Non-Technical Issues regarding connecting hospitals to
Download
Report
Transcript Non-Technical Issues regarding connecting hospitals to
Connecting hospitals to the NREN
The Danish case story
Copenhagen, 15th September 2009
Martin Bech
Deputy Director, UNI•C
[email protected]
Optical network
•
•
Backbone in production
from the middle of 2009
Access connections are
continuously upgraded to
optical networking
Metro-ring in the Copenhagen Area
IHK
LYNGBY
15 km
4,75 dB
16 km
5 dB
28 km
8 dB
Panum
12 km
4 dB
Risø
KVL-T
7 km
2,75 dB
KUA
3 km
1,75 dB
RUC
National and
International
connections
6 km
2,5 dB
12 km
4 dB
Hørs.
6 km
2,5 dB
23 km
6,75 dB
ØRESTAD
Lightpaths for production IP
AAU-2
AAU-1
LYNGBY
AU-2
AU-1
ØRESTAD
SDU-2
SDU-1
8 x 1GE
10GE
Physical fibre
Moving towards supplying multiple
network connections everywhere
At every location we now offer:
• Internet production IP service (as always)
• Infinite traffic and bandwidth…
• A connection type appropriate to the need
• Multiple dedicated network connections for “intranet” and
“lambda” use
• Segregation between the networks are realized by means of a
combination of lightpaths, MPLS and even VLANs
University of
Aarhus: 23
locations
…and the other
universities are
not much better
This means a lot of
lightpaths…
Special services for special user groups
• Network for everyone
But on top of that, many of us are involved in serving the
needs of special user groups:
• Supercomputing facilities
• GRID clusters
• Facilities for radio astronomy
• Video and telephony
• Content portals, databases etc.
But what about services for health research and health care?
Why is health research and health care
different from our other users?
•
•
•
•
•
Not just a few large facilities, but also
huge numbers of smaller entities/departments
Huge numbers of scanners, databases and other facilities
They all need their own separate private connections
Users are very aware of security constraints, but totally unaware
of the services and equipment that implement these constraints
• Many ad hoc projects and connections
Communicating across organizational boundaries
LAN
LAN
FW
FW
External
network
FW
LAN
The challenge
External
Network
FW A
Lab A
User A
FW B
Firewall rules (A)
Firewall rules (B)
----------------------User A may access
Service B
----------------------
----------------------Service B may be
accessed by User A
----------------------
Lab B
Service B
Setup of a new connection
External
Network
FW A
Lab A
User A
FW B
Firewall rules (A)
Firewall rules (B)
----------------------User A may access
Service B
----------------------
----------------------Service B may be
accessed by User A
----------------------
Lab B
Service B
Expiry of a connection
External
Network
FW A
Lab A
User A
FW B
Firewall rules (A)
Firewall rules (B)
----------------------User A may access
Service B
----------------------
----------------------Service B may be
accessed by User A
----------------------
?
Lab B
?
Service B
Manual administration
• No problem for a single example such as this, except that
the set-up of each connection typically takes a day
• But, if a research project with 20 partners are sharing just
10 common services, the total number of rules are 1.900
• Most firewall administrators can’t say who is responsible
for every rule
Therefore: We need a system to keep track of all these
connections
The Connection agreement system
• All groups of users and all services are put into the
system by the users
• User A finds Service B in a large directory
• User A enters a request for a connection to system B
• Both User A and the administrator of Service B
accepts the connection in the system
• The system generates rules which the fírewall
administrators put into their firewalls
Using the Connection Agreement System
Connection Agreement System
FW A
Lab A
User A
VPN
gateway
FW B
Firewall rules (B)
Firewall rules (A)
----------------------User A may access
Service B
----------------------
----------------------Service B may be
accessed by User A
----------------------
Lab B
Service B
The connection agreement system
• Everybody can find the services they need – and each
other
• Eliminates the need for administering a huge number of
VPN tunnels
• Establishes documentation of who ordered what
connection and how long it is supposed to exist
• Simplifies security administration
• A simple and inexpensive solution to a problem that is
common to most researchers sharing resources
The technology works:
In production since 2003!
• The nation-wide Danish Health Data Network is
based on the Connection Agreement System
• The swedish health network, Sjunet, has also
decided to use the Connection Agreement System
• Several other countries and regions are considering
implementing the Connection Agreement System
Number of connections registered
Traffic volumes in the Danish Health Data network
Kbytes pr. month
NRENs provide a lot of services…
Universities and
research institutions
Hospitals
Basic Internet connectivity
Yes
Yes
Video conferencing
Yes
Collaboration tools
Yes
Lambda networking
Yes
IPv6
Yes (but no use)
Roaming services
Yes
CERT and security
Yes
GRID and Scientific Computing
Yes
Media Libraries
Yes
The Health Data Network provides:
Hospitals
Basic Internet connectivity
No
Video conferencing
Yes
Collaboration tools
Yes
Lambda networking
Not yet
IPv6
If needed
Roaming services
Yes
CERT and security
Yes
GRID and Scientific Computing
Yes
Media Libraries
Yes
Can we generalize this approach?
Mega-science has it all:
• Separate λ-connections
• Dedicated GRID-clusters
• Services hardened to tolerate being directly on the internet
What do researchers with more
modest budgets do?
Connecting two research resources
Lab A
Lab B
Analysis
equipment
Scanner
No connection
Connecting two research resources
Lab A
Lab B
Scanner
Analysis
equipment
Too expensive and unflexible
Connecting two research resources
Lab A
Analysis
equipment
Lab B
Scanner
Not safe: Equipment will be hacked and connection is not secure
Connecting two research resources
Lab B
Lab A
Analysis
equipment
Scanner
FW
FW
Using firewalls:
Works, but unflexible and time-consuming to set up each time
Connecting two research resources
Lab A
Lab B
Connection
Agreement
System
Analysis
equipment
Scanner
FW
Using the Connection Agreement System:
Flexibility by user configuration
FW
Have we now solved all problems?
YES – Once connected, new connections are operational almost
immediately
YES – We can now manage the increased complexity of the
explosion of many types of connections between
organizations
YES – A light-weight alternative to dedicated lambda connections
(no cost, immediate set-up)
YES – Local security administrators can let their users do the
administration and documentation of their security
components
NO – Network interoperability does not guarantee working
interoperability of services
NO – The present system does not offer any means for identity
management of users (yet…)
The health sector
•
•
•
•
•
Ought to be an integral part of every NREN community
They do research, education and an every-day production
Security constraints on the network usage
Their bandwidth needs are growing rapidly
Today, they are no different from our traditional community
Do we want to focus on the needs of the health sector?
Why do many NREN not have a health sector strategy?