/31.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Security Without Firewalls
Data intensive science traffic interacts poorly with firewalls Does this mean we ignore security? NO!
• We must protect our systems • Just do security without preventing science
Key point – security policies and mechanisms that protect the Science DMZ should be implemented so that they do not compromise performance
Example – firewall rules for science traffic use address/port • Implement that filtering on a high-performance router • Science wins – increased performance • Business network wins – no need to size the firewall for
science data deluge
11/12/13 31
![Page 32: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/32.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Futures
The Science DMZ design pattern is highly adaptable to new technologies
• Software Defined Networking (SDN) • Non-IP protocols (RDMA over Ethernet)
Deploying new technologies in a Science DMZ is straightforward • The basic elements are the same − Capable infrastructure designed for the task − Test and measurement to verify correct operation − Security policy well-matched to the environment, application set
strictly limited to reduce risk • Change footprint is small – often just a single router or switch • The rest of the infrastructure need not change
11/12/13 32
![Page 33: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/33.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Wrapup
The Science DMZ design pattern provides a flexible model for supporting high-performance data transfers and workflows
Key elements: • Accommodation of TCP − Sufficient bandwidth to avoid congestion − Loss-free IP service
• Location – near the site perimeter if possible • Test and measurement • Dedicated systems • Appropriate security
Support for advanced capabilities (e.g. SDN) is much easier with a Science DMZ
10/31/13 33
![Page 34: The Science DMZ - TERENA · 2013-11-13 · “Science DMZ” may not look discrete • Most of the network is in the Science DMZ • This is as it should be • Appropriate deployment](https://reader035.fdocuments.net/reader035/viewer/2022070723/5f0209907e708231d40243d5/html5/thumbnails/34.jpg)
Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science
Links
• ESnet fasterdata knowledge base − http://fasterdata.es.net/
• Science DMZ paper − http://www.es.net/assets/pubs_presos/sc13sciDMZ-final.pdf
• Science DMZ email list − https://gab.es.net/mailman/listinfo/sciencedmz
• perfSONAR − http://fasterdata.es.net/performance-testing/perfsonar/ − http://www.perfsonar.net/
• Additional material − http://fasterdata.es.net/science-dmz/ − http://fasterdata.es.net/host-tuning/
11/12/13 34