Science DMZ Firewall Limits | NSRC Training Resources

Video Topics

BGP for All

Introduction to Routing

Internet Routing

Routing Protocols

Introduction to IS-IS

IS-IS Adjacencies

Best Configuration Practices for IS-IS on Cisco IOS

IS-IS Authentication, Default Routes and IPv6

Introduction to OSPF

OSPF Adjacencies

Best Configuration Practices for OSPF on Cisco IOS

OSPF Authentication, Default Routes and IPv6

Comparing OSPF and IS-IS

Choosing between OSPF and IS-IS

Migrating OSPF to IS-IS

Finalizing Migration

Introduction to BGP

Introduction to Border Gateway Protocol

Transit and Peering

Autonomous Systems

Supporting Multiple Protocols

Setting up EBGP

Setting up IBGP

Introducing prefixes into the BGP RIB

How to configure aggregation

Display BGP Status

BGP Attributes

Local Preference

Multi Exit Discriminator

Community Specifics

BGP Policy

Applying Policy

Prefix Filtering

AS Path Filtering

Policy Language

Managing Policy Changes

BGP Scaling Techniques

Cisco Peer Groups & Juniper BGP Groups

Route Reflector Introduction

Route Reflector Deployment

Confederation Overview

Route Flap Damping

BGP Best Practices

Introduction to BGP Best Practices

EBGP Default Behavior

Overview of BGP versus IGP

How to Generate an Aggregate

How to Announce an Aggregate

Keeping IBGP Internal

Efforts to Improve Aggregation (CIDR Report)

Receiving Prefixes from Customers

Receiving Prefixes Peers

Receiving Prefixes from Upstream-Transit Provider

BGP Configuration Tips

InterConnection Best Practices

Internet Routing Registry: Introduction

Internet Routing Registry: Route Object, AS Object and AS Set

InterConnection Best Practices: Summary

Multi-Homing

Why Multi-Home?

Multi-Homing Definition

Multi-Homing Resources

Multi-Homing Policy Tools

Choosing Peering Partners and Transit Providers

Multi-Homing Scenarios

Multiple Sessions between Two ASes

Basic Principles of Multi-Homing

IP Addressing and Multi-Homing

Inbound Traffic Engineering

Two Links to One ISP, Primary and Backup

Two Links to One ISP, Load Balancing

Multiple-Dual-Homed Customers

Two Links to Different ISPs, Primary and Backup

Two Links to Different ISPs, Load Balancing

Outbound Traffic Engineering

One Upstream, One Local Peer

One Upstream, One Local IXP

Upstream Provider Also Peering at the IXP

Two Upstream, Local Peer--Using Defaults

Two Upstream, Local Peer--Using Full Routes

Two Upstream, Local Peer--Using Partial Routes

Summary of Multi-Homing Examples

BGP Case Studies

Peering Priorities

Transit Provider Peering at an IXP

Customer Multihomed between two IXP members

Traffic Engineering for an ISP connected to two IXes

Traffic Engineering for an ISP with two interfaces on one IX LAN

Traffic Engineering and CDNs

Communities

Communities: RFC 1998 Traffic Engineering

Communities: Simplifying Traffic Engineering

How to Apply Communities to Originated Routes

How to Use Communities for Service Identification

How to Use Communities to Scale a Route Reflector

Using Communities for Customer Policy

Value of Peering

Peering Definitions

Types of Peering

Role of the IXP

Local versus Regional Exchange Point

IXP Design and Implementation

Basic Principles of an IXP

"Layer 3 Exchanges?"

IXP Design Considerations

Routing Policies at IXPs

Internet Resources required for an IXP

Choosing IXP Hardware

Charging at IXPs

Services at IXPs

Route Collectors

What Can Go Wrong

IXP Further Considerations

BGP for NRENs

Research and Education Network Ecosystem

NREN Model Implications for Campuses

Dual Homed Campuses

Routing Security

Routing Infrastructure Security

Route Authentication

Credential Management

Credential Security

Security Practice Considerations

DDoS and Remotely Triggered Black Hole

DDoS Mitigation and RTBH

Unicast Reverse Path Forwarding (uRPF)

Route Origin Validation: Quick Introduction

Route Origin Validation

Validating BGP Route Announcements

Resource Public Key Infrastructure (RPKI)

Route Origin Authorisation: Background

Route Origin Authorisation: Creating ROAs

Route Origin Validation: Introduction

Route Origin Validation: AS0

Route Origin Validation: Vendor Support & Validator Caches

Validator Cache Deployment

Configuring Routers to use Validator Caches

RPKI Status Checking

Deploying RPKI within an AS

Propagating Validation State within an AS

Route Origin Validation: Statistics & Summary

MANRS

MANRS - 1 - Prefix Filtering

MANRS - 2 - BCP38 and uRPF

MANRS - 3 - NOC to NOC Communication

MANRS - 4 - RPKI and ROA

perfSONAR

Intro & Installation

What is perfSONAR?

perfSONAR Deployment Plan

How to Select Hardware for perfSONAR

Install perfSONAR

How to Secure a perfSONAR node

Interpreting Performance Behind Firewalls

Understanding TCP Buffer-Size

Configuration

How to Configure the Toolkit

How to Configure Enabled Services

How to Configure NTP Services^NEW

How to Configure Testing Policies

How to Find Other perfSONAR Nodes^NEW

Regular Testing

Using Metrics

Metrics Traceroute

Metrics Throughput

Network Measurements

pScheduler^{NEW in pS4.0}

TCP Buffer-Size

Using MaDDash

MaDDash Overview

MaDDash Configuration File

Install MaDDash

Install MaDDash Mesh Configuration

Configuring Test Hosts with MaDDash

ScienceDMZ

Background and Structure

Science DMZ Overview

Science DMZ Examples

Science DMZ Security

Specific Designs

Minimal Science DMZ

Multiple Science DMZs

DMZ Multiple Data Transfer Nodes

Science DMZ in a Supercomputer Center Network

Science DMZ Big Data Site

Techniques & Technology

Science DMZ TCP Performance

perfSONAR in the Science DMZ

Science DMZ Firewall Limits

Science DMZ Backplane Limits

Science DMZ for Software Defined Networks

Science DMZ Data Transfer Nodes versus Enterprise Security

Science DMZ as A Customer

FedIdM

Campus Identity

eduroam and Identity Services

Introduction to Identity on Campus

Identity and the Campus Network

Identity and Cloud Services

Federated Identity

Introduction to Identity Federations

Identity and Access Management for Researchers

Identity Federation for Service Providers

Identity and Business Models

Value Proposition and Business Models

Risk Management and Identity

Science DMZ Firewall Limits

The primary function of a firewall ruleset is to permit or deny network traffic using packet header information in a process where each packet is typically matched against the firewall ruleset. The primary criteria used to decide whether a packet conforms to security policy or not are source IP address, source port (if the packet is a TCP or UDP packet), destination IP address, and destination port. Firewall appliances rely on the use of internal mechanisms (packet inspection, state tables, parallelization) to perform their tasks, which often slow down the delivery of network traffic. This video describes how a firewall impacts TCP traffic, and ways the Science DMZ design can deliver the same functionality without the use of a firewall.

Related Documents

Acceptable Use

© 2016, The Regents of the University of California, through Lawrence Berkeley National Laboratory (subject to receipt of any required approvals from the U.S. Dept. of Energy). All rights reserved.

NOTICE. This material is owned by the U.S. Department of Energy. As such, the U.S. Government has been granted for itself and others acting on its behalf a paid-up, nonexclusive, irrevocable, worldwide license in the material to reproduce, prepare derivative works, and perform publicly and display publicly.