hospitals by hedongchenchen

VIEWS: 16 PAGES: 36

									Connecting hospitals to the NREN
    The Danish case story


     Copenhagen, 15th September 2009

               Martin Bech
          Deputy Director, UNI•C
          martin.bech@uni-c.dk
Optical network


•   Backbone in production
    from the middle of 2009
•   Access connections are
    continuously upgraded to
    optical networking
Metro-ring in the Copenhagen Area


                      IHK      15 km              LYNGBY
                               4,75 dB
                                         16 km
                                         5 dB
            28 km
            8 dB               Panum
                     12 km
                     4 dB
  Risø                                                     National and
                                6 km
                                                           International
                                2,5 dB
                                                           connections


  7 km               KVL-T     KUA
  2,75 dB
                     3 km
                     1,75 dB             6 km
                                         2,5 dB

  RUC        12 km   Hørs.     23 km              ØRESTAD
             4 dB              6,75 dB
Lightpaths for production IP
       AAU-2

       AAU-1



                                           LYNGBY

       AU-2

       AU-1

                                           ØRESTAD




       SDU-2             8 x 1GE
       SDU-1
                         10GE
                          Physical fibre
Moving towards supplying multiple
network connections everywhere
At every location we now offer:
• Internet production IP service (as always)
• Infinite traffic and bandwidth…
• A connection type appropriate to the need
• Multiple dedicated network connections for “intranet” and
   “lambda” use
• Segregation between the networks are realized by means of a
   combination of lightpaths, MPLS and even VLANs
University of
Aarhus: 23
locations

…and the other
universities are
not much better

This means a lot of
lightpaths…
Special services for special user groups
• Network for everyone
But on top of that, many of us are involved in serving the
  needs of special user groups:
• Supercomputing facilities
• GRID clusters
• Facilities for radio astronomy
• Video and telephony
• Content portals, databases etc.

But what about services for health research and health care?
Why is health research and health care
different from our other users?
• Not just a few large facilities, but also
• huge numbers of smaller entities/departments
• Huge numbers of scanners, databases and other facilities
• They all need their own separate private connections
• Users are very aware of security constraints, but totally unaware
  of the services and equipment that implement these constraints
• Many ad hoc projects and connections
Communicating across organizational boundaries


     LAN
                                   LAN

           FW                FW


                  External
                  network

                                  FW     LAN
The challenge

                                  External
                                  Network

           FW A                                              FW B



  Lab A      Firewall rules (A)               Firewall rules (B)      Lab B
                ------------                      ------------
                ------------                      ------------
            User A may access                 Service B may be
                Service B                    accessed by User A
                                                  ------------
  User A        ------------
                 -----------                       -----------      Service B
Setup of a new connection


                                   External
                                   Network

            FW A                                              FW B



   Lab A      Firewall rules (A)               Firewall rules (B)      Lab B
                 ------------                      ------------
                 ------------                      ------------
             User A may access                 Service B may be
                 Service B                    accessed by User A
                                                   ------------
   User A        ------------
                  -----------                       -----------      Service B
Expiry of a connection

                                   External
                                   Network

            FW A                                              FW B



   Lab A      Firewall rules (A)               Firewall rules (B)         Lab B
                 ------------                      ------------
                                                   ------------
                                                                    ?
                 ------------

                                   ?
             User A may access                 Service B may be
                 Service B                    accessed by User A
                                                   ------------
   User A        ------------
                  -----------                       -----------         Service B
Manual administration

• No problem for a single example such as this, except that
  the set-up of each connection typically takes a day
• But, if a research project with 20 partners are sharing just
  10 common services, the total number of rules are 1.900
• Most firewall administrators can’t say who is responsible
  for every rule

Therefore: We need a system to keep track of all these
  connections
The Connection agreement system

• All groups of users and all services are put into the
  system by the users
• User A finds Service B in a large directory
• User A enters a request for a connection to system B
• Both User A and the administrator of Service B
  accepts the connection in the system
• The system generates rules which the fírewall
  administrators put into their firewalls
Using the Connection Agreement System

                              Connection Agreement System




           FW A                    VPN                              FW B
                                  gateway
                                                     Firewall rules (B)      Lab B
  Lab A      Firewall rules (A)
                                                         ------------
                ------------                             ------------
                ------------                         Service B may be
            User A may access                       accessed by User A
                Service B                                ------------
  User A        ------------                              -----------      Service B
                 -----------
The connection agreement system

• Everybody can find the services they need – and each
  other
• Eliminates the need for administering a huge number of
  VPN tunnels
• Establishes documentation of who ordered what
  connection and how long it is supposed to exist
• Simplifies security administration
• A simple and inexpensive solution to a problem that is
  common to most researchers sharing resources
The technology works:
In production since 2003!
• The nation-wide Danish Health Data Network is
  based on the Connection Agreement System
• The swedish health network, Sjunet, has also
  decided to use the Connection Agreement System
• Several other countries and regions are considering
  implementing the Connection Agreement System
Number of connections registered
        Traffic volumes in the Danish Health Data network

Kbytes pr. month
 NRENs provide a lot of services…
                                Universities and        Hospitals
                                research institutions
Basic Internet connectivity     Yes                     Yes
Video conferencing              Yes
Collaboration tools             Yes
Lambda networking               Yes
IPv6                            Yes (but no use)
Roaming services                Yes
CERT and security               Yes
GRID and Scientific Computing   Yes
Media Libraries                 Yes
The Health Data Network provides:
                                   Hospitals
   Basic Internet connectivity     No
   Video conferencing              Yes
   Collaboration tools             Yes
   Lambda networking               Not yet
   IPv6                            If needed
   Roaming services                Yes
   CERT and security               Yes
   GRID and Scientific Computing   Yes
   Media Libraries                 Yes
  Can we generalize this approach?




Mega-science has it all:
• Separate λ-connections
• Dedicated GRID-clusters
• Services hardened to tolerate being directly on the internet
What do researchers with more
modest budgets do?
 Connecting two research resources
  Lab A                           Lab B


Analysis
equipment                             Scanner




                      No connection
Connecting two research resources
Lab A                               Lab B



                                    Scanner


                                Analysis
                                equipment


                   Too expensive and unflexible
   Connecting two research resources
    Lab A                                         Lab B


  Analysis
  equipment                                       Scanner




Not safe: Equipment will be hacked and connection is not secure
   Connecting two research resources
    Lab A                                        Lab B


 Analysis
 equipment                                        Scanner



               FW                          FW


Using firewalls:
Works, but unflexible and time-consuming to set up each time
  Connecting two research resources
   Lab A                 Connection           Lab B
                         Agreement
                         System


 Analysis
 equipment                                    Scanner



              FW                         FW


Using the Connection Agreement System:
Flexibility by user configuration
Have we now solved all problems?
YES – Once connected, new connections are operational almost
     immediately
YES – We can now manage the increased complexity of the
     explosion of many types of connections between
     organizations
YES – A light-weight alternative to dedicated lambda connections
     (no cost, immediate set-up)
YES – Local security administrators can let their users do the
     administration and documentation of their security
     components
NO – Network interoperability does not guarantee working
     interoperability of services
NO – The present system does not offer any means for identity
     management of users (yet…)
The health sector

•   Ought to be an integral part of every NREN community
•   They do research, education and an every-day production
•   Security constraints on the network usage
•   Their bandwidth needs are growing rapidly
•   Today, they are no different from our traditional community


Do we want to focus on the needs of the health sector?
Why do many NREN not have a health sector strategy?

								
To top