1 / 36

Connecting hospitals to the NREN The Danish case story

Learn about the implementation of the Connection Agreement System in the Danish Health Data Network, how it simplifies security administration and enables efficient communication across organizational boundaries.

veazey
Download Presentation

Connecting hospitals to the NREN The Danish case story

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Connecting hospitals to the NRENThe Danish case story Copenhagen, 15th September 2009 Martin BechDeputy Director, UNI•C martin.bech@uni-c.dk

  2. Optical network • Backbone in production from the middle of 2009 • Access connections are continuously upgraded to optical networking

  3. Metro-ring in the Copenhagen Area LYNGBY IHK 15 km 4,75 dB 16 km 5 dB 28 km 8 dB Panum 12 km 4 dB Risø National and International connections 6 km 2,5 dB KVL-T 7 km 2,75 dB KUA 3 km 1,75 dB 6 km 2,5 dB ØRESTAD RUC Hørs. 12 km 4 dB 23 km 6,75 dB

  4. Lightpaths for production IP AAU - 2 AAU - 1 LYNGBY AU - 2 AU - 1 ØRESTAD 8 x 1GE SDU - 2 10GE SDU - 1 Physical fibre

  5. Moving towards supplying multiple network connections everywhere At every location we now offer: • Internet production IP service (as always) • Infinite traffic and bandwidth… • A connection type appropriate to the need • Multiple dedicated network connections for “intranet” and “lambda” use • Segregation between the networks are realized by means of a combination of lightpaths, MPLS and even VLANs

  6. University of Aarhus: 23 locations…and the other universities are not much betterThis means a lot of lightpaths…

  7. Special services for special user groups • Network for everyone But on top of that, many of us are involved in serving the needs of special user groups: • Supercomputing facilities • GRID clusters • Facilities for radio astronomy • Video and telephony • Content portals, databases etc. But what about services for health research and health care?

  8. Why is health research and health care different from our other users? • Not just a few large facilities, but also • huge numbers of smaller entities/departments • Huge numbers of scanners, databases and other facilities • They all need their own separate private connections • Users are very aware of security constraints, but totally unaware of the services and equipment that implement these constraints • Many ad hoc projects and connections

  9. Communicating across organizational boundaries LAN LAN FW FW External network FW LAN

  10. The challenge External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- User A Service B

  11. Setup of a new connection External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- User A Service B

  12. Expiry of a connection External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- ? ? User A Service B

  13. Manual administration • No problem for a single example such as this, except that the set-up of each connection typically takes a day • But, if a research project with 20 partners are sharing just 10 common services, the total number of rules are 1.900 • Most firewall administrators can’t say who is responsible for every rule Therefore: We need a system to keep track of all these connections

  14. The Connection agreement system • All groups of users and all services are put into the system by the users • User A finds Service B in a large directory • User A enters a request for a connection to system B • Both User A and the administrator of Service B accepts the connection in the system • The system generates rules which the fírewall administrators put into their firewalls

  15. Using the Connection Agreement System Connection Agreement System FW B FW A VPNgateway Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- Service B User A

  16. The connection agreement system • Everybody can find the services they need – and each other • Eliminates the need for administering a huge number of VPN tunnels • Establishes documentation of who ordered what connection and how long it is supposed to exist • Simplifies security administration • A simple and inexpensive solution to a problem that is common to most researchers sharing resources

  17. The technology works:In production since 2003! • The nation-wide Danish Health Data Network is based on the Connection Agreement System • The swedish health network, Sjunet, has also decided to use the Connection Agreement System • Several other countries and regions are considering implementing the Connection Agreement System

  18. Number of connections registered

  19. Traffic volumes in the Danish Health Data network Kbytes pr. month

  20. NRENs provide a lot of services…

  21. The Health Data Network provides:

  22. Can we generalize this approach? Mega-science has it all: • Separate λ-connections • Dedicated GRID-clusters • Services hardened to tolerate being directly on the internet

  23. What do researchers with more modest budgets do?

  24. Connecting two research resources Lab B Lab A Analysisequipment Scanner No connection

  25. Connecting two research resources Lab B Lab A Scanner Analysisequipment Too expensive and unflexible

  26. Connecting two research resources Lab B Lab A Analysisequipment Scanner Not safe: Equipment will be hacked and connection is not secure

  27. Connecting two research resources Lab B Lab A Analysisequipment Scanner FW FW Using firewalls: Works, but unflexible and time-consuming to set up each time

  28. Connecting two research resources Lab B Lab A ConnectionAgreement System Analysisequipment Scanner FW FW Using the Connection Agreement System: Flexibility by user configuration

  29. Have we now solved all problems? YES – Once connected, new connections are operational almost immediately YES – We can now manage the increased complexity of the explosion of many types of connections between organizations YES – A light-weight alternative to dedicated lambda connections (no cost, immediate set-up) YES – Local security administrators can let their users do the administration and documentation of their security components NO – Network interoperability does not guarantee working interoperability of services NO – The present system does not offer any means for identity management of users (yet…)

  30. The health sector • Ought to be an integral part of every NREN community • They do research, education and an every-day production • Security constraints on the network usage • Their bandwidth needs are growing rapidly • Today, they are no different from our traditional community Do we want to focus on the needs of the health sector? Why do many NREN not have a health sector strategy?

More Related