Campus IT networks are the lifeblood of many researchers, educators and students. They provide a platform for researchers and students to exchange information and collaborate to find answers to really big questions more effectively. Over the past few years, many groups owning and operating these high-speed backbones have extended connectivity to K-12 schools, libraries, hospitals, laboratories, and government organizations to enable cost-effective, interactive online services that benefit us all. For the IT professionals responsible for operating research and higher education networks, it’s a constant struggle to balance their academic openness and the need for data security across a variety of networks.
Connectivity is the foundation for research and higher education networks, linking together thousands of institutions and commercial industries that engage with academic research and education. The goal of RENs is to extend collaboration and productivity beyond the physical location, supporting data-intensive and time-critical applications such as large file transfers, computer modelling and simulations, application sharing, remote instrumentation and visualization, as well as videoconferencing. The key technology that enables global high-velocity research and secure high-velocity collaboration is the VPN.
High-performance VPNs are essential building blocks for securing the delivery and consumption of time-critical data across the research and education networks. IPsec VPN, the standard deployment for site-to-site connections, uses encrypted tunnels for connectivity and protection of the data that traverses it. As research and education networks extend their reach to interconnect other networks around the world, ensuring pervasive data security at all links of the network becomes more critical.
VPNs that are based on the IPsec protocol suite offer a cost-effective, scalable solution for higher education institutions seeking to securely connect campuses to the research community. IPsec provides robust security and encryption functionalities to protect critical data across any IP network. Given the current risks to security, educational institutions are showing a heightened interest in securing more data, especially as it moves across the network. Encryption is becoming an increasingly important means of ensuring pervasive data security. However, current infrastructures do not provide the capability to support this security strategy at scale. Colleges and universities are seeking to better secure their data and research information in transit without affecting network performance and collaborator productivity.
Securing the Culture of Openness
The distributed nature of today’s research community and the growing complexity of RENs require a holistic strategy to provide the network performance, resiliency, and security needed to drive collaboration, achieve operational efficiency, and guarantee overall investment protection. With increasing focus on data security, the ability to encrypt more traffic across the networks becomes a priority. However, a new model is needed – one that supports end-to-end high-performance encryption from the desktop to the cloud.
The Brocade® pervasive data security solution challenges the common belief that ensuring data security in high-speed networks is costly and complex and compromises network performance. Educators can now more easily deploy an end-to-end network encryption solution using standards-based strong encryption that is built into Brocade networking hardware and software. The IPsec security capabilities and interoperability of these products offer a wide variety of ways to consolidate networking and encryption end to end in order to achieve research and collaboration objectives.
Table 1. Brocade pervasive data security solution.
Both the Brocade MLXe Router and the Brocade ICX 7450 Switch integrate IPsec encryption via IPsec modules. The IPsec modules leverage programmable hardware technology to provide hardware-based acceleration for IPsec VPNs using the Advanced Encryption Standard (AES).
Research and higher education networks are high-performance computing (HPC) environments that rely on a super-fast network infrastructure to connect all universities, school districts, libraries, and affiliated institutions across wide areas. These environments traditionally connected into campus networks that sit behind one or more security appliances, which are typically firewalls. This architecture presented challenges to the HPC environments in terms of data throughput and general network complexity. To address common network performance problems encountered at research institutions, the concept of a Science DMZ emerged, where the connectivity to the HPC environment is moved to a portion of the network built at or near the campus border. This new model moves the HPC environment from behind the campus firewall to a network portion that is optimized for secure, high-performance scientific applications.
The Science DMZ allows the local HPC environment to have better connectivity to other research and education networks by putting it in its own DMZ. The external connectivity is often provided via an upstream research backbone. Through collaboration with the northbound REN, the Science DMZ plays an important role in its new platform architecture, designed to help its university members take advantage of advanced network capabilities to facilitate innovation and discovery on campuses. To deliver this kind of high-performance connectivity and data security, the Science DMZ border router will need to meet the following demands in terms of scale, performance, and security:
Must be capable of delivering 100 Gbps connectivity, including support for large, long-lived flows
Must support pervasive OpenFlow and SDN for ease of provisioning and innovative applications
Must support deep packet buffers to handle short data bursts
Must support line-rate ACLs to provide security without impacting data throughput
The Brocade MLXe is a high-performance router that performs the role of the Science DMZ border router, serving as the interconnection, peering, and routing exchange fabric, and providing a next-generation software-defined exchange based on software-defined networking (SDN) technology. It supports a dynamic and agile network with new levels of operational efficiency and automation, enabling on-demand connectivity between the various connection points. With the Brocade MLXe Router, RENs can leverage an innovation platform that enhances connectivity and security for campus and wide-area Science DMZ applications. This will allow researchers to move data between labs and scientific instruments and collaborators’ sites, supercomputer centers, and data repositories with zero performance degradation.
The IPsec encryption capability of the Brocade MLXe Router ensures data security and regulatory compliance without additional licenses or expensive purpose-built encryption appliances. The ability to encrypt at Layer 3 using IPsec and to integrate with existing key management and distribution configurations strengthens data security while maximizing investment protection for the router. Each IPsec module delivers 44 Gbps throughput, enabling a single Brocade MLXe platform to support over 1 terabit per second of IPsec traffic at wire speed. This capability helps ensure that service levels are not affected in even the largest research and education networks.
Data Security within the Campus
The unique value of the Brocade solution is its end-to-end encryption, which is built into high-performance networking routers and switches. From the wiring closet within the campus to wide-area Science DMZ applications, the Brocade solution supports a variety of data security and integrity needs.
The Brocade ICX 7450 with the IPsec service module consolidates network switching and encryption to provide a cost-effective, scalable way to secure network data as it traverses the campus network. By initiating an IPsec tunnel from the switch for transporting selected traffic, this solution enables researchers and educators to securely send data across various portions of the campus network without deploying dedicated encryption appliances. This provides a valuable extra layer of protection for projects that need path isolation and supports collaboration among communities of interest.
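Both the line-rate ACLs required of the Science DMZ border router and the switch-initiated tunnel that carries only "selected traffic" rest on the same mechanism: an ordered list of traffic selectors, where the first match decides whether a packet is encrypted into a tunnel, forwarded in the clear, or dropped. The following added example, which is not Brocade code and does not reflect the configuration syntax of the MLXe or ICX 7450, models that decision as an IPsec Security Policy Database in the style of RFC 4301 section 4.4.1. The prefixes, ports, policy entries and tunnel peer address are constructed (RFC 5737 documentation ranges).

```python
"""Model of an IPsec Security Policy Database (SPD) deciding, per packet,
whether traffic is encrypted into a tunnel, forwarded in the clear, or dropped.

Added example, not vendor code. The selector model follows RFC 4301 section
4.4.1: entries are ordered, the first match wins, and a packet matching no
entry is discarded. All addresses, ports and policy entries are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    PROTECT = "protect"   # encapsulate in an IPsec tunnel to the named peer
    BYPASS = "bypass"     # forward in the clear
    DISCARD = "discard"   # drop


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    """One ordered SPD entry. Selectors are source/destination prefixes, a
    protocol or "any", and an inclusive destination-port range (None = any)."""
    src_net: str
    dst_net: str
    proto: str
    dport_range: Optional[Tuple[int, int]]
    action: Action
    tunnel_peer: Optional[str] = None   # required when action is PROTECT

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


def validate_spd(spd: List[SpdEntry]) -> List[str]:
    """Return a list of configuration problems (empty list means the SPD is
    sound). A PROTECT entry without a tunnel peer cannot be enforced."""
    problems = []
    for idx, entry in enumerate(spd):
        if entry.action is Action.PROTECT and entry.tunnel_peer is None:
            problems.append(f"entry {idx}: PROTECT without tunnel_peer")
    return problems


def lookup(spd: List[SpdEntry], pkt: Packet):
    """First-match lookup returning (action, tunnel_peer, matched_index).
    RFC 4301 requires that a packet matching no entry be discarded, so the
    implicit default is DISCARD rather than BYPASS."""
    for idx, entry in enumerate(spd):
        if entry.matches(pkt):
            return entry.action, entry.tunnel_peer, idx
    return Action.DISCARD, None, None


# Constructed policy for a campus switch that encrypts only research-lab
# traffic bound for the Science DMZ data transfer nodes, while ordinary
# campus traffic stays in the clear. Order matters: the narrow DISCARD
# for cleartext telnet is placed before the broad PROTECT so it wins.
CAMPUS_SPD = [
    SpdEntry("0.0.0.0/0", "198.51.100.0/24", "tcp", (23, 23), Action.DISCARD),
    SpdEntry("192.0.2.0/24", "198.51.100.0/24", "any", None,
             Action.PROTECT, tunnel_peer="203.0.113.1"),
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", "any", None, Action.BYPASS),
]


if __name__ == "__main__":
    assert validate_spd(CAMPUS_SPD) == []
    samples = [
        Packet("192.0.2.10", "198.51.100.5", "tcp", 5001),   # lab -> DTN: protect
        Packet("192.0.2.10", "198.51.100.5", "tcp", 23),     # telnet to DTN: discard
        Packet("192.0.2.10", "203.0.113.50", "tcp", 443),    # lab -> elsewhere: bypass
    ]
    for pkt in samples:
        action, peer, idx = lookup(CAMPUS_SPD, pkt)
        print(f"{pkt.src}->{pkt.dst}/{pkt.proto}:{pkt.dport} => {action.value} "
              f"(entry {idx}, peer {peer})")
```

The same first-match discipline is what makes a line-rate ACL predictable: a broad permit placed above a narrow deny silently disables the deny, and an SPD without a final BYPASS entry drops everything it was not told to protect, which is the safe failure mode but surprises operators who expect pass-through.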
Maintaining Security to the Cloud
Research and higher education networks have seen datasets proliferate beyond centralized on-campus resources into public cloud environments (such as AWS, Azure, SoftLayer, etc.). A challenge has been how to cost-effectively provide secure, high-speed access to these cloud-based datasets.
The Brocade vRouter virtualizes network services such as IPsec VPN to provide quick turn-up of high-speed secure data transmission. To connect to the public cloud, a new VPN virtual machine can be turned up in minutes using a small fraction of an existing server. This enables researchers to securely transfer and download datasets to and from public cloud resources at high speed for enhanced collaboration.
In the New IP era of networking, it is crucial for research and higher education networks to have technology in place that will enable them to stay ahead of the curve and continue making a difference in the research and education world. Brocade delivers an end-to-end solution to enable high-performance VPN connectivity and cost-effective network encryption across today’s research and educational communities.
The MLXe routing solution, used in conjunction with the Brocade ICX 7450 switching solution, gives researchers and educators access to information anytime, anywhere. The Brocade solution not only helps organizations running research and education networks achieve school compliance and strengthen data security, it does so without affecting performance. With increasingly complex multi-site environments extending their reach globally, end-to-end high-performance VPN connectivity and data security are important components of a research and education network security posture that retains the culture of openness.
You can learn more about solutions for Research and Higher Education Networks at brocade.com/research.