The  Medical  Science  DMZ

Bill  Barne)  Indiana  University  School  of  Medicine  and  Regenstrief  Ins9tute,  with  Eli  

Dart  and  Sean  Peisert,  ESNet    

Richard  Biever  Duke  University  

 

What  is  a  Science  DMZ?

The  term  Science  DMZ  refers  to  ”…a  por9on  of  the  network,  built  at  or  near  the  campus  or  laboratory's  local  network  perimeter  that  is  designed  such  that  the  equipment,  configura9on,  and  security  policies  are  op9mized  for  high-­‐performance  scien9fic  applica9ons  rather  than  for  general-­‐purpose  business  systems  or  'enterprise'  compu9ng."    h)ps://fasterdata.es.net/science-­‐dmz/,  accessed  June  8,  2016    

Why  do  we  care  about  them  in  Health  Care? •  Precision  Medicine  is  Genomic  Medicine,  with  huge  genome  data  

repositories    o  The  1,000  Genomes  Project:  200  Terabytes  o  The  Cancer  Genome  Atlas  (TCGA):    2.5  Petabytes  

•  Cost  of  sequencing  is  dropping  •  Sequencers  are  popping  up  all  over  •  Projects  are  at  100,000  pa9ents  •  PMI  is  targe9ng  1M  pa9ents    The  Data  have  to  get  to  the  cloud    Somehow!  

There  is  already  Network  Capacity  Out  There •  The  Internet2  backbone  runs  

at  100  Gigabits/second  •  It  delivers  high  bandwidth  

data  transport  to  programs  in:  •  High  Energy  Physics  (LHC)  •  Astronomy  (SDSS)  •  Gravita9onal  Waves  

(LIGO)  •  It  is  managed  as  a  single  

network  for  be)er  performance  and  security  

The  Medical  Science  DMZ

A  'Medical  Science  DMZ'  is,  "a  method  or  approach  that  allows  data  flows  at  scale  while  simultaneously  addressing  the  HIPAA  Security  Rule  and  related  regula9ons  governing  biomedical  data.”    

S.  Peisert,  W.  K.  Barne),  E.  Dart,  J.  Cuff,  R.  L.  Grossman,  E.  Balas,  A.  Berman,  A.  Shankar,  and  B.  Tierney,  "The  Medical  Science  DMZ,"  Journal  of  the  American  Medical  Informa;cs  Associa;on  (JAMIA),  May  2,  2016.  

Science  DMZ  Design  PaCern

10GE

10GE

10GE

10GE

10G

Border Router

WAN

Science DMZSwitch/Router

Enterprise Border Router/Firewall

Site / CampusLAN

High performanceData Transfer Node

with high-speed storage

Per-service security policy control points

Clean, High-bandwidth

WAN path

Site / Campus access to Science

DMZ resources

perfSONAR

perfSONAR

perfSONAR

Eli  Dart,  Lauren  Rotman,  Brian  Tierney,  Mary  Hester,  and  Jason  Zurawski,  "The  Science  DMZ:  A  Network  Design  Pa)ern  for  Data-­‐Intensive  Science,"  Proceedings  of  the  IEEE/ACM  Annual  SuperCompu;ng  Conference  (SC13),  Denver  CO,  2013.  

Security  of  Model  For  a  Medical  Science  DMZ • Router  acts  as  non-­‐stateful  packet-­‐filter  firewall  • Router  manages  list  of  trusted  DTNs  •  Flows  approved  by  source  and  des9na9on  IP,  9me,  protocol,  and  applica9on.  • Permissions  purged  when  flow  is  complete  •  IDS  (eg.,  Bro)  monitors  for  policy  infrac9ons  and  hos9le  ac9vity  • perfSONAR  for  performance  

10GE

10GE

10GE

10GE

10G

Border Router

WAN

Science DMZSwitch/Router

Enterprise Border Router/Firewall

Site / CampusLAN

High performanceData Transfer Node

with high-speed storage

Per-service security policy control points

Clean, High-bandwidth

WAN path

Site / Campus access to Science

DMZ resources

perfSONAR

perfSONAR

High Latency WAN Path

Low Latency LAN Path

perfSONAR

Eli  Dart,  Lauren  Rotman,  Brian  Tierney,  Mary  Hester,  and  Jason  Zurawski,  "The  Science  DMZ:  A  Network  Design  Pa)ern  for  Data-­‐Intensive  Science,"  Proceedings  of  the  IEEE/ACM  Annual  SuperCompu;ng  Conference  (SC13),  Denver  CO,  2013.  

