SJSU Research Network (SRN)
SJSU is connected at 100 gigabits to CENIC/Internet2, the research-specific network that connects many of the top universities in the country. All campus users whose traffic is destined for an off-campus, Internet2-connected university automatically use that higher-speed pathway. Some of the key information is as follows:
Dozens of other universities and the Department of Energy's ESnet have been running networks at 100 gigabits for some time and have a model that facilitates fast research file transfers. The key is to designate a portion of the network as a Science DMZ, which has many characteristics that speed up science traffic.
Our extension of the Science DMZ is called the SJSU Research Network; it will be distributed around campus to many buildings via two 10 gigabit connections, so as not to overload the single 100 gigabit link to Internet2.
Information about the Science DMZ concept: http://fasterdata.es.net/science-dmz/
A Science DMZ integrates five key components into a unified whole:
- A network architecture explicitly designed for high-performance applications, where science/research use is distinct from general-purpose use
- The use of dedicated systems for data transfer (DTN)
- Performance measurement and network testing systems that are regularly used to characterize the network and are available for troubleshooting (perfSONAR)
- Security policies and enforcement mechanisms that are tailored for high performance environments
- Engagement with Network Users focused on creating partnerships, educating and providing resources/ongoing support
SJSU Research Network Rollout
Traffic on this network may not include data subject to FISMA, FERPA or HIPAA, or PHI in general. Basically, the data on the network should only be low-risk research data.
All systems connecting to the research network must connect at 10 gigabits.
The network will not have traditional firewall protection; it is therefore imperative that you provide host-based protection. A well-implemented set of host-based tools will make your system safer than systems on campus sitting behind a departmental firewall, but you have to actively implement and monitor the host.
The ideal type of host for Low Risk Data would be a Linux system with:
- Frequent and regular updating/patching per the campus ISO requirements and recommendations
- A valid NetDB entry
- A local host-based firewall, such as iptables, blocking ports not needed for transfers
- Review login credentials quarterly; use Kerberos logins if at all possible
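Because the Research Network has no perimeter firewall, the host firewall is the only packet filter in front of a transfer node. The script below is an added example, not SJSU's own configuration: it generates a default-deny iptables ruleset (in iptables-restore format) that admits only the ports a data transfer node actually needs. The management subnet, transfer port and passive data port range are placeholders you would replace with your own values; nothing here is an SJSU address or an SJSU-assigned port.

```shell
#!/bin/sh
# Added example (not SJSU IT's code): build a default-deny iptables ruleset for a
# Linux data transfer node on a network with no upstream firewall.
# Assumptions (placeholders, replace with real values):
#   - SSH administration only from one management subnet
#   - the transfer service listens on a control port plus a passive data port range
#   - ICMP stays open so path-MTU discovery and perfSONAR tests keep working

# Emit a ruleset on stdout in iptables-restore format.
#   $1: subnet allowed to open SSH sessions, e.g. 10.0.0.0/24 (placeholder)
#   $2: TCP ports/ranges needed for transfers, space separated, e.g. "2811 50000:51000"
gen_dtn_rules() {
    mgmt_net="$1"
    xfer_ports="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${mgmt_net} -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One explicit ACCEPT per transfer port; everything else falls to the DROP policy.
    for p in $xfer_ports; do
        echo "-A INPUT -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy drops so the host can be monitored, as the rollout rules require.
    cat <<EOF
-A INPUT -j LOG --log-prefix "DTN-DROP: " --log-level 4
COMMIT
EOF
}

# Stand-alone run: print the ruleset for review (placeholder values, not SJSU's).
gen_dtn_rules "10.0.0.0/24" "2811 50000:51000"
```

Review the generated text, then load it with `iptables-restore --test < rules.v4` to syntax-check before applying it for real. Whatever ports you open, keep the log rule: on a network that is "off campus" to the departmental firewalls, the host's own drop log is the main signal that something is probing it.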
If dealing with Moderate Risk Data, then also implement:
- Test for vulnerabilities quarterly (Qualys scan)
- Two-step Authentication (Duo)
- Centralized logging (University IT LogRythm)
- Malware protection, if appropriate (Sophos for Windows)
- Host-based intrusion detection (Sophos for Windows, Sophos for Linux)
- Secure physical environment
- Systems moved to the Research Network may NOT be dual homed to both the campus network and the Research Network
- Full Internet, I2 and Campus networks will be available from the new network. Similarly, the new network will be reachable by the campus networks through a router hop. This network will be considered ‘off campus’ to the normal departmental firewall rules.
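A dual-homed host would bridge the unfirewalled Research Network straight into a departmental network, which is why the rule above forbids it. The check below is an added example, not part of SJSU's rollout tooling: it reads the output of `ip -4 route` on a Linux host and reports whether more than one interface carries a directly attached subnet. The sample routing tables embedded in it are constructed with placeholder addresses.

```shell
#!/bin/sh
# Added example (not SJSU IT's code): detect a dual-homed Linux host from its
# IPv4 routing table. Assumption: `ip -4 route` output in the usual iproute2 form,
# where directly attached subnets appear as "<prefix> dev <if> ... scope link".

# Read a routing table on stdin; print each distinct interface that has a
# directly attached IPv4 subnet, one per line, sorted.
attached_ifaces() {
    awk '$1 ~ /\// && /scope link/ {
             for (i = 1; i < NF; i++) if ($i == "dev") ifs[$(i+1)] = 1
         }
         END { for (d in ifs) print d }' | sort
}

# Exit 0 when the host sits on exactly one network, 1 when it is attached to more.
check_single_homed() {
    n=$(attached_ifaces | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Constructed sample tables (placeholder addresses, not SJSU's).
SAMPLE_SINGLE='default via 10.1.1.1 dev eth0 proto static
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.20'

SAMPLE_DUAL='default via 10.1.1.1 dev eth0 proto static
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.20
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.5'

# Stand-alone run on the constructed tables; on a live host use:
#   ip -4 route | check_single_homed || echo "dual homed"
printf '%s\n' "$SAMPLE_SINGLE" | check_single_homed && echo "sample 1: single homed"
printf '%s\n' "$SAMPLE_DUAL" | check_single_homed \
    || echo "sample 2: dual homed on $(printf '%s\n' "$SAMPLE_DUAL" | attached_ifaces | tr '\n' ' ')"
```

The check counts interfaces with a connected subnet rather than default routes, because a host can be reachable on a second network without a second default route. Virtual bridges (for containers or VMs) also show up as attached subnets, so treat a hit as something to look at, not an automatic violation.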
The Network Demarcation Point
SJSU IT Network Services will install a 10 gigabit-capable switch in a central closet. Available ports will be marked, as will the IP range (and network), to help with NetDB record creation. This switch could have both 10GBASE-T and fiber ports and could be in the building's main telecom closet or on an upper floor, depending on where the potential researchers are located within the building. If the building wiring isn't capable of 10 gigabits, then a fiber connection may be needed to handle the higher speed.
This policy is subject to change and petitions may be made for exceptions.