[ISN] Securing supercomputer networks (without disrupting 60Gbps data flows)

From: InfoSec News <alerts_at_private>
Date: Mon, 2 Jul 2012 05:02:55 -0500 (CDT)
http://arstechnica.com/security/2012/06/science-dmz/

By Dan Goodin
Ars Technica
June 26 2012

Thanks to super-charged networks like the US Department of Energy's 
ESnet and the consortium known as Internet2, scientists crunching huge 
bodies of data finally have 10Gbps pipes at the ready to zap that 
information to their peers anywhere in the world. But what happens when 
firewalls and other security devices torpedo those blazing speeds?

That's what Joe Breen, assistant director of networking at the 
University of Utah's Center for High Performance Computing, asked two 
years ago as he diagnosed the barriers he found on his organization's 
$262,500-per-year Internet2 backbone connection. The network—used to 
funnel the raw data used in astronomy, high-energy physics, and 
genomics—boasted a 10Gbps connection, enough bandwidth in theory to 
share a terabyte's worth of information in 20 minutes. But there was a 
problem: "stateful" firewalls—the security appliances administrators use 
to monitor packets entering and exiting a network and to block those 
deemed malicious—brought maximum speeds down to just 500Mbps. In fact, 
it wasn't uncommon for the network to drop all the way to 200Mbps. The 
degradation was even worse when transfers used IPv6, the next-generation 
Internet protocol.

"You're impacting work at that point," Breen remembers thinking at the 
time. "So when you're trying to transport 200 gigabytes up to a terabyte 
of data, or even several terabytes of data, you can't do it. It becomes 
faster to FedEx the science than it does to transport it over the 
network, and we'd like to see the network actually used."

With technologies developed or funded by the National Energy Research 
Scientific Computing Center, ESnet, the National Science Foundation, and 
others, the University of Utah set out to find a new security design 
that wouldn't put a crimp on bandwidth. Called "Science DMZs," the 
architecture puts the routers and storage systems used in data-intensive 
computing systems into a "demilitarized zone" that is outside the 
network firewall and beyond the reach of many of the intrusion detection 
systems (IDSes) protecting the rest of the campus network.

[...]
