Safe or Performant? We Want Both!
Time 12/11/19 09:00AM-09:50AM
Room Grand Chenier (5th)
Advanced research and education networks today represent the best existing infrastructures in terms of quality, bandwidth, speed and reliability. They enable a set of real-time communication services that are simply impossible to deploy on other networks, among them LoLa, UltraGrid and MVTP. Other highly demanding services also require multi-gigabit capacity and full end-to-end interaction between applications. While NREN backbones easily support these requirements, on local campuses the quality of the delivered network service is often strongly degraded by the need to protect local users and services from security threats, which is usually done with "barriers" such as firewalls and similar devices.

In our experience, far too often we have to debate at length with the local campus security staff and their security policy makers in order to get advanced services running correctly, explaining technical solutions that deliver the needed performance to the applications that require it while keeping the campus safe. Blindly applying the distinction between "inside the campus" and "out there" is inappropriate in the NREN environment, yet most current security hardware, software and policies still apply this paradigm. A DMZ can help in many cases, but knowledge of how to implement it or similar concepts is still limited, and in many cases it is simply "not among the options" allowed by the policy in force. We will present a set of cases, drawn from real experience, on how to approach the problem in a way that assures both security and performance at the same time: from logically or physically configured DMZ-like services, up to results on how to configure security hardware so that it "keeps quality and performance" at a reasonably high service level, in case you really cannot avoid it.
The presentation also aims to stimulate a debate with security administrators, helping them understand how to correctly approach requests that come from users who need to deploy applications and services demanding high-level network services. An ongoing research activity inside the GEANT backbone, intended to ensure the best possible low-latency path for real-time applications, may also lead to additional safe solutions for enabling unperturbed end-to-end connections.
Speaker Claudio Allocchio Consortium GARR
Primary track Cloud Architecture
Secondary tracks Information Security