360 likes | 372 Views
Learn about the implementation of the Connection Agreement System in the Danish Health Data Network, how it simplifies security administration and enables efficient communication across organizational boundaries.
E N D
Connecting hospitals to the NRENThe Danish case story Copenhagen, 15th September 2009 Martin BechDeputy Director, UNI•C martin.bech@uni-c.dk
Optical network • Backbone in production from the middle of 2009 • Access connections are continuously upgraded to optical networking
Metro-ring in the Copenhagen Area LYNGBY IHK 15 km 4,75 dB 16 km 5 dB 28 km 8 dB Panum 12 km 4 dB Risø National and International connections 6 km 2,5 dB KVL-T 7 km 2,75 dB KUA 3 km 1,75 dB 6 km 2,5 dB ØRESTAD RUC Hørs. 12 km 4 dB 23 km 6,75 dB
Lightpaths for production IP AAU - 2 AAU - 1 LYNGBY AU - 2 AU - 1 ØRESTAD 8 x 1GE SDU - 2 10GE SDU - 1 Physical fibre
Moving towards supplying multiple network connections everywhere At every location we now offer: • Internet production IP service (as always) • Infinite traffic and bandwidth… • A connection type appropriate to the need • Multiple dedicated network connections for “intranet” and “lambda” use • Segregation between the networks are realized by means of a combination of lightpaths, MPLS and even VLANs
University of Aarhus: 23 locations…and the other universities are not much betterThis means a lot of lightpaths…
Special services for special user groups • Network for everyone But on top of that, many of us are involved in serving the needs of special user groups: • Supercomputing facilities • GRID clusters • Facilities for radio astronomy • Video and telephony • Content portals, databases etc. But what about services for health research and health care?
Why is health research and health care different from our other users? • Not just a few large facilities, but also • huge numbers of smaller entities/departments • Huge numbers of scanners, databases and other facilities • They all need their own separate private connections • Users are very aware of security constraints, but totally unaware of the services and equipment that implement these constraints • Many ad hoc projects and connections
Communicating across organizational boundaries LAN LAN FW FW External network FW LAN
The challenge External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- User A Service B
Setup of a new connection External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- User A Service B
Expiry of a connection External Network FW A FW B Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- ? ? User A Service B
Manual administration • No problem for a single example such as this, except that the set-up of each connection typically takes a day • But, if a research project with 20 partners are sharing just 10 common services, the total number of rules are 1.900 • Most firewall administrators can’t say who is responsible for every rule Therefore: We need a system to keep track of all these connections
The Connection agreement system • All groups of users and all services are put into the system by the users • User A finds Service B in a large directory • User A enters a request for a connection to system B • Both User A and the administrator of Service B accepts the connection in the system • The system generates rules which the fírewall administrators put into their firewalls
Using the Connection Agreement System Connection Agreement System FW B FW A VPNgateway Lab B Lab A Firewall rules (B) ------------ ------------ Service B may be accessed by User A ------------ ----------- Firewall rules (A) ------------ ------------ User A may access Service B ------------ ----------- Service B User A
The connection agreement system • Everybody can find the services they need – and each other • Eliminates the need for administering a huge number of VPN tunnels • Establishes documentation of who ordered what connection and how long it is supposed to exist • Simplifies security administration • A simple and inexpensive solution to a problem that is common to most researchers sharing resources
The technology works:In production since 2003! • The nation-wide Danish Health Data Network is based on the Connection Agreement System • The swedish health network, Sjunet, has also decided to use the Connection Agreement System • Several other countries and regions are considering implementing the Connection Agreement System
Traffic volumes in the Danish Health Data network Kbytes pr. month
Can we generalize this approach? Mega-science has it all: • Separate λ-connections • Dedicated GRID-clusters • Services hardened to tolerate being directly on the internet
Connecting two research resources Lab B Lab A Analysisequipment Scanner No connection
Connecting two research resources Lab B Lab A Scanner Analysisequipment Too expensive and unflexible
Connecting two research resources Lab B Lab A Analysisequipment Scanner Not safe: Equipment will be hacked and connection is not secure
Connecting two research resources Lab B Lab A Analysisequipment Scanner FW FW Using firewalls: Works, but unflexible and time-consuming to set up each time
Connecting two research resources Lab B Lab A ConnectionAgreement System Analysisequipment Scanner FW FW Using the Connection Agreement System: Flexibility by user configuration
Have we now solved all problems? YES – Once connected, new connections are operational almost immediately YES – We can now manage the increased complexity of the explosion of many types of connections between organizations YES – A light-weight alternative to dedicated lambda connections (no cost, immediate set-up) YES – Local security administrators can let their users do the administration and documentation of their security components NO – Network interoperability does not guarantee working interoperability of services NO – The present system does not offer any means for identity management of users (yet…)
The health sector • Ought to be an integral part of every NREN community • They do research, education and an every-day production • Security constraints on the network usage • Their bandwidth needs are growing rapidly • Today, they are no different from our traditional community Do we want to focus on the needs of the health sector? Why do many NREN not have a health sector strategy?