
Lawrence Berkeley National Lab Secures Its Enterprise Network With Force10 E1200


To university-based research institutions, collaboration is the key to advancing scientific knowledge. And with the growth of the Internet, scientific collaboration has become easier. But organizations like Lawrence Berkeley National Laboratory (LBNL) must also protect their information assets from those with less-than-positive intentions.

As a result, LBNL recently incorporated an E1200 switch/router from Force10 Networks into LBLnet, the lab’s enterprise network, as part of an intrusion detection application for network security. The line-rate performance and scalability of the E1200 system with packet filtering or access control lists (ACLs) enabled—and Force10’s high level of customer support—help LBNL protect its network from unauthorized access without affecting network response times, ensuring that researchers can leverage the entire bandwidth of the network for data-intensive applications.

Balancing security and performance

Located on a hillside above the University of California at Berkeley, LBNL conducts research for the Department of Energy in advanced materials, life sciences, energy efficiency, detectors and accelerators. LBNL’s enterprise network, LBLnet, currently supports 15,000 network-attached devices at the lab’s main facilities and at five remote sites.

Due to the nature of the research performed at LBNL, the LBLnet staff must strike a balance between providing a high-performance network that encourages collaboration and taking security considerations into account. To protect the network from unauthorized access, the LBLnet team developed an intrusion detection system (IDS) that was then integrated with LBLnet’s previous border router. The IDS monitors both incoming and outgoing traffic, detects potential security or Denial of Service (DoS) attacks and applies ACL rules to the router.

However, LBNL found that as the number of ACLs grew, the performance of the previous router slowed. When the router vendor was unable to solve this problem, LBNL turned to Force10, which worked closely with the lab to address its issues. As a result, LBNL replaced its previous router with an E1200 from Force10.

“I’d come up with a proposed design, and without even being asked, Force10 proactively built the scenario in their lab and tested it,” says Mike Bennett, LBNL senior network engineer for the LBLnet Services Group. “I was floored. Force10 listened to our needs and provided us with a solution. Force10 Networks’ support has exceeded my expectations every time.”

Line-Rate Performance with ACLs

Now, by monitoring traffic on both sides of the E1200 switch/router, the IDS dynamically adjusts the ACLs on the E1200 via a dedicated point-to-point Gigabit Ethernet (GE) link. The E1200 acts on these ACL updates from the IDS and quickly seals off potential security breaches. LBNL soon found that the E1200 delivered line-rate performance even with large numbers of ACLs.

“With the E1200 system, we’ve improved the response time by about half,” Bennett says. “As we optimize it further, we expect that within a month we’ll be about 20 times faster than we were in our worst case. This has all been from the willingness of Force10 to work with us to solve our problem.”

Currently, the LBLnet E1200 is configured with a line card containing 24 GE ports. The scalability of the system means that LBNL has room to grow as its needs increase. With up to 14 line card slots per chassis, an E1200 switch/router can contain up to 672 GE ports or 56 10 Gigabit Ethernet (10GE) ports.

“It’s so scalable that as we go through the next budget cycle, we’ll simply add to it,” says Bennett. “Force10’s switch/routers are competitively priced and work as promised. They deliver line-rate performance with ACLs enabled, which means I don’t have to worry about what happens when the load increases.”

L2/L3 functionality with room to grow

In addition, the Force10 EtherScale™ architecture upon which the E1200 is built—and the FTOS™ real-time operating system—deliver the full L2 switching and L3 routing functionality that LBNL needs to satisfy current and future requirements, without sacrificing line-rate performance. According to Bennett, LBNL uses the E1200’s BGP4 routing protocols as well as its VLAN capabilities.

“One of the deciding factors for purchasing the E1200 was its rich set of features,” says Bennett. “We knew that as we grow, we’d have all the functionality we needed.”

Planned upgrade to 10 Gigabit Ethernet

In fact, LBNL is finding that as researchers need more bandwidth for data-intensive applications in fields such as distributed computing and life sciences, the demand for high-bandwidth connectivity in LBLnet’s local and regional backbones, as well as to the Internet, is also increasing. Because of this, the lab is rapidly moving toward the deployment of 10GE services.

“We have researchers developing applications that need 10GE now,” says Bennett. “It's become more common for scientists to use a facility such as the Advanced Light Source (ALS) lab and send the results of the experiment back to their home site via the network. Add this to the existing load on the network, and it's not hard to see that we'll be using 10GE in the near future. One possible application is the interconnection of LBNL with other national labs in a regional area network, which would cost far less than with equivalent SONET technology.”

Another force driving the adoption of 10GE is that the cost of network interfaces continues to drop: Bennett says that LBNL has found a 10GE interface to cost about the same as aggregating ten GE connections. Bennett also notes that 10GE simplifies network design by providing a single point-to-point connection rather than 10 aggregated GE connections that must be installed and maintained.

“Simplicity is a must as we maintain the network with a small staff,” says Bennett. “The good news is that companies like Force10 Networks can deliver 10GE at wire-speed rates today.”
 

Lawrence Berkeley National Lab

LBL's Intrusion Detection System monitors traffic on both sides of a Force10 E1200 acting as a Gigabit-speed packet filter. As soon as the IDS detects a possible threat, it communicates with the E1200 to set up a filter rule to block that threat. The time to set up the filter is critical, and the E1200 gives LBL the potential for an order-of-magnitude speedup over their previous system.
 