- Data deluge requires a digital infrastructure to match.
- Science DMZ is an elegant solution to keep big data science flowing.
- Science DMZ offers risk scoping -- enterprise traffic separated from research data.
Scientists in the 21st century depend on thin strands of glass. Their instruments – mass spectrometers, satellites, particle colliders – gather enormous quantities of information. Known as big data, this flow of information requires a communication scaffolding scaled to match.
To meet the demand for faster speeds and larger data capacity, national research and education network providers like Internet2 and ESnet built a high-speed internet backbone – fiber optic lines unspooling over thousands of miles.
But while researchers work at labs across the world, local networks hold these large data sets at bay. Firewalls at the network border protect users from bad actors, but they also reduce data transmission speeds. That isn’t a problem when you’re waiting on email, but when you’re transferring petabytes of atmospheric data, even a slight drop in network speed can wreak havoc.
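To make the stakes concrete, a back-of-the-envelope calculation (the figures below are illustrative, not from the article) shows how sharply transfer time scales with line rate:

```python
# Rough time to move 1 PB (1e15 bytes) at various sustained line rates.
# Illustrative only: real transfers also depend on latency, packet loss,
# and how well the hosts at each end are tuned.
PETABYTE_BITS = 1e15 * 8

for name, rate_bps in [("1 Gbps", 1e9), ("10 Gbps", 1e10), ("100 Gbps", 1e11)]:
    hours = PETABYTE_BITS / rate_bps / 3600
    print(f"{name}: {hours:,.1f} hours")
```

At a gigabit per second, a petabyte takes roughly three months; at 100 Gbps, under a day. That gap is what separates a usable research network from an unusable one.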
“A Science DMZ is not about bypassing security … It’s about scoping the risk for enterprise and research systems differently.” – Nick Lewis
To tune research networks to accommodate large data flows with low latency (little delay), network engineers conceived of the Science DMZ, a separate network segment dedicated to handling large flows of research data. It’s a friction-free zone so that scientists can receive and send large data sets without worrying about bottlenecks.
“Larry Smarr’s interstate analogy is a good way to describe the Science DMZ,” says Karl Newell, cyberinfrastructure security engineer at Internet2. “That’s exactly it: We already have roads connecting cities, so why do we need to build bigger roads to connect the cities? We already have networks connecting our campuses, but we need high-speed, low-latency networks for scientific research flows.”
A Science DMZ can be used for any kind of research that calls for high bandwidth and low latency. “It could be something that has no inherent security needs; for instance, a public data set from a satellite that needs to be brought down very quickly because of the time-sensitive nature of research,” says Damian Doyle, director for enterprise infrastructure at the University of Maryland, Baltimore County. “Or it could be something that has patient data in it and so it needs to be protected.”
Safe at any speed
Rather than reducing campus network security, a Science DMZ improves it by classifying and cordoning off types of network traffic. Normal internet traffic with all its sensitive information is routed through traditional firewall security checks. Big research data flows, on the other hand, are left unfettered.
“A Science DMZ is not about bypassing security,” says Nick Lewis, NET+ program manager at Internet2. “It’s about providing a protective zone that can help with the complexities of the enterprise firewall and also help with the complex needs on the research side as well. It’s about scoping the risk for those systems differently.”
On the enterprise side, a Science DMZ means fewer security exceptions are needed, fewer ports are left open, and fewer configuration changes are required. For the research side, a Science DMZ means a certain level of risk is accepted, but the rest of the campus network won’t be infected if research data is compromised. A Science DMZ means research networks are allowed to run at full speed – 100 Gbps and higher – so scientists get the data they need, when they need it.
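As a hypothetical illustration of “fewer ports are left open,” the border router in front of a Science DMZ might carry an access control list that admits only the data transfer node’s expected services and denies everything else. The Cisco IOS-style fragment below is a sketch; the address and port ranges are invented placeholders, not a recommended configuration:

```
ip access-list extended SCIENCE-DMZ-IN
 remark Data transfer node at 198.51.100.10 (placeholder address)
 permit tcp any host 198.51.100.10 eq 2811
 permit tcp any host 198.51.100.10 range 50000 51000
 deny ip any any log
```

The final rule denies and logs everything not explicitly permitted, so the exposed surface of the Science DMZ stays small even though its traffic skips the enterprise firewall.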
To maintain information security and still allow the data transfer rates that computational science requires, a Science DMZ follows National Institute of Standards and Technology (NIST) recommendations for what constitutes a firewall.
While traditional hardware firewalls serve enterprise data security needs very well, for high-speed, large-scale, data-driven science, NIST suggests a packet filtering firewall option. This type of firewall scans incoming data packets at line rate without any loss in transmission speed.
Traditional firewalls can perform sophisticated, stateful analysis of incoming data packets. Packet filters such as router access control lists (ACLs) perform a simpler, stateless check on each packet’s header fields, and so avoid the latency that a traditional firewall introduces.
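The distinction can be sketched in a few lines of Python. This is a toy model of a stateless packet filter in the spirit of a router ACL, not how line-rate hardware actually works; every rule, address, and port here is invented for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# A stateless rule list: each packet is judged on its own header
# fields, with no connection-state table to look up or update.
# Addresses and ports are illustrative placeholders.
ACL = [
    ("permit", "tcp", "198.51.100.10", range(50000, 51001)),  # bulk data channels
    ("permit", "tcp", "198.51.100.10", range(2811, 2812)),    # transfer control port
]

def filter_packet(pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for action, proto, dst, ports in ACL:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport in ports:
            return action
    return "deny"

print(filter_packet(Packet("203.0.113.5", "198.51.100.10", "tcp", 50010)))  # permit
print(filter_packet(Packet("203.0.113.5", "198.51.100.10", "tcp", 22)))     # deny
```

Because each decision depends only on fields already in the packet, it can be made in hardware at full line rate. A stateful firewall must also consult and update a per-connection table for every packet, which is where the throughput and latency penalty comes from.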
“Without something like the Science DMZ, you’re back to where you were a couple of years ago where researchers were shipping hard drives full of data,” says Doyle. “If you can do something like the Science DMZ where you can get the data to the researchers quickly, then the focus moves back to their research and lets them make these breakthroughs.”
In short, it’s about enabling research. Connecting labs and research institutions with a high-speed network was the first step – the Science DMZ is the next one.