Research and operations closely linked
Use Case 1: Firewall as a Service
Firewalls are an integral part of securing the boundaries between networks and the hosts participating in them. Reliable operation and administration of such a critical piece of infrastructure takes time, money and proficiency. Furthermore, classical firewalls are often managed and operated centrally, which does not scale well with regard to personnel and to the adaptation to ever-changing requirements. If the latter two cannot be guaranteed, there is a high risk that security is neglected. With Firewall as a Service this central bottleneck can be mitigated. Firewall as a Service moves the configuration and administration aspects of the firewall closer to the actual end users, while the burden of operation lies with the provider of the firewall service. A possible use case is to place routers into the purview of university institutions. These routers are then configured on site to forward all incoming and outgoing traffic to a central firewall provider.
Service Function Chain Cloud
The underlying technology that enables Firewall as a Service is the concept of a Service Function Chain. Service Function Chaining allows the administrator to force packets to traverse a specific path of services before reaching their final destination. These services are highly configurable and can be dynamically adjusted according to the specific requirements and obligations of the end user.
Self Service Portal
In order to make all of this configurable for the end user, there must be an easy-to-use self-service interface in place. A Self-Service Portal gives end users the means to concatenate different service functions into chains without deep IT knowledge.
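The following is an added, constructed model of the chain concept described above (it is not code from the project): two institutions have configured different chains via the self-service idea, a classifier at the central provider maps each packet to its institution's chain by source prefix, and the chain applies its service functions in order, so a packet dropped by the firewall never reaches the functions behind it. The prefixes, ports and byte budget are assumed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed example. A service function returns the packet (possibly
# modified) or None to drop it; a chain applies its functions in order.

@dataclass(frozen=True)
class Packet:
    src: str      # source address; the institution is identified by prefix
    dport: int
    size: int

ServiceFunction = Callable[[Packet], Optional[Packet]]

def firewall(allowed_ports: set) -> ServiceFunction:
    """Central firewall: only the ports the institution configured pass."""
    return lambda p: p if p.dport in allowed_ports else None

def rate_limiter(budget_bytes: int) -> ServiceFunction:
    """Drops packets once the institution's byte budget is used up."""
    state = {"left": budget_bytes}
    def limit(p: Packet) -> Optional[Packet]:
        if p.size > state["left"]:
            return None
        state["left"] -= p.size
        return p
    return limit

@dataclass
class Chain:
    name: str
    functions: list = field(default_factory=list)
    def process(self, p: Packet) -> Optional[Packet]:
        for fn in self.functions:
            p = fn(p)
            if p is None:        # dropped at this hop; later hops never see it
                return None
        return p

DEFAULT_CHAIN = Chain("deny-all", [firewall(set())])  # unknown sources

def sample_chains() -> dict:
    """Two institutions with different self-service configurations (assumed)."""
    return {
        "10.1.": Chain("faculty-a", [firewall({80, 443}), rate_limiter(3000)]),
        "10.2.": Chain("faculty-b", [firewall({22, 443})]),
    }

def classify(chains: dict, p: Packet) -> Chain:
    """Pick the chain of the institution that owns the source prefix."""
    for prefix, chain in chains.items():
        if p.src.startswith(prefix):
            return chain
    return DEFAULT_CHAIN

def run(chains: dict, packets: list) -> list:
    """Return (chain name, forwarded?) for each packet in order."""
    out = []
    for p in packets:
        chain = classify(chains, p)
        out.append((chain.name, chain.process(p) is not None))
    return out
```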
Use Case 2: Access via WiFi and 5G networks
Many mobile devices have several radio technologies, e.g. WiFi and 5G. In this use case, such technologies will be orchestrated to be used in parallel and made usable for different learning scenarios.
The digitization of teaching increasingly requires access to learning-oriented services and content, e.g. for online research, for access to electronic materials and multimedia content, and in future perhaps also for visualizations with augmented reality (AR) or virtual reality (VR). Today's campus networks must provide access to corresponding services and content from sources inside and outside the campus network or the BelWü. Wireless access networks support this by providing seamless connectivity. On university campuses, such networks are typically based on IEEE 802.11 ("WiFi"). Additionally, campus users resort to (5G) mobile networks using private mobile phone contracts.
In the future, the complete operation of the wireless access network on a campus may even be carried out by a 5G mobile operator, with the university as a customer. This use case explores how to benefit from multiple wireless technologies in learning scenarios by distributing content and service requests among the technologies.
Use Case 3: Transfer of large research datasets
A distinctive task of BelWü and university campus networks is the transfer of large scientific datasets. Such large transfer volumes caused by individual users are a rather uncommon traffic pattern, usually not found in, e.g., commercial provider networks. Such patterns, however, can severely affect other traffic in the network.
If the theoretical transmission capacity of a sender is larger than the available resources in the network, the transmission rate has to be regulated. This is typically done by so-called congestion control algorithms. They are able to detect impending overload situations and slow down the senders. Still, the service quality of video conferences, web-based applications, and other delay-sensitive services can be significantly reduced in such a situation. Today, this is usually solved by overprovisioning the network, applying rate limits to large transfers, or scheduling these transfers only at night. However, these approaches often require manual intervention and are usually far from ideal; just imagine a video conference that takes place at night with a dialog partner on a different continent.
In use case 3, such situations shall be automatically detected and resolved by the network without the need for massive overprovisioning or manual intervention. Still, network operators shall stay informed about and in control of what happens in the network.
Use Case 4: Improved security in campus networks
A special property of research networks is their heterogeneity and open structure, where hundreds of employees and students, but also potential attackers, can access the public research network as well as its services. Perimeter security cannot offer sufficient protection in such an environment, since the perimeter concept only deals with attackers from outside.
Through the use of mobile devices and virtual private networks, the perimeter is also bypassed, as the devices are sometimes located in the secured network and sometimes not. Managed devices cannot be deployed university-wide because most research facilities pursue a bring-your-own-device policy, in particular for students but also for many employees. A potential attacker can therefore often access the network unhindered with any device and use stolen user credentials (e.g., obtained through phishing attacks) to access sensitive data such as exam grades. As described above, currently deployed security concepts attempt to protect against unauthorized access primarily through perimeter security and simple, account-based access control. Since the above-mentioned services should be accessible from everywhere and with any unmanaged device, these measures are not sufficient.
The project aims to increase the security level by applying the Zero Trust Security concept to campus networks. What such a Zero Trust Security concept applied to a research network could look like can be seen in the following figure.
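To make the contrast drawn above concrete, here is an added, constructed policy comparison (not the project's own model): the perimeter decision grants access to anyone inside the campus network with a valid account, whereas the zero-trust decision ignores network location and weighs authentication strength and device state against the sensitivity of the requested resource. The attribute names, scores and resource sensitivities are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed example; attribute names and thresholds are assumptions.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    valid_account: bool      # credentials accepted (possibly stolen)
    mfa_passed: bool         # second factor the attacker usually lacks
    device_managed: bool
    device_patched: bool
    on_campus_network: bool  # location, which the perimeter model relies on
    resource: str

# Sensitivity per resource: higher values demand stronger evidence (assumed).
SENSITIVITY = {"library_catalog": 1, "course_material": 2, "exam_grades": 3}

def perimeter_decision(req: AccessRequest) -> bool:
    """Classic model: valid account plus being inside the perimeter suffices."""
    return req.valid_account and req.on_campus_network

def trust_score(req: AccessRequest) -> int:
    """Evidence about the user and device; network location adds nothing."""
    score = 0
    if req.valid_account:
        score += 1          # a password alone is weak evidence (phishing)
    if req.mfa_passed:
        score += 1
    if req.device_managed and req.device_patched:
        score += 1          # device posture; BYOD devices rarely qualify
    return score

def zero_trust_decision(req: AccessRequest) -> bool:
    """Every request is evaluated; unknown resources need the top score."""
    return trust_score(req) >= SENSITIVITY.get(req.resource, 3)

def compare(req: AccessRequest) -> tuple:
    """(perimeter verdict, zero-trust verdict) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)

# Constructed scenario from the text: stolen credentials used on an
# unmanaged device that is physically on campus, targeting exam grades.
PHISHED_ON_CAMPUS = AccessRequest("student42", True, False, False, False,
                                  True, "exam_grades")
# A legitimate user off campus with MFA and a managed, patched device.
LEGIT_OFF_CAMPUS = AccessRequest("student42", True, True, True, True,
                                 False, "exam_grades")
```

The first scenario is admitted by the perimeter model and refused by the zero-trust one; the second is refused by the perimeter model (location) and admitted by the zero-trust one.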