Network Performance Issues at the University of Utah. Draft for Review

Overview of Issues:

The University of Utah (UoU) is experiencing network performance issues that are severely degrading the ability of various disciplines to accomplish scientific, artistic and other research goals in a timely manner. Examples of network performance issues are: 50Megabit/second transfers from the Texas Advanced Computer Center, 12Mbit/sec transfers from Fermi National Labs, and 6.7Mb/s transfers from Oak Ridge National Labs. These performance issues are also preventing the University of Utah from fully realizing the significant investments it is making in network infrastructure, both on the campus and at Utah Education Network (UEN).

The Utah Education Network maintains a 10 Gigabit/second connection to the Internet2 backbone. The University of Utah maintains (2) 10 Gigabit/second connections to the Utah Education Network. For single box, single user, single application flows utilizing the IPv4 protocol, the University of Utah is only able to utilize .08% to 6% of the network connectivity to the Internet2 backbone. As the University of Utah looks to the next generation of Internet Protocol, IPv6, the performance is worse: .08% to 2% of the network connectivity to Internet2. For multiple box, multiple user, multiple application flows, the Univ. of Utah is hitting ceilings of 20-30% of the available network bandwidth. Utilizing its current security/network configuration, the University of Utah is NOT able to maximize its significant investment in network infrastructure.

Staff at the Center for High Performance Computing, campus Network Operations Center and the Utah Education Network have investigated and optimized the network and the campus Wide Area Network (WAN) firewall to the extent possible. At this time, the fundamental limitation is the campus WAN firewall. Staff have created a bypass of this firewall for a single measurement device and have been able to achieve a near line rate of 8.9Gigabits/second out of the University. For large data transfers in IPv6, the firewall vendor has explicitly stated that the firewall should not sustain any large IPv6 flows through the firewall.

Firewalls have traditionally been limitations to high performance transfers and other applications that are extremely network intensive. Even the "latest and greatest" in firewall technology often only keeps up for 1 to 2 years. Enterprises often need to amortize firewalls over 3-5 years. The University of Utah's current firewall is seven years old. The University of Utah and UEN have 10Gig connectivity today to the national research backbone. Over the next year and a half, the national Internet2 Research and Education backbone will implement 100Gig/s. The University of Utah and UEN will not go immediately to a large connection of this size, but will increase as the network usage increases.

Several University staff and faculty have collaborated in order to execute a large number of tests over the past year. These tests have involved several scenarios and tests from locations around the United States. The final sets of tests concluded in

March 2011 with a test machine with 10Gig/sec connectivity bypassing the campus WAN firewalls. This test machine sat very close to a baseline server which has been collecting data through the firewalls for over one year. Figure 1 shows a summary of these tests, specifically the average incoming data to the University of Utah.

Figure 1: Summary graph of average incoming data to CHPC from various locations around the United States, both with a firewall and without a firewall.

The results of these tests of various scenarios to the University of Utah have led to a set of recommendations that the University of Utah might potentially consider:

Recommendations:

1. Upgrade campus WAN firewalls as soon as possible
   a. Project Costs: approx $200,000. Already exists as a UPlanIT Portfolio project for
2. Create and segment a Performance Node/Science Demilitarized Zone (DMZ) similar to the trend happening in the national computational laboratories (see Eli Dart's slides: )
   a. Establish trial setup with a collaboration of the Center for High Performance Computing, Information Security Office and the campus Network Operations Center. Proposed project in UPlanIT Cyberinfrastructure Portfolio waiting for approval and detail, proof-of-concept prototype $50-$75k
   b. Investigate various long term architectural options; see Architectural Options Appendix
3. Create a goal and plan for the University of Utah to: "Move a TeraByte between the University of Utah and most large research institutions in the US in around 8 hours."
4. Implement security options in front of "Performance Node/Science DMZ" to give proactive and reactive protection

   a. Establish trial setup with a collaboration of the Center for High Performance Computing, Information Security Office and the campus Network Operations Center
      i. Example 1: BRO implementation at LBL ( (Prototype would require optical taps, equipment, scripting and part-time FTE from ISO and from CHPC - $50-100k, if chosen)
      ii. Example 2: Modification of University of Utah "autoshun" routines to work with non-production router; (Prototype would require scripting and part-time FTE from ISO and from CHPC - $50-$100k, if chosen)
   b. Implement project which would leverage as much of the existing campus licenses, hardware, and tap infrastructure as possible. (At this time, however, the existing infrastructure cannot handle current University of Utah IT loads. Upgrades to this infrastructure are awaiting the completion of a Security Gap Analysis project in the UPlanIT Infrastructure Portfolio and the allocation of $250k-$500k in budget.)
   c. Implement project which would leverage the DNS Blacklisting project, Firewall Protection project and other related security projects entering into the UPlanIT Infrastructure Portfolio.
5. Create a campus performance initiative with corresponding plans in UPlanIT for segmenting appropriate networks to the Performance Node/Science DMZ
   a. Identify and document tuning requirements for networks, hosts and applications (CHPC has some information already available).
   b. Define performance requirements and process for segmenting appropriate networks including confidential data identification and mitigation controls. (See Security Zone Appendix)
6. Setup and maintain an Active Network Measurement infrastructure that continually validates performance requirements
   a. Prototype implemented/funded by CHPC; work completed with collaboration from UEN, campus NOC and SCI
   b. Full implementation including University of Utah and key state higher education partners will require approximately $70k-$100k, depending on equipment leveraged by collaborators

Detail: Quantification of Network Impact of University of Utah Wide Area Network firewall

The University of Utah, Utah Education Network and their collaborators (i.e. BYU, USU, etc.) pay $525,000 per year for 10 Gigabits/second connectivity to the Internet2 backbone. Of this amount, the University of Utah has a pro-rated share of $262,500/year. This connectivity allows the University of Utah, other institutions in the state and other collaborators to directly access the Internet2 backbone, peer research university institutions, national labs (i.e. Lawrence Livermore National Lab,

Argonne National Lab, Oak Ridge National Lab, etc.), research instrumentation and other key government, research and collaborative institutions. Though 10Gigabits/second is available to Internet2, the University of Utah is only able to utilize a small average percentage of the available Internet2 bandwidth for single user/single application/single flow (<6%). For multiple users/multiple applications/multiple flows, the University of Utah is able to utilize the bandwidth somewhat more effectively but still not to its full availability.

Staff and faculty of the University of Utah have collaborated to create and graph transfers between the University of Utah and the various Internet2 Points of Presence (PoPs), as well as several of the national labs. These transfers have revealed various bottlenecks at the labs and the University of Utah campus. Staff and faculty have worked with the national labs and the technology on campus to either remove or optimize the throughput in/out of the University. Even after optimizing technology, the bandwidth out of the University still suffers dramatically. The average bandwidth from a device in CHPC with a 10Gig/s interface to an equivalent device in Houston with a 10Gig/sec interface is 144Megabit/s and the average bandwidth from Houston back to CHPC is 88.54Mb/s. Transfers between the University of Utah and an Internet2 measurement box in New York reveal a similar story. The average bandwidth from CHPC to New York is Megabits/sec and the average bandwidth from New York to CHPC is Megabits/sec through the 10Gigabits/sec connection. Graphs of transfers between the University of Utah and the Internet2 measurement box located at the Level 3 Point of Presence within Salt Lake City show an average bandwidth of Mb/s from the University to the I2 device and Mb/s from the I2 device to the University. In the Salt Lake City scenario, the latency is approximately 1ms or less and the location is so close that packet drops, buffer sizes, etc. play less of a factor. Comparatively, Houston is over 30ms away in network latency and over a thousand miles away in terms of fiber, multiple pieces of equipment, etc. All of these factors serve to impact data transfers, as well as magnify existing problems.

In order to isolate the major impediment to the data transfers in and out of the University of Utah, University staff set up another equivalent test box with a logical bypass of the campus Wide Area Network (WAN) firewall. The test box resides a couple of racks away from the original test box and traverses the same network infrastructure as the original test box. Staff then re-ran similar tests to the same destination points.

In direct comparisons, the CHPC measurement box that bypasses the campus firewall produced numbers closer to those expected for a 10Gig/sec circuit. Transfers from CHPC to the Internet2 Houston measurement box produced an average bandwidth of 5.11Gig/sec, while the average bandwidth from Houston back to CHPC is 4.46Gig/sec. Transfers from CHPC to the Internet2 New York measurement device produced an average bandwidth of 4.18Gig/sec while the average bandwidth on the return trip is 4.93Gig/sec. Transfers between CHPC and the Internet2 device in Salt Lake produced close to line rate on the 10Gig circuit. The average bandwidth from CHPC to the Salt Lake device is 8.18Gig/sec while the average bandwidth of the Salt Lake to CHPC transfer is 8.32Gig/sec.

The results of these tests conclusively proved that the major impediment to traffic in and out of the University was and is the WAN firewall. See graph detail appendix for several of the graphs of the data transfers to the various sites.

Qualification of need to balance performance and protection

Many dynamic, opposing tensions continue to exist in balancing performance, security and new research investigations. Enterprise firewalls necessarily have long amortization schedules due to the significant costs and complexity of the devices. Long amortization schedules typically translate into a lag in cutting edge features and performance as time progresses. Technologies for cutting edge research continue to evolve quickly, especially in areas that are network intensive. Performance needs continue to increase rapidly as vendors, staff and researchers identify bottlenecks and remove them. Enterprise firewalls and computer security require full time focus as well as ongoing training and education. Researchers require speed but also desire some protection. Researchers do not want to become security experts. In fact, for them to be experts in their field, they CANNOT become experts in the security field. All of these opposing factors create dynamic tensions which are difficult to solve.

Based on the data that staff and faculty of the University have accumulated, the existing campus WAN firewalls are severely impacting the ability to perform various types of research. However, without these firewalls or some alternative security strategies, the various types of research and University intellectual property are at risk. Upgrading these firewalls is a necessary step in enabling certain fields of research to progress in a timely fashion.

University of Utah researchers are now moving data sets on the order of several Terabytes daily and weekly. With maximum bandwidth available, moving one Terabyte of data takes 30 hours on a 100Mb/s network, 3 hours on a 1Gb/s network and 20 min on a 10Gb/s ( Researchers are typically moving the data from a resource where they gathered the data to a resource where they will process the data. While waiting, researchers are not able to move forward on certain aspects of their investigations. Many of the national labs and the networks that support them have agreed that a minimum should exist. As of 2011, that minimum is: "Moving a TeraByte between most large research institutions in the US should only take around 8 hours. This assumes an end-to-end path with a capacity of 1 Gbps or higher, and that only 1/3 of the capacity is used, leaving room for other users traffic." ( With a network infrastructure that compares to most of its peer institutions and some of the national labs in terms of bandwidth and capabilities, this minimum is one that the University of Utah could realistically strive for and obtain.

How does the University strive for this goal and still balance the needs of the enterprise for tight security? National science labs and national research/education and government backbones have wrestled with the balance of national security projects and supporting large volumes of specialized science. The approaches have varied. Current approaches involve a mix of very expensive high-end firewalls, dedicated gateway transfer machines and the ideas of "science demilitarized zones (DMZ)". Dedicated gateway machines involve staging of data by researchers from one location to another in order for it to transfer to yet a third location. This process is very time consuming and resource intensive from a researcher perspective. The idea of a "science DMZ"

allows a segregation of networks that places those with high performance and other specialized needs outside the firewall from the core enterprise or high security projects. -- (link to Eli Dart's slides: This approach usually utilizes alternative methods of providing dynamic border control lists and routing to mitigate the most egregious of risks. This approach gives whole, specific network segments full bandwidth and network resources while still providing protection.

A leading example of an alternative method is the implementation of Bro at Lawrence Berkeley National Lab (LBNL). Software engineers at LBNL have created an intrusion detection system and instrumented it to make changes at the WAN border in response to attacks. The intrusion detection system is not "in-line" and, therefore, operates in a non-interfering and passive manner. By operating in this "out-of-band" manner, the intrusion detection allows full access to the internet and yet maintains protection from those attacking the networks.

The University of Utah could utilize the Bro implementation or choose to leverage hardware/software that it already maintains. With the purchase of additional hardware and software licenses, the University of Utah could leverage the existing commercial product QRadar for its intrusion detection and monitoring. By scripting and building off of this platform, the University could potentially create a similar environment to that of LBNL.

For maintaining optimum performance, networks, end-hosts and file systems require tuning. These tuning activities are sometimes not ideal for the populace at large. An example is the configuration of deep buffers on a switch, which may speed up large transfers but negatively impact many small short transactions. Different security policies are also necessary for specific projects. How does one meet these requirements of research and still support the day to day operations of the enterprise? Again, segmentation along with alternative security mechanisms enables the fast moving fields of research to progress in a timely fashion today and tomorrow. Segmentation with traditional security mechanisms provides the security of the enterprise to meet the compliance requirements of today and tomorrow.

Checks and balances - Creating an Active Measurement infrastructure

In order to efficiently calibrate the network and maintain a proactive stance towards bandwidth intensive and latency sensitive applications, Active Measurement is necessary. An Active Measurement infrastructure is necessary to provide constant data regarding the network. An Active Measurement infrastructure also enables engineers to proactively diagnose across the local infrastructure and the Active Measurement infrastructure deployed across Internet2, Energy Sciences Network (ESnet - home of most of the labs), and to peer institutions. The perfSONAR package developed by groups in ESnet, Internet2, GEANT, etc. allows entities to deploy a consistent measurement infrastructure that allows the necessary testing and proactive troubleshooting. This infrastructure creates a convenient "checks and

balances" setup with the existing network, what vendors claim and what actually is happening on the network, often unbeknown to the engineers.

Recommendations/Conclusions:

1. Upgrade campus WAN firewalls as soon as possible

The University of Utah has created a Next Generation Firewall project within the UPlanIT Portfolio Management system. -> Infrastructure -> Next Generation Firewall

This project is for the 2012 Fiscal Year with a budget request of approximately $200,000. The first portion of the project will investigate different vendor firewalls to determine the best performance and feature set combination. The next generation of firewalls has a large breadth of performance and feature set support. The price points of the vendors vary widely. Full line rate support at 10Gigabit/second with a large firewall feature set comes at a premium. The University will attempt to balance the proper feature set/performance/price for the greatest amount of the constituents.

2. Create and segment a Performance Node/Science Demilitarized Zone (DMZ) similar to the trend happening in the national computational laboratories

Several of the large National Labs are collaborating with the Department of Energy and Sciences Network (ES-NET) to create strategic performance nodes/science Demilitarized Zones (DMZs). These Performance Networks/Science DMZs support the large data transfers and unique traffic flows necessary for various research disciplines while still protecting the administrative and compliance needs of the federal government and its collaborators (see Eli Dart's slides: ) This segmentation allows alternative security options in front of the high performance non-classified areas.

The University of Utah Center for High Performance Computing (CHPC) and the campus Network Operations Center (NOC) have prototyped the ability to logically segment a network and bypass the firewall for performance purposes. This segment supported a single machine and allowed staff to collect the data necessary to create the graphs shown in the Graph Detail Appendix. For this network segment to be of real use to the University, the basic prototype must include realistic security options and tests. Security MUST go hand in hand with explorations of network performance.

The Performance Architecture Testbed project within the Cyberinfrastructure Portfolio of UPlanIT will allow for explorations of network performance, unique network flows and various security options. The project url is: -> Cyberinfrastructure -> Performance Architecture Test Bed

This project will require additional details and approval. The project will also require at least $50k-$75k of funding for security proof of concept. In the past year through collaborative efforts, the University of Utah was able to create a simple logical bypass of the firewall for minimal costs. The University accomplished this task by leveraging existing technologies, focused time from various staff, and equipment that was not yet in production. Going forward, the University will need to make an investment in additional labor and some equipment in order to implement very basic security prototypes. These prototypes will help prove the feasibility of various ideas for implementation.

3. Create a goal and plan for the University of Utah to: "Move a TeraByte between the University of Utah and most large research institutions in the US in around 8 hours."

The various national labs, national research/education/government backbones and others have created this goal of transfer speeds based on the usage of a standard Gigabit connection. See This goal assumes an end-to-end path with a capacity of 1 Gbps or higher, and that only 1/3 of the capacity is used, leaving room for other users' traffic. The University of Utah should create a plan with a focused end date that ensures that any Gigabit attached machine should be able to obtain these speeds to remote sites which are capable. For 10Gig capable machines, the University should strive to maintain the same ratio through its network and security infrastructure. This ratio would imply at least 3Gigabit/second on 10Gig capable machines, which in turn, would imply a Terabyte moved within an hour. For reference, the chart at Expectations/Data-Transfer-Rates.pdf shows the bandwidth requirements for various data set sizes and times. Note that the goal is an attempt to balance high performance use and other simultaneous use of the Wide Area Network, as well as the research network connectivity.

4. Implement options in front of "Performance Node/Science DMZ" to give proactive and reactive protection

As discussed in recommendation 2, the Security models MUST walk hand-in-hand with the needs of performance and unique traffic flows. Staff from the Center for High Performance Computing, Information Security Office and the campus Network Operations Center will need to collaborate to investigate different security models that match these requirements and then implement the appropriate models. Two examples of potential implementation models are: a) the BRO implementation at LBL ( and b) the modification of University of Utah "autoshun" routines to work with existing QRadar implementation. Both implementation models utilize similar ideas of monitoring, comparing to rules and crafting Access Control Lists or Border Gateway Protocol (BGP) route injections to reject attackers. Both implementations utilize passive optical tap infrastructure which bleeds part of the light signal into dedicated analysis boxes. These analysis boxes analyze the data against rule sets and then craft the necessary response. Network flows from the routers also provide information to the analysis boxes. Both implementations would require optical tap

infrastructure, server hardware, personnel resources, and scripting. The Bro (or something similar) implementation has no license fees since it is open source. However, the package brings in yet another tool which security personnel would have to learn and maintain. An implementation based on QRadar leverages existing commercial packages that the University owns and operates currently. These commercial packages provide a lot of extra features and commercial support. However, these packages come with steep license fees based on the amount of monitored data and/or number of traffic flows (term has multiple meanings depending on software context). For high performance networks, this licensing scheme may become problematic.

The security infrastructure at the University of Utah is currently not adequate to support the existing needs of the University. Part of the infrastructure has reached End of Life status while part of the infrastructure requires significant upgrades in hardware, software and software licenses. The University has a Security Gap Analysis project in the UPlanIT Infrastructure Portfolio to address this situation. Upgrades will require a rough budget of $250,000-$500,000, depending on the scope. These upgrades will be necessary in order to provide any ongoing enterprise security and to provide any security implementation for a performance node/science DMZ. The performance node/science DMZ will leverage the upgraded security infrastructure and potentially share some of the cost.

Since security has multiple facets and is evolving constantly, the final implementation model will also leverage other security projects of the University. One example is the DNS Blacklisting Project. This project exists in the UPlanIT Infrastructure Portfolio with detail at the url: -> Infrastructure -> DNS Blacklisting

This project will utilize various source feeds from REN-ISAC for known malicious domains and then redirect or disallow DNS requests to these known malicious sites/domains. Another example project is the Firewall Protection Project. This project exists in the UPlanIT Infrastructure Portfolio with detail at the url: -> Infrastructure -> Firewall Protection

This project leverages Border Gateway Protocol (BGP) injections and router Access Control Lists in order to block malicious traffic. This project allows scripts to automatically install BGP null routes on border routers in order to redirect certain malicious traffic to nowhere. Leveraging the various projects allows better utilization of these investments.

The Cyberinfrastructure Portfolio Performance Network Testbed initiative will require a proof of concept security implementation. This proof of concept will leverage time from existing staff and incur up to $50-75,000 in hardware costs. These costs may drop if the University can leverage pre-production server hardware and existing spare router hardware. This proof of concept will allow the validation of the ideas for implementation purposes. This proof of concept will require the temporary repurposing of staff to modify existing scripts to work with this endeavor.
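The out-of-band pattern described in recommendation 4 and in the Firewall Protection Project (passive analysis box, rule comparison, then a scripted null route) can be sketched as follows. This is an added example, not code from the University, Bro or QRadar; the thresholds, the allowlist, the sample alerts and the Cisco IOS-style route syntax are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Policy values below are assumptions for illustration, not from the report.
THRESHOLD = 3        # alerts from one source ...
WINDOW_S = 60        # ... inside this many seconds trigger a block
BLOCK_TTL_S = 3600   # blocks expire so stale null routes do not accumulate
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",    # stand-in for campus address space
    "2001:db8:100::/48",  # stand-in for a collaborator's measurement hosts
)]


@dataclass(frozen=True)
class Alert:
    ts: int     # epoch seconds reported by the passive sensor
    src: str    # source address as text, exactly as the sensor logged it
    rule: str   # name of the rule that fired


def render(addr, add):
    """Render a host null route (Cisco IOS-style syntax, assumed)."""
    no = "" if add else "no "
    if addr.version == 4:
        return f"{no}ip route {addr} 255.255.255.255 Null0"
    return f"{no}ipv6 route {addr}/128 Null0"


class Shunner:
    def __init__(self):
        self.recent = defaultdict(deque)  # address -> alert times in window
        self.blocked = {}                 # address -> expiry time

    def is_blocked(self, src):
        return ipaddress.ip_address(src) in self.blocked

    def expire(self, now):
        """Withdraw blocks whose TTL has passed."""
        gone = [a for a, exp in self.blocked.items() if exp <= now]
        for a in gone:
            del self.blocked[a]
        return [render(a, add=False) for a in gone]

    def observe(self, alert):
        """Feed one alert; return the router changes it causes."""
        actions = self.expire(alert.ts)
        try:
            addr = ipaddress.ip_address(alert.src)
        except ValueError:
            return actions  # malformed source field: never act on it
        if addr in self.blocked:
            return actions
        if any(addr.version == n.version and addr in n for n in ALLOWLIST):
            return actions  # an automated response must not cut off our own hosts
        times = self.recent[addr]
        times.append(alert.ts)
        while times and times[0] <= alert.ts - WINDOW_S:
            times.popleft()
        if len(times) >= THRESHOLD:
            self.blocked[addr] = alert.ts + BLOCK_TTL_S
            del self.recent[addr]
            actions.append(render(addr, add=True))
        return actions


# Constructed sample alerts (documentation address ranges only).
SAMPLE = [
    Alert(1000, "203.0.113.7", "ssh-bruteforce"),
    Alert(1010, "198.51.100.20", "port-scan"),
    Alert(1015, "203.0.113.7", "ssh-bruteforce"),
    Alert(1020, "198.51.100.20", "port-scan"),
    Alert(1025, "198.51.100.20", "port-scan"),     # allowlisted: no block
    Alert(1030, "203.0.113.7", "ssh-bruteforce"),  # third in 60 s: block
    Alert(1040, "2001:db8::bad", "port-scan"),
    Alert(1200, "2001:db8::bad", "port-scan"),     # first alert has aged out
    Alert(1210, "2001:db8::bad", "port-scan"),
    Alert(1220, "not-an-ip", "parse-error"),       # ignored
    Alert(1230, "2001:db8::bad", "port-scan"),     # third in 60 s: block
    Alert(4700, "192.0.2.1", "port-scan"),         # first block has expired
]


def run(alerts):
    shunner, actions = Shunner(), []
    for alert in alerts:
        actions += shunner.observe(alert)
    return actions, shunner


if __name__ == "__main__":
    for line in run(SAMPLE)[0]:
        print(line)
```

The allowlist and the expiry are the two controls that keep an automated border response from becoming an outage of its own: a spoofed or noisy source inside an allowlisted range is never shunned, and every block is withdrawn without operator action.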

5. Create a campus performance initiative with corresponding plans in UPlanIT for segmenting appropriate networks to the Performance Node/Science DMZ

Once the network segment and final security implementation are in place, the University Network Operations Center (NOC) will need to work with constituents to plan the migration of identified networks into the Performance Node/Science DMZ. Staff will identify and document tuning requirements for networks, hosts and applications in order to best utilize the network. The Center for High Performance Computing (CHPC) is already attempting to document some of this information as a part of its day to day operations. Groups that require networks to connect to this Performance Node/Science DMZ will need to work closely with the University NOC and Information Security Office (ISO) staff to define the performance requirements/expectations and to define the process for segmenting the appropriate networks. Special care will be necessary to verify that only appropriate networks move into this network segment. Mitigation controls will need to be in place to prevent any undue risk or potential leak of confidential data.

6. Setup and maintain an Active Network Measurement infrastructure that continually validates performance requirements

Active Network Measurement is a crucial part of maintaining, monitoring and troubleshooting performance expectations. Active Network Measurement capabilities come in several forms. The University of Utah Center for High Performance Computing (CHPC) has partially funded and partially implemented a local perfSONAR ( active measurement infrastructure prototype that collaborates with the national and international perfSONAR infrastructure. This infrastructure will need to grow and be enhanced in order to provide good troubleshooting tools and research data. A full implementation that would provide multiple points within the campus, at the new data center and at strategic points around the state would cost $70k-$100k, depending on how much hardware the project can leverage from collaborators.

Graph Detail Appendix

Figure GraphDetail.1: Summary graph of average incoming data to CHPC from various locations around the United States, both with a firewall and without a firewall.

Figure GraphDetail.2: Transfers between CHPC and Internet2 Salt Lake Point of Presence through University of Utah WAN firewall

Figure GraphDetail.3: Transfers between CHPC and Internet2 Salt Lake Point of Presence bypassing University of Utah WAN firewall

Figure GraphDetail.4: Transfers between CHPC and Internet2 Los Angeles Point of Presence through University of Utah WAN firewall

Figure GraphDetail.5: Transfers between CHPC and Internet2 Los Angeles Point of Presence bypassing University of Utah WAN firewall

Figure GraphDetail.6: Transfers between CHPC and Internet2 Houston Point of Presence through University of Utah WAN firewall

Figure GraphDetail.7: Transfers between CHPC and Internet2 Houston Point of Presence bypassing University of Utah WAN firewall

Figure GraphDetail.8: Transfers between CHPC and Internet2 Washington, D.C. Point of Presence through University of Utah WAN firewall

Figure GraphDetail.9: Transfers between CHPC and Internet2 Washington, D.C. Point of Presence bypassing University of Utah WAN firewall

Figure GraphDetail.10: Transfers between CHPC and Internet2 New York Point of Presence through University of Utah WAN firewall

Figure GraphDetail.11: Transfers between CHPC and Internet2 New York Point of Presence bypassing University of Utah WAN firewall

Figure GraphDetail.12: Multiple user/multiple application/multiple flow use of the Campus WAN connection through the firewall

Security Zone Appendix

The Security Zones diagram shows the architectural discussion of the Security Zones of the University of Utah. This segmentation breaks out large mostly homogenous groups in terms of different security models. Specific security controls should govern the traffic between zones. The Performance Node/Science Demilitarized Zone (DMZ) model has characteristics of zone 2 and zone 4. Some minimal protection is necessary from the raw Internet and the zone will have both servers and some special requirement clients. Some protection is also necessary from this grouping of servers and clients to more secure areas of the University such as Hospital and clinical, administrative services and other mission critical services to the University.

Figure SecZone.1: University of Utah Security Zone Diagram


Architectural Options Appendix

The following diagrams show the current Wide Area Network (WAN) firewall replacement and outline various options for creating a Performance Node/Science DMZ. The University can use the various options as discrete options from which to choose or actual architectural phases through which it can morph the network and security alternatives as use becomes greater.

Figure ArchOptions.1: Current WAN Firewall Replacement

Figure ArchOptions.2 shows a logical bypass of the WAN firewalls utilizing the technology of Multiprotocol Label Switching (MPLS). Various departments would feed logical Virtual Local Area Networks (VLANs) to the campus distribution nodes and the campus would logically take the traffic around the firewalls via MPLS. This technique allows a very minimal cost to segmenting the network. This logical bypass would terminate at a point where optical taps could capture the traffic and feed it back to a security device. Network flows from the terminating router could also feed back to a security device. Scripts on the security device would modify security Access Control Lists (ACLs) or Border Gateway Protocol (BGP) injections on the router.

Figure ArchOptions.2: MPLS Firewall Bypass with Alternate Security

Figure ArchOption.3 shows a physical distribution node with a logical MPLS firewall bypass. This architectural option shows the physical segmentation of the Performance Node/Science DMZ. The physical segmentation allows departmental groups to bring VLANs physically to a dedicated performance distribution node. Unlike other campus distribution nodes, this physical node could have characteristics tuned toward performance or other special protocols. The egress from this physical node would use an aggregate MPLS logical tunnel to bypass the firewall. The alternative security options would be the same as those of Architectural Option 2.

Figure ArchOption.3: Performance Node with firewall bypass but same WAN connectivity (includes Alternate Security)

Figure ArchOptions.4 shows a completely physical segmentation of the Performance Node/Science DMZ architectural concept. A physical Performance node, an Internet Border router and additional connectivity to the Utah Education Network comprise this approach. The physical equipment allows specialized tuning and performance parameters that are unique to the performance and special flow environments. This approach uses the same alternative security options as ArchOptions.2. Though this approach is the most costly, it also allows the greatest risk mitigation. It physically isolates high-performance and/or special protocol requirements so that they cannot negatively impact the WAN ingress/egress that serves the non-performance-based research, academic, hospital and administrative portions of the University. This approach stays within the overall campus network architecture and supports the campus as a whole, but is also tailored to the special needs of certain research segments.

Figure ArchOptions.4: Performance Node with additional dedicated WAN connectivity (includes Alternate Security)
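The alternate security described for ArchOptions.2 (router flow records fed to a security device whose scripts adjust ACLs or BGP injections) can be sketched as follows. This is an added example, not part of the original draft or the University's tooling; the prefixes, threshold, discard next hop, and the IOS-style ACL and ExaBGP-style announce text are assumptions, and the flow records are constructed.

```python
"""Flow-driven blocking for a firewall-bypass (Science DMZ) path. Added example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values, not taken from the draft.
SCIENCE_DMZ = ip_network("198.51.100.0/24")   # hosts behind the bypass
TRUSTED_PEERS = [ip_network("192.0.2.0/28")]  # known data-transfer partners
FANOUT_LIMIT = 20               # distinct (host, port) targets per window
DISCARD_NEXT_HOP = "192.0.2.254"  # next hop the router routes to discard


def build_sample_flows():
    """Constructed flow records: (source, destination, destination port)."""
    flows = []
    # An external host probing 30 ports on one DMZ server.
    for port in range(1, 31):
        flows.append(("203.0.113.77", "198.51.100.10", port))
    # A trusted peer running 25 parallel data channels. Its fan-out looks
    # like a scan, which is why the allowlist check matters.
    for port in range(50000, 50025):
        flows.append(("192.0.2.5", "198.51.100.20", port))
    # Ordinary interactive use from an unknown external host.
    for port in (22, 443, 443):
        flows.append(("203.0.113.9", "198.51.100.30", port))
    # Outbound traffic that originates inside the DMZ is not evaluated.
    flows.append(("198.51.100.20", "203.0.113.200", 443))
    return flows


def find_offenders(flows, trusted=TRUSTED_PEERS, limit=FANOUT_LIMIT):
    """Return external sources whose fan-out into the DMZ exceeds the limit."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in SCIENCE_DMZ or d not in SCIENCE_DMZ:
            continue  # only inbound flows toward the DMZ are scored
        fanout[s].add((d, dport))
    offenders = []
    for s, targets in fanout.items():
        if len(targets) <= limit:
            continue
        if any(s in net for net in trusted):
            continue  # never block an allowlisted science partner
        offenders.append(s)
    return [str(a) for a in sorted(offenders, key=lambda a: (a.version, int(a)))]


def render_acl(offenders):
    """IOS-style extended ACL entries (IPv4 only), one per offender."""
    return [f"deny ip host {ip} any" for ip in offenders]


def render_bgp(offenders, next_hop=DISCARD_NEXT_HOP):
    """ExaBGP-style announcements tagged with the BLACKHOLE community.

    Dropping by source this way assumes the router checks packet sources
    against these routes (loose uRPF); that router setup is an assumption.
    """
    lines = []
    for ip in offenders:
        plen = ip_address(ip).max_prefixlen
        lines.append(
            f"announce route {ip}/{plen} next-hop {next_hop} "
            "community [65535:666]"
        )
    return lines


if __name__ == "__main__":
    bad = find_offenders(build_sample_flows())
    for line in render_acl(bad) + render_bgp(bad):
        print(line)
```

Without the allowlist, the parallel-stream transfer would be blocked alongside the scanner, which would defeat the purpose of the bypass.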


More information

SwiftStack Global Cluster Deployment Guide

SwiftStack Global Cluster Deployment Guide OpenStack Swift SwiftStack Global Cluster Deployment Guide Table of Contents Planning Creating Regions Regions Connectivity Requirements Private Connectivity Bandwidth Sizing VPN Connectivity Proxy Read

More information

Network Architecture Validated designs utilizing MikroTik in the Data Center

Network Architecture Validated designs utilizing MikroTik in the Data Center 1-855-MIKROTIK Network Architecture Validated designs utilizing MikroTik in the Data Center P R E S E N T E D B Y: K E V I N M Y E R S, N E T W O R K A R C H I T E C T / M A N AG I N G PA R T NER I P A

More information

Site2Site VPN Optimization Solutions

Site2Site VPN Optimization Solutions XROADS NETWORKS WHITE PAPER Site2Site VPN Optimization Solutions XROADS NETWORKS - WHITE PAPER Site2Site VPN Optimization Solutions The purpose of this paper is to provide an understanding of how XRoads

More information

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed

More information

IT Sample Duties and Responsibilities Statements BAND B POSITION CONCEPT: JOURNEYWORKER / WORKING SUPERVISOR / LEAD WORKER

IT Sample Duties and Responsibilities Statements BAND B POSITION CONCEPT: JOURNEYWORKER / WORKING SUPERVISOR / LEAD WORKER BAND B POSITION CONCEPT: JOURNEY / WORKING SUPERVISOR / LEAD Multi-user System Administration Systems & Services Administration Installs, configures, and optimizes operating systems. Installs, tests, and

More information

IVCi s IntelliNet SM Network

IVCi s IntelliNet SM Network IVCi s IntelliNet SM Network Technical White Paper Introduction...2 Overview...2 A True ATM Solution End to End...2 The Power of a Switched Network...2 Data Throughput:...3 Improved Security:...3 Class

More information

TRUFFLE Broadband Bonding Network Appliance BBNA6401. A Frequently Asked Question on. Link Bonding vs. Load Balancing

TRUFFLE Broadband Bonding Network Appliance BBNA6401. A Frequently Asked Question on. Link Bonding vs. Load Balancing TRUFFLE Broadband Bonding Network Appliance BBNA6401 A Frequently Asked Question on Link Bonding vs. Load Balancing LBRvsBBNAFeb15_08b 1 Question: What's the difference between a Truffle Broadband Bonding

More information

The Application Front End Understanding Next-Generation Load Balancing Appliances

The Application Front End Understanding Next-Generation Load Balancing Appliances White Paper Overview To accelerate download times for end users and provide a high performance, highly secure foundation for Web-enabled content and applications, networking functions need to be streamlined.

More information