Science DMZ

A lightweight and high performing on-ramp to the REANNZ international research and education network.

Key components

Developed by US Energy Sciences Network (ESnet) and implemented by REANNZ, the Science DMZ model addresses common network performance problems encountered at research institutions by creating an environment that is tailored to the needs of high performance science applications, including high-volume bulk data transfer, remote experiment control, and data visualisation.

The main elements of the Science DMZ include:

  • specialised end devices, referred to as data transfer nodes (DTNs), built for sending and receiving data at high speed over wide area networks;

  • high-throughput, friction-free paths connecting DTNs, instruments, storage devices, and computing systems;

  • performance measurement devices to monitor end-to-end paths over multiple domains; and

  • security policies and enforcement mechanisms tailored for high-performance environments.

Source: http://fasterdata.es.net/science-dmz/

Design

Reflecting the varied needs of REANNZ members, there are a number of ways in which the Science DMZ can be implemented. Below are three primary examples of how the Science DMZ has already been deployed to various members, but the Science DMZ concept is flexible and a tailored solution can be developed.

Option one: REANNZ managed edge device

Diagram showing the logical and physical topology of a Science DMZ with one REANNZ managed edge device

A REANNZ managed edge device would be deployed to the member site(s) that host the Science DMZ infrastructure. As well as segmenting the Science DMZ traffic away from the standard enterprise traffic, this device also provides the Science DMZ security control functionality. The rules or policies set on this device are created specifically for controlling access to or from the Science DMZ, and they are optimised and tuned so that data throughput is maximised, consistent and secure.

Security controls include IP Access Control Lists (ACLs), which allow the member organisation, via REANNZ, to limit access to appliances and applications hosted within the Science DMZ to specific ports or remote IPs. The edge device and the Science DMZ security configuration are managed by REANNZ, while the enterprise traffic continues to flow through the member's security infrastructure.

Option two: no REANNZ on premise equipment

Diagram showing the logical and physical topology of a Science DMZ with no REANNZ on premise equipment

In this option the Science DMZ architecture, hardware and security are all supported by the member. There is still a separation between traffic destined for the Science DMZ and traffic from the enterprise infrastructure, but how that separation is managed is determined by the member.

Security controls are also managed by the member, but it is anticipated that these controls would be separate from any existing security policies to ensure a lightweight, high-performance implementation. Upstream connectivity is directly to the REANNZ network, with the combined Science DMZ and enterprise traffic being carried across the same member infrastructure.

Option three: multiple REANNZ managed devices

Diagram showing the logical and physical topology of a Science DMZ with multiple REANNZ managed devices

For this design a further REANNZ managed device is inserted downstream from the REANNZ managed edge at locations that host the Science DMZ infrastructure. This device provides dedicated connectivity to multiple data intensive devices, scientific instruments or high-performance applications.

The same Science DMZ rules or policies are applied, giving the same benefit of secured, consistent high-speed throughput. IP Access Control Lists (ACLs) are available for security control; these enable the member organisation, via REANNZ, to limit access to appliances and applications hosted within the Science DMZ to specific ports or remote IPs.

Both REANNZ managed devices and the Science DMZ security configuration are supported by REANNZ based on member requirements, while the enterprise traffic continues to flow through the member’s security infrastructure.
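The ACL controls described for options one and three limit access to Science DMZ hosts by remote address and port. The following is an added illustration, not REANNZ's or ESnet's code: a small default-deny evaluator for the kind of stateless ACL a Science DMZ edge device applies to DTN traffic. The DTN address, collaborator prefix and port range are constructed placeholders, not values from this page.

```python
# Added example (not REANNZ's or ESnet's code): a stateless, default-deny
# ACL evaluator for Science DMZ traffic. Because the ACL keeps no connection
# state, both directions of a transfer must be permitted explicitly.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # source prefix in CIDR notation
    dst: str                         # destination prefix in CIDR notation
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dport: Optional[range] = None    # destination port range; None = any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and dport not in self.dport:
            return False
        return True


# Constructed policy (documentation prefixes, assumed values): only one
# collaborator prefix may reach the DTN's transfer ports, and the DTN may
# talk back to (or initiate towards) that same prefix. Everything else,
# including management ports on the DTN, falls through to the default deny.
COLLABORATOR = "198.51.100.0/24"
DTN = "203.0.113.10/32"
TRANSFER_PORTS = range(50000, 51001)

ACL = [
    Rule("permit", COLLABORATOR, DTN, "tcp", TRANSFER_PORTS),  # inbound data
    Rule("permit", DTN, COLLABORATOR, "tcp", None),            # return/outbound
]


def evaluate(acl, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow matching no rule is denied."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"
```

Adding a permit for a new collaborator means adding both the inbound and the return-direction rule; forgetting the second is the usual reason a stateless ACL "passes" the ACL review yet stalls transfers.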

Capabilities and features

The Science DMZ addresses several key issues in data-intensive science, including:

  • reducing or eliminating the packet loss often found in enterprise networks, which causes poor TCP (Transmission Control Protocol) performance;

  • implementing appropriate security architectures and controls so that high performance applications are not hampered by unnecessary constraints while a high level of security is maintained for the environment; and

  • incorporating network testing, network measurement and performance analysis through the deployment of advanced toolsets such as perfSONAR.
