In a previous article, CENIC outlined some of the topics a campus must consider to take advantage of everything that CENIC AIR (and the National Research Platform or NRP) has to offer, including building bridges between faculty and campus IT departments, understanding your faculty’s IT needs, evaluating campus network connection options, choosing the right Science DMZ model for your campus, and finding funding.
However, the Science DMZ model itself sometimes raises questions about how network security can be maintained while also avoiding the big-data bottleneck that a campus firewall can create.
After all, firewalls are put in place to ensure cybersecurity, so connecting campus equipment directly to remote equipment by routing around the campus firewall will often prompt questions from IT directors and other campus decision-makers about how cybersecurity is maintained.
Happily, there are well-understood options and policies already in place that allow CENIC member institutions to participate in CENIC AIR and NRP while enjoying an extremely secure experience.
During January’s Sixth National Research Platform Workshop (6NRP), UC San Diego’s Tom DeFanti and CENIC’s Christopher Bruton reviewed the current status of NRP along with the latest and most common Science DMZ models architected by CENIC for our membership. (The slides for their 4pm Tuesday tutorial can be viewed and downloaded at the 6NRP portal.)
As described in our previous article, if a Science DMZ is to support participation in CENIC AIR and NRP, it must have a high enough bandwidth to handle big-data usage plus connect to the global Internet for needed upgrades and patches. In CENIC terms, this translates to connections to both the High-Performance Research (HPR) and Digital California (DC) tiers of CENIC’s California Research and Education Network (CalREN).
CENIC is happy to customize our Science DMZ models for our member institutions’ unique needs, but certain broad trends are evident in Bruton’s presentation, one of which is the utility of treating the CalREN-DC and CalREN-HPR connections separately so that the DC connection still passes through the campus firewall. While this approach maintains tight cybersecurity where it is most needed—when connecting to the global Internet and the patches, downloads, upgrades, and security threats that originate on it—it still sequesters CENIC AIR and NRP big-data traffic in its own flow, where it can’t “clog the pipes” of the campus firewall and interfere with enterprise-level traffic.
It may seem as if this leaves big-data traffic vulnerable, but as part of NRP, CENIC AIR participants—and their equipment—enjoy the advanced security used by NRP itself: a firewall via the host’s iptables (or nftables) programmatically created with Calico software, a common networking layer for Kubernetes.
Calico ensures that a CENIC or NRP node only accepts connections from other NRP nodes unless the type of connection has been explicitly whitelisted. Furthermore, it restricts communication between pods unless explicitly allowed, providing NRP user isolation. This setup effectively creates an NRP-exclusive distributed firewall that limits traffic to other NRP nodes and allows only a carefully vetted whitelist of groups to accept connections from outside the NRP. As a result, the majority of NRP usage is isolated and protected from incoming connections from the broader network.
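To make the two layers of isolation described above concrete, here is an added example of what such a Calico configuration looks like. It is illustrative only and is not NRP's or CENIC's actual policy: the node label, interface name, namespace, subnet and port values are placeholders, and a real deployment would carry the vetted whitelist the article mentions in place of the single example rule. The first two documents use Calico's own `projectcalico.org/v3` API to put a host-level firewall (rendered by Calico into iptables or nftables rules) on a node, allowing inbound traffic only from other NRP nodes plus one explicitly allowed outside group and denying everything else. The last two documents use the standard Kubernetes `NetworkPolicy` API that Calico enforces to make a user namespace default-deny between pods, then re-open exactly one path.

```yaml
# Added example, not the project's configuration. All names, labels,
# IP ranges and ports are placeholders.

# 1. Register the node's external interface as a Calico HostEndpoint so
#    that GlobalNetworkPolicy rules apply to the host itself, not only
#    to pods. Label it so policies can select all NRP nodes at once.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: nrp-node-01-eth0            # placeholder node name
  labels:
    nrp-node: "true"
spec:
  node: nrp-node-01                 # must match the Kubernetes node name
  interfaceName: eth0               # placeholder interface
  expectedIPs:
    - 203.0.113.10                  # placeholder (documentation range)
---
# 2. Host firewall: accept connections from other NRP nodes, accept one
#    explicitly whitelisted outside group on one port, deny the rest.
#    Egress is left unrestricted here so nodes can still fetch patches.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: nrp-host-ingress
spec:
  order: 10                         # lower order = evaluated first
  selector: nrp-node == "true"      # applies to every labelled HostEndpoint
  types:
    - Ingress
  ingress:
    # Other NRP nodes: placeholder subnet standing in for the node list.
    - action: Allow
      source:
        nets:
          - 203.0.113.0/24
    # One vetted outside group allowed to reach one service port.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 198.51.100.0/24         # placeholder whitelisted group
      destination:
        ports:
          - 8443                    # placeholder service port
    # Everything else from anywhere is dropped (default deny).
    - action: Deny
---
# 3. Pod isolation: with an empty podSelector this policy selects every
#    pod in the namespace and, because no ingress rules are listed,
#    allows no inbound pod traffic at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: user-alice             # placeholder user namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 4. Explicit allow: only pods labelled app=worker in the same namespace
#    may reach pods labelled app=api, and only on TCP/8080. Policies are
#    additive, so this opens one path without weakening the default deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-worker-to-api
  namespace: user-alice
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: worker
      ports:
        - protocol: TCP
          port: 8080
```

Two points are worth checking before applying anything like this on a real node. First, a Calico host policy that ends in `Deny` is only safe because Calico's built-in failsafe rules keep management ports such as SSH reachable; confirm those failsafes are still configured before locking down a node you administer remotely. Second, the Kubernetes `NetworkPolicy` default-deny only takes effect once a CNI that enforces policy (here Calico) is running; on a cluster without one it is silently ignored, which is worth verifying with a quick connectivity test from a pod outside the allowed selector.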
In addition, NRP also performs active monitoring of all processes running on its—and hence CENIC AIR’s—nodes to catch any issues. As NRP’s Derek Weitzel of the University of Nebraska–Lincoln states, “There has never been a breach of NRP’s user, container, and network isolation that we have in place.”
Thus, as stated earlier, IT directors and other decision-makers at CENIC member institutions can rest easy knowing that implementing a Science DMZ to participate in CENIC AIR and NRP will not compromise their institution’s cybersecurity in any way. It will, in fact, make them part of yet one more world-class community of experts in secure network-enabled research and education.
If you’d like to learn more about CENIC AIR and how your institution can participate and make use of the resources it offers, please contact your representative at the CENIC Project Management Office or our Network Operations Center.