Hi,

Does anyone have any good references on Science DMZs/Data Transfer Zones? It sounds better than "firewall bypass" and, as a quite hot topic at the moment, that might be the best thing to go in asking for. I believe that's the JISC recommendation, so if there's anything from JISC that Liverpool can take to their networking people, that could be good.

On firewalls, there are two things. Firstly, I suspect most 10Gb/s rated appliances are only rated at that with a single "PASS ALL" rule. Secondly, even if the firewall appliance can handle a throughput of 10Gb/s, that's probably only spread over thousands of individual connections, and the per-stream rate of any individual connection will be much lower (I'm actually pretty impressed with Cambridge's 1Gb/s stream rate; that's way better than we've ever got out of some pretty expensive kit at RAL).

Yours,
Chris.

P.S. Does it mean anything that I keep on mistyping 'networking' as 'notworking'?

On 26/01/2018, 09:55, "Testbed Support for GridPP member institutes on behalf of Peter Clarke" <[log in to unmask] on behalf of [log in to unmask]> wrote:

    John
    
    I'm interested in seeing the replies coming in.
    
    For completeness, Edinburgh also has a very good relation with our networking people, whose attitude is "how can we make sure the science gets done".
    There is no question of paying for this sort of thing.
    
    The problem here is that this needs to be raised above your network group at a strategic level.
    
    In Edinburgh I communicate directly with Heads of College, Head of IS, etc., and so our needs are understood in the context of "does this university
    want to be a peer with other research-led universities, and play in the arena of global data-intensive science",
    i.e. are we a "well-found university".
    
    I also have said within Edinburgh (although I have hardly had to use it) that other sites have no problem, and the bottom line is that we would cease
    to be a Tier-2 if insurmountable barriers were placed in front of us by the university centre.
    
    So I would suggest you talk with Themis to see if there is a way to bring this up at a more strategic level
    without annoying anyone.
    I'm happy to talk to Themis with you if it helps.
    This is one of the reasons we have the Network Forward Look, by the way, so you can take it to university management and
    show them what their peers are doing.
    
    Pete
    
    
    On 26 Jan 2018, at 08:20, John Bland <[log in to unmask]> wrote:
    
    Hi,
    
    We're getting some push back from our central networking team about our WAN connectivity.
    
    Our current connection uses the standard shared campus WAN, passing through the university firewall, then out to JISC through a redundant pair of 10G links.
    
    Although we have our 'grid' IP range set to be not filtered by the firewall, all packets still pass through it and still get hit with some filtering (the most recent bit of fun was SSL connections with X509 certificates being dropped because they were wrongly marked as 'insecure', essentially killing all Grid traffic).
    
    Our traffic also causes campus-wide issues, mostly due to overloading the firewall rather than the links themselves, so we are throttled to ~5G. While we have IPv6 addresses our traffic is being heavily throttled (~0.3G) by university routers in the path that have very poor IPv6 performance.
    
    The plan was to reuse some university routers to upgrade the physical connection and to provide us with a direct 10G link to the JISC WAN, with no University firewall and (supposedly) much better IPv6 throughput.
    
    Despite this initial progress the University is now pushing us (again) to pay for our own direct 10G link to JISC, and pay for and install a hardware firewall on this connection (yeah). Apparently another department has done this (why, or how, we don't know).
    
    What would be interesting to know before loading up my shotgun and replying to them is whether other Grid sites do this, or have been asked to do this. Does any other Grid site pay for a dedicated WAN uplink to JISC just for GridPP or their department? Do you put a hardware firewall on this path as well?
    
    Cheers,
    
    John
    
    -- 
    John Bland                       [log in to unmask]
    Research Fellow                  office: 220
    High Energy Physics Division     tel (int): 42911
    Oliver Lodge Laboratory          tel (ext): +44 (0)151 794 2911
    University of Liverpool          http://www.liv.ac.uk/physics/hep/
    "I canna change the laws of physics, Captain!"
    
    
    
    The University of Edinburgh is a charitable body, registered in
    Scotland, with registration number SC005336.