ASU Brocade SDN for Internet2


Upload: jay-etchings

Post on 07-Aug-2015


TRANSCRIPT

Page 1: ASU Brocade SDN for Internet2

Arizona State University has become the foundational model for the “New American University”, a new paradigm for the public Research University that transforms higher education. ASU is committed to Excellence, Access and Impact in everything that it does.

Presenter
Presentation Notes
Quick Facts:
• Founded in 1885 as the Territorial Normal School
• Renamed to Arizona State University in 1958
• In 1994 ASU was classified as a Research I institute
• Largest public university in the United States by enrollment
• 83K Students enrolled in Academic year 2013-2014
• 20K Degrees completed
• Ranked #4 in the world for US patents in universities w/o a medical school
• Research Expenditures = $700 Million a Year

Currently, Arizona State University is ranked among the Top 25 research institutes in the U.S. in terms of research output, innovation, development, research expenditures, number of awarded patents, and awarded research grant proposals. ASU is measured not by who it excludes but by whom it includes.
Page 2: ASU Brocade SDN for Internet2
Presenter
Presentation Notes
Quick Facts:
• Slides from Arizona Board of Regents meeting (ABOR)
• Research Expenditures have tripled in ten years
• The NSF is aggressively seeking collaborative solutions and methodologies apart from the traditional HPC organizations. This opens the door for the NGCC.
• Software Defined Data Center
• A first generation Data Science Research Instrument.
• Software Defined Networking
Page 3: ASU Brocade SDN for Internet2

Key University Needs
• Improved Operational Efficiency
• Increased Service Agility / Dynamic Rapid Elasticity
• Leverage Commodity Hardware / Vendor Agnosticism
• Programmable, Pluggable Architectures
• Low Latency / High Bandwidth / High Availability
• Hybridized Cloud Model (Software Defined Datacenter - SDN)
• Improved Time to Research!
• Control of the ‘Wild West’ that could be

Presenter
Presentation Notes
Challenges you say? NSF sharing the federal funding dollar reduction impact with research universities. Building a demand for ‘more creative, collaborative’ solutions. Extend the lifespan of hardware acquisitions through software. Highly Available - Friction Free - High Bandwidth over Internet2. And make all this happen without the SSO having your head on a plate for hearing about the university on the evening news. (DDoS from inside out / We have 5K cores & 100G)
Page 4: ASU Brocade SDN for Internet2
Presenter
Presentation Notes
The NGCC infrastructure choreographs a diverse collection of physical and logical capabilities that perform as an integrated whole. The infrastructure resources represent a combination of local instantiations and virtual capacity. Dr. Kenneth Buetow project University Funded to create a “First Generation Data Science Instrument” and the infrastructure to support it.
Page 5: ASU Brocade SDN for Internet2

Self-Defined Isolated Workloads
• Segregated servers lead to under-utilized assets
  – Inefficient utilization of capacity, energy and dollars

GPG Compute

Virtual Compute

Hadoop Ecosystem

Presenter
Presentation Notes
• Dynamic compute resources: Dynamic Provisioning Portal for HPC, GPU and Big Data
• Intra-Inter University Collaborative Model: Internet2 Connectivity for statewide collaboration
• Elastic programmable networks: OpenDaylight based OpenFlow controllers with a spare set dedicated to CS and Eng. (Fulton)
• Unified “Open” storage platform: Not just Big Data, but Open Big Data focused intra-inter university collaboration(s)
• Flexibility in programming models: OF 1.3, Python, Java, Scala, and multiple UDF and prebuilt flows and tools
• Deployment automation: Dynamic allocation of HPC, GPU, VI (KVM, Hyper-V, VMware, Xen) and BMP resources with validated templates
• Holistic, solution based approach: Not about the legacy approach of cores/nodes. About the Why and not the How
• Pluggable, Programmable Architecture: Flexible, Modular, Elastic and Future Proof, OR less vulnerable than previous architectures
• Cloud Bursting for Adaptive Workload Management: Integration with S3, Azure, and hybrid cloud partners including public cloud providers
• Technologies that Work! Built on OpenStack, ODP, OF, and a Vision
Page 6: ASU Brocade SDN for Internet2

The “Software Defined Network”

[Diagram labels: five APP / API pairs; Open Source Network Operating System; Open Interface to Hardware Components (OpenFlow 1.3); Packet Forwarding Hardware – Merchant Silicon ODM]

Rapid Elasticity

Presenter
Presentation Notes
High Level overview of components and rapid elasticity
Page 7: ASU Brocade SDN for Internet2
Presenter
Presentation Notes
Unconstrained Bandwidth Availability – 100GE Layer 2 Connection: Extraordinary increases in network capacity and speed, delivered across a 100GE national backbone, deep into the places where tomorrow’s innovators are at work, enabling widespread application development and delivery.

A New Class of Control – Software Defined Networks: Entirely new dimensions of possibility, allowing previously untouchable, inflexible networks to be deeply programmable and optimized for compute, storage, visualization and transport capabilities so all can be driven by applications.

Fewer Bottlenecks – Science DMZ: Pioneering concepts like the Science DMZ provide a blueprint for architecting and optimizing local networks to support the very unique needs of passing high-bandwidth research data. Using this model, campuses experience improved application performance without sacrificing security, and as a result can fully leverage their investments in 100GE connectivity.
Page 8: ASU Brocade SDN for Internet2

ASU SDN Research Initiatives
• FlowGuard
  • Joint initiative with Clemson to create a Robust SDN firewall
  • Verification of direct and indirect policy violations
  • Packet Filter as well as Policy Checker
  • Flow path space analysis & Flow path space calculation
  • Partially funded by DOE Grant (DE-SC0004308)

FlowGuard: Building Robust Firewalls for Software-Defined Networks | Hongxin Hu, Wonkyu Han, Gail-Joon Ahn and Ziming Zhao / Arizona State University, HotSDN 2014
http://www.public.asu.edu/~zzhao30/publication/HongxinHotSDN2014.pdf

Presenter
Presentation Notes
A firewall in SDN is both Packet Filter + Policy Checker:
– The first packet goes through the controller and is filtered by the firewall
– The subsequent packets of the flow directly match the flow policy

Violations can not only be detected but mitigated programmatically. Indirect violation = dynamic packet modification en route (manipulation of Set-Field in OpenFlow).

Remember: Internal firewalls trust one side and distrust another. This methodology does not support an active research environment. SDN can provide Centralized firewall services, Firewall on Demand and Distributed firewall(s).

Floodlight, FlowGuard, Flowspace, Flow path space analysis

Notice: Stateful Monitoring: Currently, OpenFlow only provides very limited access to packet-level information in the controller. In addition, the OpenFlow forwarding plane is almost stateless and unable to actively monitor flow status without the involvement of the controller. Therefore, it is challenging to fully support stateful packet inspection in SDN firewalls. http://sefcom.asu.edu/publications/towards-reliable-sdn-ons2014.pdf
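The indirect-violation check described in these notes, as an added example (not code from the slides, FlowGuard or Floodlight): one concrete packet is traced through constructed flow tables, whereas FlowGuard itself reasons over header-space sets. Switch names, addresses and function names are assumptions made for illustration.

```python
# Constructed data: three switches with exact-match IPv4 rules only.
DENY = [("10.0.0.1", "10.0.0.3")]  # firewall policy: (original src, final dst)

# Per-switch flow tables: (match, set_field, next_hop); next_hop None = deliver.
FLOW_TABLES = {
    "s1": [({"src": "10.0.0.1", "dst": "10.0.0.2"}, {"src": "10.0.0.9"}, "s2")],
    "s2": [({"src": "10.0.0.9", "dst": "10.0.0.2"}, {"dst": "10.0.0.3"}, "s3")],
    "s3": [({"dst": "10.0.0.3"}, {}, None)],
}

def trace(pkt, switch, tables=FLOW_TABLES, max_hops=16):
    """Follow one packet hop by hop, applying Set-Field rewrites.

    Returns (path, final_header). path holds the header as it arrives at each
    switch; final_header is None on a table miss or a forwarding loop.
    """
    hdr, path = dict(pkt), []
    while switch is not None and len(path) < max_hops:
        path.append((switch, dict(hdr)))
        rule = next((r for r in tables.get(switch, [])
                     if all(hdr.get(k) == v for k, v in r[0].items())), None)
        if rule is None:
            return path, None          # table miss: packet goes to controller
        hdr.update(rule[1])            # Set-Field action rewrites the header
        switch = rule[2]
    return path, (hdr if switch is None else None)

def per_hop_filter_hits(pkt, ingress, deny=DENY):
    """Packet-filter view: compare the header seen at each switch to the policy."""
    path, _ = trace(pkt, ingress)
    return [sw for sw, h in path if (h["src"], h["dst"]) in deny]

def flow_path_violation(pkt, ingress, deny=DENY):
    """Policy-checker view: original source against the delivered destination."""
    _, final = trace(pkt, ingress)
    return final is not None and (pkt["src"], final["dst"]) in deny

if __name__ == "__main__":
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2"}
    print("per-hop filter hits:", per_hop_filter_hits(pkt, "s1"))
    print("flow-path violation:", flow_path_violation(pkt, "s1"))
```

The per-hop filter reports nothing for this packet because no switch ever sees the denied pair in one header, while the path check flags it.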
Page 9: ASU Brocade SDN for Internet2

Violation Resolution Mechanism

• Flow Tagging
• Flow Rerouting

Page 10: ASU Brocade SDN for Internet2

Scalability & Performance Analysis

Page 11: ASU Brocade SDN for Internet2

ASU SDN Research Initiatives (Cont.)

• NICE
  • Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems.
• NPVM
  • Non-Intrusive process-based monitoring system to mitigate and prevent VM vulnerability explorations.
• FlowGuard (Enhancements)
  • Distributed robust firewall SDN/NFV
  • Further Development of Stateful SDN Firewall mechanisms
  • Firewall Virtualization utilizing Network Function Virtualization (NFV)
  • Robust Security Enforcement Kernels for SDN controllers

http://sefcom.asu.edu/publications/towards-reliable-sdn-ons2014.pdf
http://www.projectfloodlight.org/

Page 12: ASU Brocade SDN for Internet2

Vendor Evaluation
• Unified Switch-Controller Solution (NOT Piecemeal)
• Dual 100G inputs (NOT aggregates of lesser bandwidth), modular array of 40G-10G
• ODP compliant (supported) SDN controller (Not 3rd party): OpenDaylight
• OpenFlow 1.3 capabilities ‘Required’
• DISA-STIG Best Practices alignment
• Intelligent Flow Management Solution
• Hybrid mode SDN also a desired quality as it minimizes cabling
• sFlow is handy for Traffic management as well as SDN DDoS Mitigation
• Best cost per 100G / 40G port in evaluation amongst 5 Top Vendors

1. OpenDaylight ODP project, http://www.opendaylight.org/
   DISA-STIG Practices guide, http://www.disa.mil/
   Internet2 SDN, http://www.internet2.edu/
2. RaaS Internet2 “New Models for Research”, http://www.hpcwire.com/2015/03/16/new-models-for-research-part-ii/
   Brocade Vyatta SDN, http://www.brocade.com/products/all/software-defined-networking/brocade-vyatta-controller/index.page

Best Practices. Fulfillment of published and presented capacity as discussed in https://www.linkedin.com/pulse/internet-2-innovation-jay-etchings?trk=prof-post (This communication is included in the university's presentation at Internet2 Global Summit. Innovations High-Volume Life Sciences Research, has been selected to be Netcast at our upcoming 2015 Global Summit in Washington, DC http://meetings.internet2.edu/2015-global-summit/detail/10003667/)

Presenter
Presentation Notes
Tested 5 vendors internally and selected Brocade. With that selection we received some bonus features. And we saved MONEY.

(Other Musings)
• You don’t know what you will get in terms of controller quality, support turnaround plus meantime if on older reused server or a VM is used for OESS to cut costs
• Don’t know redundancy/reliability levels
• User experience is limited to OESS – depending on NEC or other response
• Build your own for additional user experience options may be time consuming
• Open source type support and subject to UTO/CL support mean times
• No Autonomy of controller use and administration
• Loss of First Lead status in University space race
• Don’t know who else is on controller, security, overall lack of control
Page 13: ASU Brocade SDN for Internet2

Brocade Vyatta
• Based on ODP
• End2End Network Control
• Physical & Virtual Options
• Brocade & 3rd parties
• Open Source Goodness
• Load Balancing
• VPN-NAT
• Routing & Switching
• Firewall & IPS

Presenter
Presentation Notes
Architecture Slide goes here! Need to update as we just bought more Brocade.
Page 14: ASU Brocade SDN for Internet2

http://www.wisdompills.com/2014/05/28/the-famous-social-experiment-5-monkeys-a-ladder/

Presenter
Presentation Notes
I leave you with this. If you Do what you always have Done, you will Get what you always Get.
Page 15: ASU Brocade SDN for Internet2
Presenter
Presentation Notes
Questions?