http://arstechnica.com/security/2012/06/science-dmz/
By Dan Goodin
Ars Technica
June 26 2012
Thanks to super-charged networks like the US Department of Energy's
ESnet and the consortium known as Internet2, scientists crunching huge
bodies of data finally have 10Gbps pipes at the ready to zap that
information to their peers anywhere in the world. But what happens when
firewalls and other security devices torpedo those blazing speeds?
That's what Joe Breen, assistant director of networking at the
University of Utah's Center for High Performance Computing, asked two
years ago as he diagnosed the barriers he found on his organization's
$262,500-per-year Internet2 backbone connection. The network—used to
funnel the raw data used in astronomy, high-energy physics, and
genomics—boasted a 10Gbps connection, enough bandwidth in theory to
share a terabyte's worth of information in 20 minutes. But there was a
problem: "stateful" firewalls—the security appliances administrators use
to monitor packets entering and exiting a network and to block those
deemed malicious—brought maximum speeds down to just 500Mbps. In fact,
it wasn't uncommon for the network to drop all the way to 200Mbps. The
degradation was even worse when transfers used IPv6, the next-generation
Internet protocol.
"You're impacting work at that point," Breen remembers thinking at the
time. "So when you're trying to transport 200 gigabytes up to a terabyte
of data, or even several terabytes of data, you can't do it. It becomes
faster to FedEx the science than it does to transport it over the
network, and we'd like to see the network actually used."
With technologies developed or funded by the National Energy Research
Scientific Computing Center, ESnet, the National Science Foundation, and
others, the University of Utah set out to find a new security design
that wouldn't put a crimp on bandwidth. Called "Science DMZs," the
architecture puts the routers and storage systems used in data-intensive
computing systems into a "demilitarized zone" that is outside the
network firewall and beyond the reach of many of the intrusion detection
systems (IDSes) protecting the rest of the campus network.
[...]