Transcript slides
High Speed Network and Security
For Copernicus Communities
Case Study
TNC-15 - Porto (Portugal), 17/06/2015
ESA EOP-G Network & Security Team
Francesco Nisi, RHEA System SA
ESA UNCLASSIFIED – For Official Use
Copernicus Programme
Copernicus (formerly known as GMES) is a European space flagship programme led by the European Union
Space Component
Provides the necessary data for operational monitoring of the environment and for civil security, generated (several TB/day) by a fleet of satellites called Sentinels equipped with new generation instruments
Users shall have free, full and open access to Copernicus dedicated Sentinel data and Copernicus service information
ESA coordinates the Space Component
In-Situ Component
Services Component
Copernicus Ground Segment
[Diagram: Circulation and Dissemination Network. Labels: Dissemination "Internet" Network, Firewall & CPE, General Public, Circulation Network, CDB, CDB, Other services, Mirror Sites, Tailored access for specific user communities]
Copernicus Network & Security Services
Procurement and Deployment milestones
• The Network & Security services implement the Circulation and Dissemination networks
• Open Tender according to ESA procurement regulations, issued in June 2012
• Contract awarded to a commercial provider and kicked off in February 2013
• The five Sentinel-1 facilities ready in pre-operation in September 2013
• Nominal operations started in December 2013
• 2014: Network completed with S2 and S3 facilities and the Central Dissemination facility
The Challenges
• Provide a high speed (10G) WAN network between facilities located in Mainland Europe and with the remote receiving stations
• Provide a high capacity (10G+) and scalable solution to disseminate huge amounts of data to user communities
• Ensure security and open the network to multiple communities at the same time
Copernicus Ground Segment
• 3 Core Ground Stations
• 5 Processing & Archiving Centres
• Mission Performance Centres
• PDMC Centres
• Marine Centre
• EDRS Receiving Station (2015)
• Virtual Archives & Processing
Distributed over 11+ Facilities
Agenda
Copernicus Ground Segment
The Copernicus WAN Solution
Service Model
Verification & Validation
Conclusions
The Network & Security Services
Centralised services design for easier management and control
• Central Service Area in two Twin Core Data Centers
• Hosts the Copernicus central services: Internet Access, Auxiliary Services (DNS, NTP, Proxy, Mail Relay), RAS and Pick-Up Point (storage and data dissemination)
• Local Services: Firewall/IDPS + Local LAN
• Connected via the Intranet Service
WAN Intranet Service
The DWDM Backbone
10G DWDM Backbone
• IP/MPLS connectivity
• 3 VRFs
• Both links active and carrying traffic in nominal conditions
• 9K MTU end-to-end
Internet Access Service
• Redundant 10 Gbps connection to DTAG Backbone
• Autonomous System 3320 with peering agreements on a global scale
• Scalable by adding additional 10 G links
• Security enforcement
• Connected with GEANT via a third AS with multiple connections
• Serves Core Users community accessing the local DMZs
Dedicated GEANT connectivity via DFN (planned)
Pick-Up Point Service
A Central Virtual Archive Service
• Storage area connected at 10 Gbps to the Internet backbone
• Rolling archive for 12 months of Sentinels products
• Ready for 10+ Petabyte of storage (3 PB by 2015)
• Maximum performance thanks to reduced network latency
• Based on virtualised infrastructure
• Available for scientific community and general public
Connectivity to academic user community via GEANT (planned)
Security Services
The Defence Perimeter
• Redundant central firewalls to enforce the EU/ESA security policies
• Redundant DDoS self-learning detection and mitigation
• IDS/IPS detection and blocking
• Central events correlation service
• Redundant Proxies
• Peripheral firewalls with local IPS/IDS
• ACLs and Iptables
• SIEM solution
[Diagram: layered defence perimeter. Labels: DDOS, WWW, Ctrl FWs + IDPS, Ctrl Services, Loc. FW + IDPS, End Systems]
Security Services
Security Policy Enforcement
ESA Earth Observation Security Policy Enforcement
• Only authorized and documented Data Flows traverse the local and central Firewalls
• PDGS Systems published on the Internet only after a successful Security Plan process
• Proxy and Mail-Relay accessible by authenticated clients
• Proxy URL Filtering based on a white list allowing only business related destinations
• Continuous process for monitoring and fine tuning of the DDoS, IDPS and Firewall configuration
• Continuous update and patching process
Agenda
Introduction
The Copernicus WAN Solution
Service Model
Verification & Validation
Conclusions
Service Model
Service Level Agreement
• Service coverage for all the services: 24/7
• Target availability for the connectivity services: 99.95%
• Maximum Time To Repair for blocking/critical incidents: 4/8 hours
• Change implementation time: 8 hours
• Penalty scheme associated with each service level target
One provider for all the Services
• Single contact point for all the services available 24/7
• Network Operations Center (NOC)
• Security Operations Center (SOC)
Agenda
Introduction
The Copernicus WAN Solution
Service Model
Network Operations
Verification & Validation
Conclusions
Verification & Validation
Approach
V&V Approach
• LAB Test for Design validation
• Verification of each service element during the deployment phase
• Validation during the Service Acceptance
Testing Areas
• Functional tests to verify the configuration of each element and its integration in the monitoring & control tools and other PDGS elements
• Performance tests: Line capacity and line quality (packet loss, jitter, latency); TCP Throughputs; Auxiliary services performance baseline (e.g.: DNS, NTP, Proxy)
• Redundancy: Extensive test campaign performed to verify the redundancy and failover behaviour of each solution element
• Security: Penetration and DDoS test (external specialised company)
Intranet Service (1/2)
Test Results Highlights
Tools based on IXIA technology with multiple 10Gbps TCP/UDP traffic generators
• Lines are clean and enable applications/OS to use large TCP windows
• RTDs in line with expected values due to the distances. Some room for improvements.
• Failover behaviour as by design
Intranet Service (2/2)
Test Results Highlights
Findings (TCP throughput in KB/s; three measurements are listed per file size, one column per TCP congestion avoidance algorithm for each socket buffer size):

File size   Buffer size = 16 MB                 Buffer size = 2 MB
            Cubic      HTCP       Hybla         Cubic      HTCP       Hybla
20 MB       24876.6    24854.3    31965.7       23236.4    24257      30327.7
            25060.2    25051.9    32204.1       24471.7    23465.1    30717.2
            25036.4    24971.7    32236.4       24384.2    23423.4    30545.5
50 MB       48182.4    48171.1    57889.6       46179.8    46063.5    55006
            48633.3    48860      58703.3       46774.7    46760.6    55490.7
            48740.8    48724.8    58773         46765.3    46747.6    55299.5
500 MB      91919.3    80936.4    78787.5       91583.5    80985      77814.1
            92672.9    82038.8    79445.1       91935.5    80850      75468.5
            95143.8    76885.9    76874.8       92156      81850.5    73386.3
3 GB        100731.4   89194.2    83027.4       102622.1   84519.4    88771.3
            101559.9   85331.5    88174.5       103646.4   80290.9    91982.1
            102177.9   89466      89210.8       100576.7   89890.4    88440

• The file size has a big impact on the throughput
• Noticeable improvement derived from fine tuning of the TCP configuration parameters
• Some TCP parameters (e.g. the congestion avoidance algorithm) are effective only in specific scenarios -> customisation per project is necessary
Internet Service
Test Results Highlights (will be expanded)
• Test campaign to assess the achievable performance via commercial Internet for different user communities
• Good performance, with peaks up to nearly 900 Mbps for European users with 45 ms RTD, optimised TCP stack and servers, and high speed local Internet access
• Performance strongly depends on the fine tuning of the remote user systems and on the application used for the download

User                        AS Path                       RTD [ms]   IPerf tests [Mbps]   FTP Downloads [Mbps]   Remark
University of Tokyo, Japan  AS2501/AS2907/AS701/AS3320    328        10                   1.0
University of Leeds, UK     AS786/AS1299/AS3320           40         Not conducted        14.4 / 300             Using FTP / Using WGET
STFC Chilton, UK            AS786/AS1299/AS3320           45         292                  264 - 440 / 890        Average values / Peak value
University of Miami, USA    AS451/AS209/AS3320            132        118                  Not conducted
IREA-CNR Naples, Italy      AS137/AS3356/AS3320           50         91                   51                     Local WAN limit of 100 Mbit/s
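As an added example (not from the slides), the following Python script relates the RTDs measured for the user communities above to the 2 MB and 16 MB TCP buffer sizes used in the intranet tests through the bandwidth-delay product, showing the per-flow throughput ceiling a fixed window imposes at each RTD. The window sizes the remote users actually ran are not on the slides, so the ceilings are an illustration of why end-system tuning matters, not a reconstruction of their setups.

```python
# Added example, not part of the original slides: bandwidth-delay product (BDP)
# checks using the RTDs from the Internet Service table and the two TCP buffer
# sizes (2 MB / 16 MB) from the intranet TCP tests. Which windows the remote
# users really ran is unknown, so the ceilings are illustrative only.

LINK_BPS = 10_000_000_000  # 10 Gbps dissemination link, as stated on the slides
BUFFER_BYTES = {"2 MB": 2 * 1024**2, "16 MB": 16 * 1024**2}

# RTD [ms] and measured iperf throughput [Mbps] per user community, copied from
# the Internet Service table (None where the slide says "Not conducted").
USERS = {
    "University of Tokyo, Japan": (328, 10),
    "University of Leeds, UK": (40, None),
    "STFC Chilton, UK": (45, 292),
    "University of Miami, USA": (132, 118),
    "IREA-CNR Naples, Italy": (50, 91),
}


def bdp_bytes(link_bps, rtd_ms):
    """Bytes a sender must keep in flight to fill link_bps over one round trip."""
    return link_bps / 8 * (rtd_ms / 1000)


def window_ceiling_mbps(window_bytes, rtd_ms):
    """Upper bound for one TCP flow limited by a fixed window: window / RTT."""
    return window_bytes * 8 / (rtd_ms / 1000) / 1e6


def assess(rtd_ms, measured_mbps=None):
    """Per-buffer throughput ceilings at this RTD, plus the buffers whose ceiling
    is at least the measured rate (None when no measurement exists)."""
    ceilings = {name: window_ceiling_mbps(size, rtd_ms)
                for name, size in BUFFER_BYTES.items()}
    sufficient = None
    if measured_mbps is not None:
        sufficient = [n for n, c in ceilings.items() if c >= measured_mbps]
    return {
        "bdp_10g_mib": bdp_bytes(LINK_BPS, rtd_ms) / 1024**2,
        "ceilings_mbps": ceilings,
        "buffers_sufficient": sufficient,
    }


if __name__ == "__main__":
    for user, (rtd, measured) in USERS.items():
        r = assess(rtd, measured)
        caps = ", ".join(f"{n} window caps at {c:.0f} Mbps"
                         for n, c in r["ceilings_mbps"].items())
        extra = f"; measured {measured} Mbps" if measured is not None else ""
        print(f"{user}: RTD {rtd} ms, BDP at 10G = {r['bdp_10g_mib']:.1f} MiB; {caps}{extra}")
```

For the STFC Chilton case (45 ms RTD) a 2 MB window caps a single flow near 373 Mbps, so the 890 Mbps peak reported on the slide is only reachable with a window of the 16 MB class, which is the end-system tuning the slides refer to.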
Agenda
Introduction
The Copernicus WAN Solution
Service Model
Verification & Validation
Conclusions
Conclusions
• Utilization of DWDM technologies to build a 10G capable network backbone between Copernicus sites ensures the needed network capacity and stability
• Performance tests confirm the importance of end system fine tuning to get the highest achievable performance
• The current Internet access based on multiple 10G nodes via a commercial provider ensures the needed capacity for data dissemination to the general public and all scientific communities
WHAT NEXT:
• Increase the dissemination capabilities in order to serve the additional user communities that will access the new Sentinels data portals
• Deploy a dedicated 10 Gbps connection between the Copernicus and GEANT networks to improve the access capacity for scientific communities connected to the academic networks
• Build and integrate a performance monitoring solution
PRAGUE 09-13 MAY 2016
Main Objective: Presentation of Exploitation Results based on ESA Earth Observation Measurements
Important Dates:
• Deadline for abstract submission: 16 October 2015
• Notification of Acceptances: End January 2016
• Issue of Preliminary Programme: February 2016
• Opening of Registration to the Symposium: February 2016
• Release of the Final Programme: at the symposium
• Submission of Full Papers: at the symposium
Themes: Atmosphere, Oceanography, Cryosphere, Land, Hazards, Climate and Meteorology, Solid Earth/Geodesy, Near-Earth Environment, Methodologies and Products, Open Science 2.0
http://lps16.esa.int