The Medical Science DMZ

Bill Barnett, Indiana University School of Medicine and Regenstrief Institute, with Eli Dart and Sean Peisert, ESnet, and Richard Biever, Duke University

What is a Science DMZ?
The term Science DMZ refers to "...a portion of the network, built at or near the campus or laboratory's local network perimeter that is designed such that the equipment, configuration, and security policies are optimized for high-performance scientific applications rather than for general-purpose business systems or 'enterprise' computing." https://fasterdata.es.net/science-dmz/, accessed June 8, 2016

Why do we care about them in Health Care?
• Precision Medicine is Genomic Medicine, with huge genome data repositories
  o The 1,000 Genomes Project: 200 Terabytes
  o The Cancer Genome Atlas (TCGA): 2.5 Petabytes
• Cost of sequencing is dropping
• Sequencers are popping up all over
• Projects are at 100,000 patients
• PMI is targeting 1M patients

The data have to get to the cloud somehow!

There is already Network Capacity Out There
• The Internet2 backbone runs at 100 Gigabits/second
• It delivers high bandwidth data transport to programs in:
  • High Energy Physics (LHC)
  • Astronomy (SDSS)
  • Gravitational Waves (LIGO)
• It is managed as a single network for better performance and security

The Medical Science DMZ
A 'Medical Science DMZ' is "a method or approach that allows data flows at scale while simultaneously addressing the HIPAA Security Rule and related regulations governing biomedical data." S. Peisert, W. K. Barnett, E. Dart, J. Cuff, R. L. Grossman, E. Balas, A. Berman, A. Shankar, and B. Tierney, "The Medical Science DMZ," Journal of the American Medical Informatics Association (JAMIA), May 2, 2016.

Science DMZ Design Pattern
[Figure: Science DMZ design pattern. A border router with perfSONAR provides a clean, high-bandwidth 10G WAN path; the enterprise border router/firewall fronts the site/campus LAN, which has access to Science DMZ resources; the Science DMZ switch/router (10GE links) carries perfSONAR, per-service security policy control points, and a high-performance Data Transfer Node with high-speed storage.]
Eli Dart, Lauren Rotman, Brian Tierney, Mary Hester, and Jason Zurawski, "The Science DMZ: A Network Design Pattern for Data-Intensive Science," Proceedings of the IEEE/ACM Annual SuperComputing Conference (SC13), Denver CO, 2013.

Security Model for a Medical Science DMZ
• Router acts as a non-stateful packet-filter firewall
• Router manages a list of trusted DTNs
• Flows approved by source and destination IP, time, protocol, and application
• Permissions purged when the flow is complete
• IDS (e.g., Bro) monitors for policy infractions and hostile activity
• perfSONAR for performance

[Figure: the Science DMZ design pattern diagram again (border router, enterprise border router/firewall, Science DMZ switch/router, perfSONAR hosts, per-service security policy control points, Data Transfer Node with high-speed storage), annotated with the high-latency WAN path and the low-latency LAN path.]
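As an added example (not code from the slides, from ESnet or from the JAMIA paper), the security model above can be written down as a small policy engine: the router's trusted DTN list, flows approved by peer/DTN address, time window, protocol and application, permissions purged at expiry or when the transfer completes, and the result rendered as a stateless ACL. The application catalogue, the 12-hour maximum window and the IOS-like ACL syntax are assumptions of the example; the addresses are RFC 5737 documentation addresses.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Hypothetical application catalogue (an assumption of this example):
# name -> (protocol, (low port, high port)). A real site would take these
# from the DTN's service inventory, e.g. its GridFTP data-channel range.
APPLICATIONS = {
    "gridftp-control": ("tcp", (2811, 2811)),
    "gridftp-data": ("tcp", (50000, 51000)),
    "scp": ("tcp", (22, 22)),
}
MAX_WINDOW = timedelta(hours=12)  # longest single approval (assumption)


@dataclass(frozen=True)
class Flow:
    """One approved transfer between a remote peer and a local, trusted DTN."""
    peer: str        # remote endpoint (collaborator DTN, cloud ingress)
    dtn: str         # local Data Transfer Node inside the Science DMZ
    app: str         # key into APPLICATIONS
    start: datetime
    end: datetime


class FlowPolicy:
    """Per-flow permissions for a non-stateful packet-filter border router."""

    def __init__(self, trusted_dtns) -> None:
        self.trusted_dtns = {str(ip_address(d)) for d in trusted_dtns}
        self.flows: list[Flow] = []

    def approve(self, peer, dtn, app, start, duration) -> Flow:
        """Approve a flow by source/destination IP, time window, protocol and application."""
        peer, dtn = str(ip_address(peer)), str(ip_address(dtn))
        if dtn not in self.trusted_dtns:
            raise PermissionError(f"{dtn} is not on the trusted DTN list")
        if app not in APPLICATIONS:
            raise ValueError(f"unknown application {app!r}")
        if not timedelta(0) < duration <= MAX_WINDOW:
            raise ValueError("duration must be positive and at most MAX_WINDOW")
        flow = Flow(peer, dtn, app, start, start + duration)
        self.flows.append(flow)
        return flow

    def complete(self, flow: Flow) -> None:
        """The transfer finished early: purge its permission now, not at expiry."""
        self.flows = [f for f in self.flows if f != flow]

    def purge_expired(self, now: datetime) -> list[Flow]:
        """Drop every flow whose window has closed; return what was purged."""
        expired = [f for f in self.flows if f.end <= now]
        self.flows = [f for f in self.flows if f.end > now]
        return expired

    def active(self, now: datetime) -> list[Flow]:
        """Flows whose window is open right now (expired ones are purged first)."""
        self.purge_expired(now)
        return [f for f in self.flows if f.start <= now]

    def render_acl(self, now: datetime) -> list[str]:
        """Render the active flows as a stateless ACL (IOS-like syntax, illustrative).

        A non-stateful filter keeps no connection table, so every flow needs an
        explicit rule in BOTH directions; anything else hits the final deny.
        """
        lines: list[str] = []
        for f in self.active(now):
            proto, (lo, hi) = APPLICATIONS[f.app]
            ports = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"permit {proto} host {f.peer} host {f.dtn} {ports}")
            lines.append(f"permit {proto} host {f.dtn} {ports} host {f.peer}")
        lines.append("deny ip any any")
        return lines


if __name__ == "__main__":
    t0 = datetime(2016, 6, 8, 9, 0, tzinfo=timezone.utc)
    policy = FlowPolicy(trusted_dtns=["198.51.100.5"])
    policy.approve("192.0.2.10", "198.51.100.5", "gridftp-data", t0, timedelta(hours=2))
    for line in policy.render_acl(t0 + timedelta(minutes=30)):
        print(line)
    print(policy.render_acl(t0 + timedelta(hours=3)))  # window closed: only the deny remains
```

The reverse-direction rule is the price of a non-stateful filter: it admits any packet from the DTN's data-port range to the peer for the life of the window, which is why the window is bounded, why the peer and DTN are pinned to single hosts, and why the slide pairs the router with an IDS rather than relying on the filter alone.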
Eli Dart, Lauren Rotman, Brian Tierney, Mary Hester, and Jason Zurawski, "The Science DMZ: A Network Design Pattern for Data-Intensive Science," Proceedings of the IEEE/ACM Annual SuperComputing Conference (SC13), Denver CO, 2013.

Enter Software Defined Networking (SDN)
[Figure: two building production networks joined through a network transition/firewall, compared with an SDN controller managing SDN switches and an SDN hub that serves Server A, Server B and storage.]

Traditional network switches:
• control functions in local firmware
• packet forwarding rules encoded in local config
• proprietary

SDN switches:
• control functions decoupled from packet forwarding
• controller can view the network "as a whole"
• open standards based (OpenFlow)

Why Implement an SDN Architecture?
• Traditional networks can inhibit transfers:
  • firewalls
  • intrusion prevention systems
  • backups/data transfers
  • Netflix/Twitch.tv
• SDN is designed for automated configuration
• Self-service configurable bypass network
• Researchers may need access to national backbones via the Science DMZ (e.g. Open Science Grid)

SDN at Duke
Goal: How do we more efficiently move large data sets around the network? Focused on the network transition bottlenecks rather than traffic in the data center.

Improve performance
• Network transition points
• Controller interface architecture & design

Secure the infrastructure
• Secure the control plane
• Authorization for routes
• Testing for vulnerabilities

Controlling the Network
[Figure: a user requests network config changes; Switchboard handles authorization/approvals and issues REST configuration commands to the SDN controller (Ryu REST router) on the control plane, which programs the SDN switches on the data plane.]

Switchboard (Controlling the Controller)
• Simplifies SDN controller/switch configuration and tracks changes
• Who is authorized to enable a bypass/link
• Status of requests
• Update the SDN controller based on approved requests
• Rollback/restore SDN controller state
• Audit log of the state of the network configuration

SDN to Science DMZ
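The Switchboard slide above describes a request/approval layer that sits between users and the controller. As an added example (not Duke's Switchboard code), here is that workflow in Python: users file bypass requests only for switches they are authorized on, a different person approves, approved requests are pushed to the controller as REST commands, every step lands in a JSON-serialisable audit log, and a snapshot can be rolled back. The REST path and payload shape are an assumption modelled on Ryu's rest_router application (POST /router/<dpid> with destination and gateway, DELETE with route_id); FakeRyuRouter is a constructed stand-in so the block runs offline, and the datapath id and addresses are made up.

```python
from __future__ import annotations

import itertools
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


class FakeRyuRouter:
    """Constructed stand-in for Ryu's rest_router REST API (assumption: POST adds a
    static route and returns its route_id, DELETE removes it by route_id)."""

    def __init__(self) -> None:
        self.routes: dict[tuple[str, int], tuple[str, str]] = {}
        self.calls: list[tuple[str, str, dict]] = []  # every command received
        self._ids = itertools.count(1)

    def send(self, method: str, path: str, body: dict) -> dict:
        self.calls.append((method, path, body))
        dpid = path.rsplit("/", 1)[1]
        if method == "POST":
            route_id = next(self._ids)
            self.routes[(dpid, route_id)] = (body["destination"], body["gateway"])
            return {"route_id": route_id}
        if method == "DELETE":
            del self.routes[(dpid, body["route_id"])]
            return {"route_id": body["route_id"]}
        raise ValueError(f"unsupported method {method}")


class Switchboard:
    """Users never talk to the controller; every change goes through here."""

    def __init__(self, send, requesters: dict, approvers: dict) -> None:
        self.send = send              # callable(method, path, body) -> dict
        self.requesters = requesters  # user -> set of dpids they may request a bypass on
        self.approvers = approvers    # user -> set of dpids they may approve/revoke on
        self.requests: dict[int, dict] = {}
        self.installed: dict[int, tuple[str, int]] = {}  # request id -> (dpid, route_id)
        self.audit: list[dict] = []
        self._ids = itertools.count(1)

    def _log(self, actor: str, action: str, **detail) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, **detail}
        self.audit.append(json.loads(json.dumps(entry)))  # must stay serialisable

    def request(self, user: str, dpid: str, destination: str, gateway: str) -> int:
        """File a bypass request; denied (and logged) unless user may request on dpid."""
        if dpid not in self.requesters.get(user, set()):
            self._log(user, "request-denied", dpid=dpid)
            raise PermissionError(f"{user} may not request changes on {dpid}")
        destination, gateway = str(ip_network(destination)), str(ip_address(gateway))
        rid = next(self._ids)
        self.requests[rid] = {"user": user, "dpid": dpid, "destination": destination,
                              "gateway": gateway, "status": "pending"}
        self._log(user, "requested", request=rid, dpid=dpid,
                  destination=destination, gateway=gateway)
        return rid

    def approve(self, approver: str, rid: int) -> int:
        """Push an approved request to the controller; requester may not self-approve."""
        req = self.requests[rid]
        if req["status"] != "pending":
            raise ValueError(f"request {rid} is {req['status']}, not pending")
        if req["dpid"] not in self.approvers.get(approver, set()) or approver == req["user"]:
            self._log(approver, "approval-denied", request=rid)
            raise PermissionError(f"{approver} may not approve request {rid}")
        resp = self.send("POST", f"/router/{req['dpid']}",
                         {"destination": req["destination"], "gateway": req["gateway"]})
        self.installed[rid] = (req["dpid"], resp["route_id"])
        req["status"] = "installed"
        self._log(approver, "approved", request=rid, route_id=resp["route_id"])
        return resp["route_id"]

    def revoke(self, actor: str, rid: int) -> None:
        """Remove an installed bypass from the controller."""
        dpid, route_id = self.installed[rid]
        if dpid not in self.approvers.get(actor, set()):
            raise PermissionError(f"{actor} may not revoke routes on {dpid}")
        self.send("DELETE", f"/router/{dpid}", {"route_id": route_id})
        del self.installed[rid]
        self.requests[rid]["status"] = "revoked"
        self._log(actor, "revoked", request=rid, route_id=route_id)

    def snapshot(self) -> frozenset[int]:
        """Which requests are installed right now; pass it to rollback_to later."""
        return frozenset(self.installed)

    def rollback_to(self, actor: str, snapshot: frozenset[int]) -> list[int]:
        """Restore controller state by revoking everything installed since snapshot."""
        undone = [rid for rid in self.installed if rid not in snapshot]
        for rid in undone:
            self.revoke(actor, rid)
        self._log(actor, "rollback", undone=undone)
        return undone

    def status(self, rid: int) -> str:
        return self.requests[rid]["status"]


if __name__ == "__main__":
    ctl = FakeRyuRouter()
    sb = Switchboard(ctl.send, requesters={"alice": {"0000000000000001"}},
                     approvers={"bob": {"0000000000000001"}})
    rid = sb.request("alice", "0000000000000001", "10.10.0.0/24", "10.0.0.2")
    before = sb.snapshot()
    sb.approve("bob", rid)
    sb.rollback_to("bob", before)
    print(json.dumps(sb.audit, indent=1))
```

Two points carry the security weight: authorization is checked per switch on both the request and the approval, with the requester barred from approving their own bypass, and the controller's state is only ever changed through `approve`/`revoke`, so the audit log and the snapshot are a faithful record of what the controller should hold and rollback is a deterministic diff against it.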
Similar security challenges
What's an approach to getting started?
Well-suited for managing data flows to/from a Science DMZ
SDN has the ability to flexibly apply policy to network traffic:
• the ability to control or monitor how routes are created
• the ability to control what nodes are added
• the ability to audit routes and traffic flows
• the ability to detect when something malicious enters or exits the network (can be done via SDN flows sent to an IDS)

Architecture overview (phase 1)
[Figure (phase 1): AL2S and the Internet reach an SDN hub over 10 Gb links; the campus core sits behind Edge-gw1/Edge-gw2 with IPS/FW; an SDN bypass connects the hub to the Physics SDN switch, Physics host and Physics storage.]

Architecture overview (phase 2)
[Figure (phase 2): connect the Internet edge to the SDN hub and add a Data Transfer Node (DTN, Transfer Node 1); Edge-gw1/Edge-gw2 with IPS/FW in front of the campus core; Switchboard and a Bro IDS attached to the hub; the Physics SDN switch and Physics storage reached over the SDN bypass using a file-sharing protocol.]

[Figure (later phase): change the AL2S link to an Internet link and connect it to the edge Science DMZ; Edge-gw1/Edge-gw2 with IPS/FW, SDN hub, Bro IDS, Research Computing SDN switch and Research Computing FI, Switchboard, campus core, and Research Computing UCS hosting an OSG VM and a Duke VM with OSG storage and Duke storage.]

Conclusions
• We must be able to efficiently move large data sets between internal systems/networks or between organizations.
• How do we accomplish this without sacrificing the security of sensitive data?
• Interdisciplinary effort between IT (security, network, research compute) and research teams to design a solution that combines:
  • high-throughput transfers
  • detection of security issues
  • authorization for use of the network with sensitive data