Embed Size (px)
DESCRIPTION
Metro-ring in the Copenhagen Area National and International connections Risø RUC IHK KVL-T Hørs. ØRESTAD LYNGBY Panum KUA 7 km 2,75 dB 12 km 4 dB 3 km 1,75 dB 12 km 4 dB 23 km 6,75 dB 15 km 4,75 dB 6 km 2,5 dB 16 km 5 dB 6 km 2,5 dB 28 km 8 dB
Citation preview
Connecting hospitals to the NRENThe Danish case story
Copenhagen, 15th September 2009
Martin BechDeputy Director, UNI•[email protected]
Optical network
• Backbone in production from the middle of 2009
• Access connections are continuously upgraded to optical networking
Metro-ring in the Copenhagen Area
National and International connections
Risø
RUC
IHK
KVL-T
Hørs. ØRESTAD
LYNGBY
Panum
KUA7 km2,75 dB
12 km4 dB
3 km1,75 dB
12 km4 dB
23 km6,75 dB
15 km4,75 dB
6 km2,5 dB
16 km5 dB
6 km2,5 dB
28 km8 dB
Lightpaths for production IPAAU-2
LYNGBY
ØRESTAD
AAU-1
AU-2
AU-1
SDU-2
SDU-1 10GE8 x 1GE
Physical fibre
Moving towards supplying multiple network connections everywhere
At every location we now offer:• Internet production IP service (as always)• Infinite traffic and bandwidth…• A connection type appropriate to the need• Multiple dedicated network connections for “intranet”
and “lambda” use• Segregation between the networks are realized by
means of a combination of lightpaths, MPLS and even VLANs
University of Aarhus: 23 locations
…and the other universities are not much better
This means a lot of lightpaths…
Special services for special user groups• Network for everyoneBut on top of that, many of us are involved in serving the
needs of special user groups:• Supercomputing facilities• GRID clusters• Facilities for radio astronomy• Video and telephony• Content portals, databases etc.
But what about services for health research and health care?
Why is health research and health care different from our other users?• Not just a few large facilities, but also • huge numbers of smaller entities/departments• Huge numbers of scanners, databases and other
facilities• They all need their own separate private connections• Users are very aware of security constraints, but totally
unaware of the services and equipment that implement these constraints
• Many ad hoc projects and connections
Communicating across organizational boundaries
LAN
FW
External network
LAN
FW
LANFW
The challenge
Lab A
User A
Lab B
FW A FW B
External Network
Firewall rules (A)
------------------------
User A may accessService B-----------------------
Firewall rules (B)
------------------------
Service B may be accessed by User A
----------------------- Service B
Setup of a new connection
Lab A
User A
Lab B
FW A FW B
External Network
Firewall rules (A)
------------------------
User A may accessService B-----------------------
Firewall rules (B)
------------------------
Service B may be accessed by User A
----------------------- Service B
Expiry of a connection
Lab A
User A
Lab B
FW A FW B
External Network
Firewall rules (A)
------------------------
User A may accessService B-----------------------
Firewall rules (B)
------------------------
Service B may be accessed by User A
----------------------- Service B
??
Manual administration
• No problem for a single example such as this, except that the set-up of each connection typically takes a day
• But, if a research project with 20 partners are sharing just 10 common services, the total number of rules are 1.900
• Most firewall administrators can’t say who is responsible for every rule
Therefore: We need a system to keep track of all these connections
The Connection agreement system• All groups of users and all services are put into
the system by the users• User A finds Service B in a large directory• User A enters a request for a connection to
system B• Both User A and the administrator of Service B
accepts the connection in the system• The system generates rules which the fírewall
administrators put into their firewalls
Using the Connection Agreement System
Lab A
User A
Lab B
FW A FW B
Firewall rules (A)
------------------------
User A may accessService B-----------------------
Firewall rules (B)
------------------------
Service B may be accessed by User A
----------------------- Service B
Connection Agreement System
VPNgateway
The connection agreement system• Everybody can find the services they need – and
each other• Eliminates the need for administering a huge
number of VPN tunnels• Establishes documentation of who ordered what
connection and how long it is supposed to exist• Simplifies security administration• A simple and inexpensive solution to a problem
that is common to most researchers sharing resources
The technology works:In production since 2003!
• The nation-wide Danish Health Data Network is based on the Connection Agreement System
• The swedish health network, Sjunet, has also decided to use the Connection Agreement System
• Several other countries and regions are considering implementing the Connection Agreement System
Number of connections registered
Traffic volumes in the Danish Health Data network
Kbytes pr. month
NRENs provide a lot of services…Universities and research institutions
Hospitals
Basic Internet connectivity Yes YesVideo conferencing YesCollaboration tools YesLambda networking YesIPv6 Yes (but no use)
Roaming services YesCERT and security YesGRID and Scientific Computing
Yes
Media Libraries Yes
The Health Data Network provides:Hospitals
Basic Internet connectivity NoVideo conferencing YesCollaboration tools YesLambda networking Not yetIPv6 If neededRoaming services YesCERT and security YesGRID and Scientific Computing
Yes
Media Libraries Yes
Can we generalize this approach?
Mega-science has it all:• Separate λ-connections • Dedicated GRID-clusters• Services hardened to tolerate being directly on
the internet
What do researchers with more modest budgets do?
Connecting two research resourcesLab A Lab B
Analysisequipment Scanner
No connection
Connecting two research resourcesLab A Lab B
Analysisequipment
Scanner
Too expensive and unflexible
Connecting two research resourcesLab A Lab B
Analysisequipment Scanner
Not safe: Equipment will be hacked and connection is not secure
Connecting two research resourcesLab A Lab B
Analysisequipment Scanner
Using firewalls: Works, but unflexible and time-consuming to set up each time
FW FW
Connecting two research resourcesLab A Lab B
Analysisequipment Scanner
Using the Connection Agreement System: Flexibility by user configuration
FW FW
ConnectionAgreement System
Have we now solved all problems?YES – Once connected, new connections are operational
almost immediatelyYES – We can now manage the increased complexity of the
explosion of many types of connections between organizations
YES – A light-weight alternative to dedicated lambda connections (no cost, immediate set-up)
YES – Local security administrators can let their users do the administration and documentation of their security components
NO – Network interoperability does not guarantee working interoperability of services
NO – The present system does not offer any means for identity management of users (yet…)
The health sector
• Ought to be an integral part of every NREN community• They do research, education and an every-day production• Security constraints on the network usage• Their bandwidth needs are growing rapidly• Today, they are no different from our traditional community
Do we want to focus on the needs of the health sector?
Why do many NREN not have a health sector strategy?
