Information Security News mailing list archives

Securing supercomputer networks (without disrupting 60Gbps data flows)


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 2 Jul 2012 05:02:55 -0500 (CDT)

http://arstechnica.com/security/2012/06/science-dmz/

By Dan Goodin
Ars Technica
June 26 2012

Thanks to super-charged networks like the US Department of Energy's ESnet and the consortium known as Internet2, scientists crunching huge bodies of data finally have 10Gbps pipes at the ready to zap that information to their peers anywhere in the world. But what happens when firewalls and other security devices torpedo those blazing speeds?

That's what Joe Breen, assistant director of networking at the University of Utah's Center for High Performance Computing, asked two years ago as he diagnosed the barriers he found on his organization's $262,500-per-year Internet2 backbone connection. The network—used to funnel the raw data used in astronomy, high-energy physics, and genomics—boasted a 10Gbps connection, enough bandwidth in theory to share a terabyte's worth of information in 20 minutes. But there was a problem: "stateful" firewalls—the security appliances administrators use to monitor packets entering and exiting a network and to block those deemed malicious—brought maximum speeds down to just 500Mbps. In fact, it wasn't uncommon for the network to drop all the way to 200Mbps. The degradation was even worse when transfers used IPv6, the next-generation Internet protocol.

"You're impacting work at that point," Breen remembers thinking at the time. "So when you're trying to transport 200 gigabytes up to a terabyte of data, or even several terabytes of data, you can't do it. It becomes faster to FedEx the science than it does to transport it over the network, and we'd like to see the network actually used."

With technologies developed or funded by the National Energy Research Scientific Computing Center, ESnet, the National Science Foundation, and others, the University of Utah set out to find a new security design that wouldn't put a crimp on bandwidth. Called "Science DMZs," the architecture puts the routers and storage systems used in data-intensive computing systems into a "demilitarized zone" that is outside the network firewall and beyond the reach of many of the intrusion detection systems (IDSes) protecting the rest of the campus network.

[...]
