Cisco Open SDN Controller 1.0 White Paper
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 10
White Paper
Event-Based Software-Defined Networking: Build a
Secure Science DMZ
What You Will Learn
As the need to efficiently move large data sets around the world increases, the Science DMZ - built at the network
edge and designed to be secure without the performance limitations imposed by traditional security devices such
as firewalls - is becoming vital. This document explores an event-based software-defined networking (SDN)
solution that improves both the security and efficiency of the traditional science DMZ. The document discusses:
● Current science DMZ implementations and weaknesses
● Network functions needed for a secure science DMZ
● Concepts of event-based SDN
● Details of the reference implementation
This document is intended for individuals responsible for designing and engineering solutions for networks that
involve the movement of large amounts of data.
Background
Scientific research increasingly relies on very large data flows, with large collaborative partnerships of researchers
and the transfer of data from experiments and simulations around the world. The unique characteristics of this
huge data transfer pose new networking challenges:
● Traditional campus networks are designed for enterprise business operations. They are typically built for a very large number of small flows and are not well suited to the bulk transfer of scientific data, which is characterized by a small number of very large flows.
● Carrying these large scientific flows over a traditional campus network has significant drawbacks. For typical enterprise traffic, a small amount of packet loss is tolerated in the campus LAN. However, once WAN latency is introduced, even very small amounts of packet loss can reduce TCP throughput by an order of magnitude, so such a network does not meet the stringent requirements for the movement of scientific data.
● The hardware limitations of firewalls are exposed when heavy big-data flows must be processed under complex firewall rule-set constraints. Other limitations, such as aging fiber-optic plant, also constrain the performance of these large flows.
● Traditional campus networks are optimized for security and partially sacrifice performance to achieve it. This optimization leads to campus firewall policies that block ports or limit flows needed for various data-intensive experiments.
● The traffic engineering methods of traditional campus networks cannot perform the detailed flow classification needed to enforce big-data policies for bandwidth provisioning.
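The second bullet above (a loss rate that is harmless on the campus LAN becomes crippling once WAN latency is added) can be quantified with the Mathis steady-state TCP throughput bound, throughput <= (MSS / RTT) * (C / sqrt(p)). The following is an added worked example, not code from the Cisco white paper or the Open SDN Controller project; the constant C = 1.22, the 1460-byte MSS, the 1 ms campus RTT and the 50 ms WAN RTT are all assumed illustrative values, and the model assumes random (not bursty) loss and a single long-lived TCP flow. It shows why the same 0.01% loss rate costs a factor of 50 in throughput at WAN latency, and what loss budget a 10 Gbps transfer at 50 ms RTT actually has.

```python
import math

# Mathis et al. (1997) steady-state TCP throughput bound:
#     throughput <= (MSS / RTT) * (C / sqrt(p))
# C ~ 1.22 is a commonly quoted value for TCP with delayed ACKs; the exact
# constant depends on the loss model, so treat it as an assumption here.
MATHIS_C = 1.22


def mathis_throughput_bps(mss_bytes: int, rtt_s: float, loss_rate: float) -> float:
    """Upper bound on single-flow TCP throughput in bits/s.

    mss_bytes: maximum segment size in bytes (1460 for a 1500-byte MTU)
    rtt_s:     round-trip time in seconds
    loss_rate: probability that a segment is lost (0 < p < 1)
    """
    if loss_rate <= 0 or loss_rate >= 1 or rtt_s <= 0:
        raise ValueError("rtt_s must be positive and 0 < loss_rate < 1")
    return (mss_bytes * 8 / rtt_s) * (MATHIS_C / math.sqrt(loss_rate))


def loss_budget(mss_bytes: int, rtt_s: float, target_bps: float) -> float:
    """Largest loss rate at which the Mathis bound still reaches target_bps
    (the bound solved for p)."""
    if target_bps <= 0 or rtt_s <= 0:
        raise ValueError("target_bps and rtt_s must be positive")
    return ((mss_bytes * 8 * MATHIS_C) / (rtt_s * target_bps)) ** 2


def lan_vs_wan(mss_bytes: int, lan_rtt_s: float, wan_rtt_s: float, loss_rate: float) -> dict:
    """Compare the same loss rate on a campus-LAN RTT and on a WAN RTT.

    Returns the two bounds and the ratio, so the 'order of magnitude'
    claim in the text can be checked numerically rather than asserted.
    """
    lan = mathis_throughput_bps(mss_bytes, lan_rtt_s, loss_rate)
    wan = mathis_throughput_bps(mss_bytes, wan_rtt_s, loss_rate)
    return {"lan_bps": lan, "wan_bps": wan, "lan_over_wan": lan / wan}


if __name__ == "__main__":
    # Assumed illustrative parameters: 1500-byte MTU, 1 ms campus RTT,
    # 50 ms cross-country WAN RTT, 0.01% random loss.
    mss, lan_rtt, wan_rtt, p = 1460, 0.001, 0.050, 1e-4
    r = lan_vs_wan(mss, lan_rtt, wan_rtt, p)
    print(f"loss {p:.0e}: LAN bound {r['lan_bps']/1e9:.2f} Gbps, "
          f"WAN bound {r['wan_bps']/1e6:.1f} Mbps, ratio {r['lan_over_wan']:.0f}x")
    budget = loss_budget(mss, wan_rtt, 10e9)
    print(f"loss budget to sustain 10 Gbps at {wan_rtt*1000:.0f} ms RTT: {budget:.1e}")
```

The ratio between the LAN and WAN bounds is simply wan_rtt / lan_rtt, which is the whole point: a campus network that tolerates 0.01% loss will still deliver more than a gigabit per second locally, but the identical loss rate caps a 50 ms transfer below 30 Mbps, and sustaining 10 Gbps at that RTT requires loss below roughly one segment in a billion. That is the engineering argument for keeping a science DMZ path free of the packet loss that firewalls and congested campus links introduce.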