Enter  SoGware  Defined  Networking  (SDN)

Building  Produc9on  Network  

Building  Produc9on  Network  

Network  Transi9on/  Firewall  

SDN  Switch   SDN  Switch  

Server  A   Server  B  Storage  

SDN  Hub  

SDN  Controller  

Tradi&onal  network  switches:  •  control  func9ons  in  local  firmware  •  packet  forwarding  rules  encoded  in  local  config  •  proprietary  

SDN  switches:  •  control  func9ons  decoupled  from  packet  

forwarding      •  controller  can  view  network  “as  a  whole”  •  open  standards  based  (Openflow)    

Why  Implement  an  SDN  architecture? •  Tradi9onal  networks  can  inhibit  transfers:  •  firewalls  •  intrusion  preven9on  systems  •  backups/data  transfers  •  Neilix/Twitch.tv  

•  SDN  is  designed  for  automated  configura9on    •  Self-­‐service  configurable  bypass  network  • Researchers  may  need  access  to  na9onal  backbones  via  Science  DMZ  (e.g.  Open  Science  Grid)  

SDN  at  Duke

Improve  performance  

Network  transi9on  points  

Secure  the  infrastructure  

Controller  interface  

Goal:  How  do  we  more  efficiently  move  large  data  sets  around  the  network?    

Focused  on  the  network  transi,on  bo.lenecks  rather  than  traffic  in  data  center    

•  architecture  &  design  •  secure  the  control  plane  •  authoriza9on  for  routes  •  tes9ng  for  vulnerabili9es    

control  plane  

REST  configura9on  commands  

data  plane  

user  requests  network  config  changes    

authoriza9on/approvals   Switchboard  

SDN  Controller  (Ryu  REST  router)  

SDN  Switch  

SDN  Switch  

SDN  Switch  

Controlling  the  Network

Switchboard  (Controlling  the  Controller)

•  Simplifies  SDN  controller/switch  configura&on  and  tracks  changes  •  who  is  authorized  to  enable  a  bypass/link  •  status  of  requests  •  update  SDN  controller  based  on  approved  requests  •  rollback/restore  SDN  controller  state  •  audit  log  of  state  of  network  configura&on  

SDN  to  Science  DMZ

SDN  has  the  ability  to  flexibly  apply  policy  to  network  traffic  

Well-­‐suited  for  managing  data  flows  to/from  a  Science  DMZ  

Similar  security  challenges  

What’s  an  approach  to  geong  started?  

•  the  ability  to  control  or  monitor  how  routes  are  created  •  the  ability  to  control  what  nodes  are  added  •  the  ability  to  audit  routes  and  traffic  flows  •  the  ability  to  detect  when  something  malicious  enters  or  

exits  the  network  (can  be  done  via  SDN  flows  sent  to  an  IDS)  

Architecture  overview  (phase  1)

SDN  Hub  

Physics    (SDN  Switch)  

Physics    Host  

Physics  Storage  

Internet  

Edge-­‐gw1   Edge-­‐gw2  

Campus  Core  

IPS/FW  

AL2S  

SDN  Bypass  

10  GB  Links  

Architecture  overview  (phase  2)

Physics  Storage  

Internet  

Edge-­‐gw1   Edge-­‐gw2  

Campus  Core  

IPS/FW  SDN

 Bypass  

Change  AL2S  to  Internet  link  and  connect  to  Edge  

Connect  Internet  edge  to  SDN  hub  

DTN  Transfer  Node  1  

File  sharing  protocol  

Add  Data  Transfer  Node  

Science  DMZ  

SDN  Hub  

Physics    (SDN  Switch)  

Bro  IDS  

Switchboard  

Internet  

Edge-­‐gw1   Edge-­‐gw2  

Campus  Core  

IPS/FW  

Science  DMZ  

Research  Compu9ng  UCS  

OSG  Storage  

Research  Compu9ng  FI  

Duke  Storage  

Duke  VM  OSG  VM  

Research  Compu9ng  (SDN  Switch)  

Bro  IDS  

Switchboard  

SDN  Hub  

AL2S  

Conclusions

• We  must  be  able  to  efficiently  move  large  data  sets  between  internal  systems/networks  or  between  organiza9ons.  • How  do  we  accomplish  without  sacrificing  the  security  of  sensi9ve  data  •  Interdisciplinary  effort  between  IT  (security,  network,  research  compute)  and  research  teams  to  design  a  solu9on  that  combines:  •  high-­‐throughput  transfers  •  detec9on  of  security  issues  •  authoriza9on  for  use  of  network  with  sensi9ve  data