The Medical Science DMZ
Bill Barnett, Indiana University School of Medicine and Regenstrief Institute, with Eli Dart and Sean Peisert, ESnet
Richard Biever, Duke University
What is a Science DMZ?
The term Science DMZ refers to "...a portion of the network, built at or near the campus or laboratory's local network perimeter that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or 'enterprise' computing." https://fasterdata.es.net/science-dmz/, accessed June 8, 2016
Why do we care about them in Health Care?
• Precision Medicine is Genomic Medicine, with huge genome data repositories
  o The 1,000 Genomes Project: 200 Terabytes
  o The Cancer Genome Atlas (TCGA): 2.5 Petabytes
• Cost of sequencing is dropping
• Sequencers are popping up all over
• Projects are at 100,000 patients
• PMI is targeting 1M patients
The data have to get to the cloud somehow!
There is already Network Capacity Out There
• The Internet2 backbone runs at 100 Gigabits/second
• It delivers high-bandwidth data transport to programs in:
  • High Energy Physics (LHC)
  • Astronomy (SDSS)
  • Gravitational Waves (LIGO)
• It is managed as a single network for better performance and security
The Medical Science DMZ
A 'Medical Science DMZ' is "a method or approach that allows data flows at scale while simultaneously addressing the HIPAA Security Rule and related regulations governing biomedical data."
S. Peisert, W. K. Barnett, E. Dart, J. Cuff, R. L. Grossman, E. Balas, A. Berman, A. Shankar, and B. Tierney, "The Medical Science DMZ," Journal of the American Medical Informatics Association (JAMIA), May 2, 2016.
Science DMZ Design Pattern
[Diagram: Science DMZ design pattern. Components: Border Router (10G to the WAN, 10GE links downstream), Science DMZ Switch/Router with per-service security policy control points, Enterprise Border Router/Firewall, Site/Campus LAN, and a high-performance Data Transfer Node with high-speed storage; perfSONAR measurement nodes at three points. Labelled paths: clean, high-bandwidth WAN path; Site/Campus access to Science DMZ resources.]
Eli Dart, Lauren Rotman, Brian Tierney, Mary Hester, and Jason Zurawski, "The Science DMZ: A Network Design Pattern for Data-Intensive Science," Proceedings of the IEEE/ACM Annual SuperComputing Conference (SC13), Denver CO, 2013.
Security Model for a Medical Science DMZ
• Router acts as a non-stateful packet-filter firewall
• Router manages a list of trusted DTNs
• Flows approved by source and destination IP, time, protocol, and application
• Permissions purged when the flow is complete
• IDS (e.g., Bro) monitors for policy infractions and hostile activity
• perfSONAR for performance
[Diagram: the same Science DMZ design pattern (Border Router with 10G WAN link and 10GE links, Science DMZ Switch/Router with per-service security policy control points, Enterprise Border Router/Firewall, Site/Campus LAN, Data Transfer Node with high-speed storage, perfSONAR nodes), here annotated with the High Latency WAN Path and the Low Latency LAN Path.]
Source: Dart, Rotman, Tierney, Hester, and Zurawski, "The Science DMZ: A Network Design Pattern for Data-Intensive Science," SC13, 2013.
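The security model on the slide is easy to state and easy to get subtly wrong, because the router is a non-stateful packet filter: there is no connection tracking, so the return direction of every approved transfer must be permitted explicitly, and anything not approved must be dropped. The following is an added example, not code from the slides or from ESnet, that models that policy: a trusted-DTN list, flow approvals keyed on source and destination IP, protocol, application port and a time window, per-packet default-deny evaluation, and purging of permissions once the window closes. Class, method and field names, the sample addresses, and the Cisco-style extended-ACL rendering are assumptions made for this example.

```python
"""Stateless flow-permission model for a Science DMZ border router.

Added example (not the slides' or ESnet's code). The router keeps a list of
trusted DTNs; each approved transfer yields two time-bounded permissions, one
per direction, because a non-stateful filter cannot infer the return path.
Names and the ACL syntax are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class FlowPermission:
    src: object            # ipaddress address object
    dst: object
    proto: str             # "tcp" or "udp"
    sport: Optional[int]   # None means any source port
    dport: Optional[int]   # None means any destination port
    not_before: datetime
    not_after: datetime    # exclusive end of the approved window

    def matches(self, src, dst, proto, sport, dport, now):
        """Exact match on addresses/protocol inside the window; None ports are wildcards."""
        return (ip_address(src) == self.src and ip_address(dst) == self.dst
                and proto == self.proto
                and (self.sport is None or sport == self.sport)
                and (self.dport is None or dport == self.dport)
                and self.not_before <= now < self.not_after)

    def acl_line(self):
        """Render as one Cisco-style extended ACL entry (format assumed for illustration)."""
        s = f"host {self.src}" + (f" eq {self.sport}" if self.sport is not None else "")
        d = f"host {self.dst}" + (f" eq {self.dport}" if self.dport is not None else "")
        return f"permit {self.proto} {s} {d}"


class ScienceDmzFilter:
    """Default-deny stateless filter with a trusted-DTN list and expiring permissions."""

    def __init__(self, trusted_dtns):
        self.trusted = {ip_address(a) for a in trusted_dtns}
        self.permissions: List[FlowPermission] = []

    def approve_transfer(self, src, dst, proto, dport, start, duration):
        """Permit one transfer for `duration`: the forward direction to dport and the
        return direction from dport. At least one endpoint must be a trusted DTN."""
        s, d = ip_address(src), ip_address(dst)
        if s not in self.trusted and d not in self.trusted:
            raise PermissionError(f"neither {s} nor {d} is a trusted DTN")
        end = start + duration
        fwd = FlowPermission(s, d, proto, None, dport, start, end)
        rev = FlowPermission(d, s, proto, dport, None, start, end)
        self.permissions += [fwd, rev]
        return fwd, rev

    def allowed(self, src, dst, proto, sport, dport, now):
        """Per-packet decision: allowed only if some live permission matches."""
        return any(p.matches(src, dst, proto, sport, dport, now) for p in self.permissions)

    def purge_expired(self, now):
        """Drop permissions whose window has closed; returns how many were removed."""
        live = [p for p in self.permissions if now < p.not_after]
        removed = len(self.permissions) - len(live)
        self.permissions = live
        return removed

    def render_acl(self):
        """Render live permissions as a stateless ACL that ends in an explicit deny."""
        return [p.acl_line() for p in self.permissions] + ["deny ip any any"]


if __name__ == "__main__":
    # Constructed sample: one trusted DTN and a two-hour window for a transfer
    # to TCP port 2811 (the GridFTP control channel) on a remote collaborator.
    f = ScienceDmzFilter(["192.0.2.10"])
    t0 = datetime(2016, 6, 8, 12, 0)
    f.approve_transfer("192.0.2.10", "198.51.100.20", "tcp", 2811, t0, timedelta(hours=2))
    for line in f.render_acl():
        print(line)
    print("purged:", f.purge_expired(t0 + timedelta(hours=3)))
```

Note what the model does not cover: a data-channel protocol such as GridFTP negotiates extra ephemeral ports, so in practice the approval would carry a port range rather than a single port, and the time window should be shorter than the transfer's SLA so that a stale permission does not outlive the job it was granted for.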
Enter Software Defined Networking (SDN)
[Diagram: two Building Production Networks, each behind a Network Transition/Firewall, joined through SDN Switches to an SDN Hub; Server A, Server B and Storage hang off the switches, and an SDN Controller programs the switches.]
Traditional network switches:
• control functions in local firmware
• packet forwarding rules encoded in local config
• proprietary
SDN switches:
• control functions decoupled from packet forwarding
• controller can view the network "as a whole"
• open standards based (OpenFlow)
Why Implement an SDN architecture?
• Traditional networks can inhibit transfers:
  • firewalls
  • intrusion prevention systems
  • backups/data transfers
  • Netflix/Twitch.tv
• SDN is designed for automated configuration
• Self-service configurable bypass network
• Researchers may need access to national backbones via the Science DMZ (e.g., Open Science Grid)
SDN at Duke
• Improve performance
• Network transition points
• Secure the infrastructure
• Controller interface
Goal: How do we more efficiently move large data sets around the network?
Focused on the network transition bottlenecks rather than traffic in the data center.
• architecture & design
• secure the control plane
• authorization for routes
• testing for vulnerabilities
[Diagram: control plane and data plane. A user requests network configuration changes; Switchboard handles authorization/approvals and issues REST configuration commands to the SDN Controller (Ryu REST router); the controller programs the SDN Switches in the data plane.]
Controlling the Network
Switchboard (Controlling the Controller)
• Simplifies SDN controller/switch configuration and tracks changes
• who is authorized to enable a bypass/link
• status of requests
• update SDN controller based on approved requests
• rollback/restore SDN controller state
• audit log of state of network configuration
SDN to Science DMZ
SDN has the ability to flexibly apply policy to network traffic
Well suited for managing data flows to/from a Science DMZ
Similar security challenges
What's an approach to getting started?
• the ability to control or monitor how routes are created
• the ability to control what nodes are added
• the ability to audit routes and traffic flows
• the ability to detect when something malicious enters or exits the network (can be done via SDN flows sent to an IDS)
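The Switchboard slide and the "getting started" list above describe the same control loop: a request to open a bypass, an authorization decision by someone other than the requester, a push of the approved change to the SDN controller, an audit trail, and the ability to roll the controller back. The following is an added example, not Duke's Switchboard code, that models that loop in memory. The flow entries it produces are shaped like the JSON body of Ryu's ofctl_rest `POST /stats/flowentry/add` call (an assumption about the target API; nothing is sent over the network here), and each entry carries a second OUTPUT action toward the IDS port, which is how "SDN flows sent to an IDS" gives the detection the list asks for. Class names, role names, port numbers and addresses are this example's own assumptions.

```python
"""Switchboard-style authorization, audit and rollback in front of an SDN controller.

Added example, not Duke's Switchboard code. Flow entry bodies follow the shape
of Ryu ofctl_rest "POST /stats/flowentry/add" (assumed); they are returned,
not transmitted. Role and port names are assumptions for illustration.
"""
import copy
from datetime import datetime, timezone


class Switchboard:
    def __init__(self, approvers, dpid, ids_port):
        self.approvers = set(approvers)     # who may enable a bypass/link
        self.dpid = dpid                    # datapath id of the bypass switch
        self.ids_port = ids_port            # switch port facing the Bro sensor
        self.requests = {}                  # request id -> request record
        self.controller_state = []          # flow entries believed to be installed
        self.history = []                   # snapshots for rollback/restore
        self.audit = []                     # audit log of every state change
        self._next_id = 1

    def _log(self, actor, action, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, **detail})

    def request_bypass(self, user, src, dst, port_a, port_b):
        """A user asks for src<->dst traffic to bypass the firewall between port_a and port_b."""
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = {"id": rid, "user": user, "src": src, "dst": dst,
                              "port_a": port_a, "port_b": port_b, "status": "pending"}
        self._log(user, "request", request_id=rid, src=src, dst=dst)
        return rid

    def approve(self, approver, rid):
        """Only listed approvers may approve, and nobody approves their own request."""
        req = self.requests[rid]
        if approver not in self.approvers or approver == req["user"]:
            self._log(approver, "deny", request_id=rid)
            raise PermissionError(f"{approver} may not approve request {rid}")
        req["status"] = "approved"
        self._log(approver, "approve", request_id=rid)

    def flow_entries(self, req):
        """Two entries (one per direction): forward to the bypass port, plus a copy to the IDS."""
        entries = []
        for s, d, pin, pout in ((req["src"], req["dst"], req["port_a"], req["port_b"]),
                                (req["dst"], req["src"], req["port_b"], req["port_a"])):
            entries.append({
                "dpid": self.dpid,
                "priority": 100,
                "match": {"in_port": pin, "dl_type": 0x0800, "nw_src": s, "nw_dst": d},
                "actions": [{"type": "OUTPUT", "port": pout},
                            {"type": "OUTPUT", "port": self.ids_port}],
            })
        return entries

    def apply(self, operator, rid):
        """Push an approved request to the controller; snapshot first so it can be undone."""
        req = self.requests[rid]
        if req["status"] != "approved":
            raise RuntimeError(f"request {rid} is {req['status']}, not approved")
        self.history.append(copy.deepcopy(self.controller_state))
        entries = self.flow_entries(req)
        self.controller_state.extend(entries)
        req["status"] = "applied"
        self._log(operator, "apply", request_id=rid, entries=len(entries))
        return entries      # the bodies an HTTP client would POST to the controller

    def rollback(self, operator):
        """Restore the previous controller state; returns the number of live entries."""
        if not self.history:
            raise RuntimeError("nothing to roll back")
        self.controller_state = self.history.pop()
        self._log(operator, "rollback", entries=len(self.controller_state))
        return len(self.controller_state)


if __name__ == "__main__":
    # Constructed walk-through: request, approval by a different role, push, undo.
    sb = Switchboard(approvers={"netsec"}, dpid=1, ids_port=48)
    rid = sb.request_bypass("alice", "10.1.0.5", "172.16.0.9", port_a=1, port_b=2)
    sb.approve("netsec", rid)
    for body in sb.apply("netops", rid):
        print(body)
    print("entries after rollback:", sb.rollback("netops"))
    for event in sb.audit:
        print(event["action"], event["actor"])
```

Two design points matter more than the data structures. First, the audit log records refused approvals as well as granted ones, because a denied attempt to open a firewall bypass is exactly the event a reviewer wants to see. Second, mirroring every bypassed flow to the IDS with a second OUTPUT action means the sensor must keep up with the bypass link's line rate; if it cannot, the mirror should be sampled or the match narrowed to the approved hosts, as it is here, rather than dropped.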
Architecture overview (phase 1)
[Diagram: Physics (SDN Switch) with a Physics Host and Physics Storage, attached to the SDN Hub; the Internet enters through Edge-gw1/Edge-gw2 and the Campus Core behind the IPS/FW; the SDN Bypass connects to AL2S; 10G links.]
Architecture overview (phase 2)
[Diagram: same layout (Physics Storage, Internet, Edge-gw1/Edge-gw2, Campus Core, IPS/FW, SDN Bypass). Changes in this phase: change the AL2S link to an Internet link and connect it to the Edge; connect the Internet edge to the SDN hub; add a Data Transfer Node (DTN Transfer Node 1) carrying the file sharing protocol.]
Science DMZ
[Diagram: the Science DMZ built on the SDN Hub with the Physics (SDN Switch), a Bro IDS and Switchboard; the Internet enters via Edge-gw1/Edge-gw2 and the Campus Core behind the IPS/FW.]
Science DMZ
[Diagram: Research Computing segment of the Science DMZ: Research Computing (SDN Switch) on the SDN Hub serving Research Computing UCS, Research Computing FI, OSG Storage and Duke Storage, with a Duke VM and an OSG VM; Bro IDS and Switchboard attached; AL2S uplink.]
Conclusions
• We must be able to efficiently move large data sets between internal systems/networks or between organizations.
• How do we accomplish this without sacrificing the security of sensitive data?
• An interdisciplinary effort between IT (security, network, research computing) and research teams is needed to design a solution that combines:
  • high-throughput transfers
  • detection of security issues
  • authorization for use of the network with sensitive data