Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Science DMZ Network Architecture
open-in-new
<h2 id="stateful-firewalls">Stateful firewalls</h2> <p class="note">Main article: <a href="/facts/Stateful_firewall/eCIseahN">Stateful firewall</a></p> <p>Most businesses and other institutions use a firewall to protect their internal network from malicious attacks originating from outside. All traffic between the internal network and the external Internet must pass through a firewall, which discards traffic likely to be harmful. </p><p>A stateful firewall tracks the <a href="/facts/State_(computer_science)/4Yu8xXHS">state</a> of each logical connection passing through it, and rejects data packets inappropriate for the state of the connection. For example, a website would not be allowed to send a page to a computer on the internal network, unless the computer had requested it. This requires a firewall to keep track of the pages recently requested, and match requests with responses. </p><p>A firewall must also analyze network traffic in much more detail, compared to other networking components, such as routers and switches. Routers only have to deal with the <a href="/facts/Network_layer/L2jAtJzQ">network layer</a>, but firewalls must also process the <a href="/facts/Transport_layer/UmIGUCeK">transport</a> and <a href="/facts/Application_layer/FAFhLruA">application layers</a> as well. All this additional processing takes time, and limits network throughput. While routers and most other networking components can handle speeds of 100 billion bits per second (Gbps), firewalls limit traffic to about 1 Gbit/s,<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> which is unacceptable for passing large amounts of scientific data. </p><p>Modern firewalls can leverage custom hardware (<a href="/facts/ASIC/YGUXpX50">ASIC</a>) to accelerate traffic and inspection, in order to achieve higher throughput. This can present an alternative to Science DMZs and allows in place inspection through existing firewalls, as long as <a href="/facts/Unified_threat_management/lQV0Dnfl">unified threat management</a> (UTM) inspection is disabled. </p><p>While stateful firewall may be necessary for critical business data, such as financial records, credit cards, employment data, student grades, trade secrets, etc., science data requires less protection, because copies usually exist in multiple locations and there is less economic incentive to tamper.<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> </p> <h2 id="dmz">DMZ</h2> <p class="note">Main article: <a href="/facts/DMZ_(computing)/gHmwgIo7">DMZ (computing)</a></p> <p>A firewall must restrict access to the internal network but allow external access to services offered to the public, such as web servers on the internal network. This is usually accomplished by creating a separate internal network called a DMZ, a play on the term "demilitarized zone." External devices are allowed to access devices in the DMZ. Devices in the DMZ are usually maintained more carefully to reduce their vulnerability to malware. Hardened devices are sometimes called <a href="/facts/Bastion_host/FXnxCJJC">bastion hosts</a>. </p><p>The Science DMZ takes the DMZ idea one step farther, by moving high performance computing into its own DMZ.<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> Specially configured routers pass science data directly to or from designated devices on an internal network, thereby creating a virtual DMZ. Security is maintained by setting <a href="/facts/Access_control_lists/t38J9Vao">access control lists</a> (ACLs) in the routers to only allow traffic to/from particular sources and destinations. Security is further enhanced by using an <a href="/facts/Intrusion_detection_system/mAw24Fyo">intrusion detection system</a> (IDS) to monitor traffic, and look for indications of attack. When an attack is detected, the IDS can automatically update router tables, resulting in what some call a Remotely Triggered BlackHole (RTBH).<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a> </p> <h2 id="justification">Justification</h2> <p>The Science DMZ provides a well-configured location for the networking, systems, and security infrastructure that supports high-performance data movement. In data-intensive science environments, data sets have outgrown portable media, and the default configurations used by many equipment and software vendors are inadequate for high performance applications. The components of the Science DMZ are specifically configured to support high performance applications, and to facilitate the rapid diagnosis of performance problems. Without the deployment of dedicated infrastructure, it is often impossible to achieve acceptable performance. Simply increasing network bandwidth is usually not good enough, as performance problems are caused by many factors, ranging from underpowered firewalls to dirty fiber optics to untuned operating systems. </p><p>The Science DMZ is the codification of a set of shared best practices—concepts that have been developed over the years—from the scientific networking and systems community. The Science DMZ model describes the essential components of high-performance data transfer infrastructure in a way that is accessible to non-experts and scalable across any size of institution or experiment. </p> <h2 id="components">Components</h2> <p>The primary components of a Science DMZ are: </p> <ul><li>A high performance Data Transfer Node (DTN)<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a> running parallel data transfer tools such as <a href="/facts/GridFTP/mT5rXRcc">GridFTP</a></li> <li>A network performance monitoring host, such as <a href="/facts/PerfSONAR/BBkc3Fp6">perfSONAR</a></li> <li>A high performance router/switch</li></ul> <p>Optional Science DMZ components include: </p> <ul><li>Support for <a href="/facts/Layer_2_MPLS_VPN/2e4IVnCP">layer-2 Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPN)</a></li> <li>Support for <a href="/facts/Software-defined_networking/MJGFxyoj">software-defined networking</a></li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Big_Data/XGtrVg4z">Big Data</a></li> <li><a href="/facts/PerfSONAR/BBkc3Fp6">perfSONAR</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://fasterdata.es.net/science-dmz/">ESnet web pages describing the Science DMZ</a></li> <li><a href="https://www.nsf.gov/pubs/2012/nsf12541/nsf12541.htm">NSF Program funding Science DMZs</a></li> <li><a href="http://www.oar.net/press/ohio_state_leads_project_develop_">"science_dmz"_internet Announcement on Ohio State University Science DMZ</a></li> <li><a href="https://arstechnica.com/security/2012/06/science-dmz/">NSF Solicitation on funding to build Science DMZs</a></li> <li><a href="http://wiki.chpc.utah.edu/display/CHPC/Performance+and+Science+DMZ+plus+Network+Testbed+-+Parent+Project+page">University of Utah's Science DMZ</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Dan Goodin (June 26, 2012). "Scientists experience life outside the firewall with "Science DMZs."". Retrieved 2013-05-12. <a href="https://arstechnica.com/security/2012/06/science-dmz/" target="_blank">https://arstechnica.com/security/2012/06/science-dmz/</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Eli Dart; Brian Tierney; Eric Pouyoul; Joe Breen (January 2012). "Achieving the Science DMZ" (PDF). Retrieved 2015-12-31. <a href="http://www.internet2.edu/presentations/jt2012winter/ScienceDMZ-Tutorial-Jan2012-1.pdf" target="_blank">http://www.internet2.edu/presentations/jt2012winter/ScienceDMZ-Tutorial-Jan2012-1.pdf</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Dart, E.; Rotman, L.; Tierney, B.; Hester, M.; Zurawski, J. (2013). "The Science DMZ". Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis on - SC '13. p. 1. doi:10.1145/2503210.2503245. ISBN 978-1-4503-2378-9. S2CID 52861484. <a href="978-1-4503-2378-9" target="_blank">978-1-4503-2378-9</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Why Science DMZ?". Retrieved 2013-05-12. <a href="http://fasterdata.es.net/science-dmz/motivation/" target="_blank">http://fasterdata.es.net/science-dmz/motivation/</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Dart, Eli; Metzger, Joe (June 13, 2011). "The Science DMZ". CERN LHCOPN/LHCONE workshop. Retrieved 2013-05-26. This is the earliest cite-able reference to the Science DMZ. Work on the concept had been going on for several years prior to this. <a href="http://indico.cern.ch/getFile.py/access?subContId=0&contribId=16&resId=0&materialId=slides&confId=131550" target="_blank">http://indico.cern.ch/getFile.py/access?subContId=0&contribId=16&resId=0&materialId=slides&confId=131550</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"Implementation of a Science DMZ at San Diego State University to Facilitate High-Performance Data Transfer for Scientific Applications". National Science Foundation. September 10, 2012. Retrieved 2013-05-13. <a href="https://www.nsf.gov/awardsearch/showAward?AWD_ID=1245312" target="_blank">https://www.nsf.gov/awardsearch/showAward?AWD_ID=1245312</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"SDNX - Enabling End-to-End Dynamic Science DMZ". National Science Foundation. September 7, 2012. Retrieved 2013-05-13. <a href="https://www.nsf.gov/awardsearch/showAward?AWD_ID=1246386" target="_blank">https://www.nsf.gov/awardsearch/showAward?AWD_ID=1246386</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"Improving an existing science DMZ". National Science Foundation. September 12, 2012. Retrieved 2013-05-13. <a href="https://www.nsf.gov/awardsearch/showAward?AWD_ID=1246187" target="_blank">https://www.nsf.gov/awardsearch/showAward?AWD_ID=1246187</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Dart, Eli; Rotman, Lauren (Aug 2012). "The Science DMZ: A Network Architecture for Big Data". LBNL-report. <a href="http://www.es.net/news-and-publications/publications-and-presentations/" target="_blank">http://www.es.net/news-and-publications/publications-and-presentations/</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Brett Ryder (Feb 25, 2010). "The Data Deluge". The Economist. <a href="http://www.economist.com/node/15579717" target="_blank">http://www.economist.com/node/15579717</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>."Network Requirements and Expectations". Lawrence Berkeley National Laboratory. <a href="http://fasterdata.es.net/fasterdata-home/requirements-and-expectations/" target="_blank">http://fasterdata.es.net/fasterdata-home/requirements-and-expectations/</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>"Firewall Performance Comparison" (PDF). <a href="https://www.juniper.net/content/dam/www/assets/datasheets/us/en/security/security-products-comparison-chart.pdf" target="_blank">https://www.juniper.net/content/dam/www/assets/datasheets/us/en/security/security-products-comparison-chart.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>"Why Science DMZ?". Retrieved 2013-05-12. <a href="http://fasterdata.es.net/science-dmz/motivation/" target="_blank">http://fasterdata.es.net/science-dmz/motivation/</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>pmoyer (Dec 13, 2012). "Research & Education Network (REN) Architecture: Science-DMZ". Retrieved 2013-05-12. <a href="http://community.brocade.com/community/brocadeblogs/service_providers/blog/2012/12/13/research-education-network-ren-architecture-science-dmz" target="_blank">http://community.brocade.com/community/brocadeblogs/service_providers/blog/2012/12/13/research-education-network-ren-architecture-science-dmz</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>Dan Goodin (June 26, 2012). "Scientists experience life outside the firewall with "Science DMZs."". Retrieved 2013-05-12. <a href="https://arstechnica.com/security/2012/06/science-dmz/" target="_blank">https://arstechnica.com/security/2012/06/science-dmz/</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>"Science DMZ: Data Transfer Nodes". Lawrence Berkeley Laboratory. 2013-04-04. Retrieved 2013-05-13. <a href="http://fasterdata.es.net/science-dmz/DTN/" target="_blank">http://fasterdata.es.net/science-dmz/DTN/</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> </ol>