Last month I wrote about ICPSR's new network topology in my TRAC series of posts. We started the move to the new network last week; the early signs are good, and it is time for an update.
Here's a high-level architectural view of our future network on the left.
We're breaking the current network into three virtual networks, each with a series of firewall rules to protect the people, content, and systems behind the firewall.
Moving from left to right...
Our Public (green) network has the lowest level of security. It hosts our public-facing systems such as our public web server, www.icpsr.umich.edu, the authoritative DNS server for the icpsr.umich.edu domain (and many others!), a machine we use to mirror Web portals for partner organizations, and more. Machines on this network have publicly routable IP addresses, and there is generally free and open access between this network, its resources, and the Internet.
Our Semi-Private (purple) network has a higher level of security. It hosts the vast bulk of our network-attached devices: desktop workstations, laptops, printers, private-facing servers (like a DHCP server), and more. Machines on this network have addresses in private IP address space, and use NAT to reach the Internet. Since the addresses are not public, there is no inbound access to the network from outside the University of Michigan network (UMnet) except through Virtual Private Network technology. I'm typing this blog post on a machine connected to the Semi-Private network.
Our Private (red) network has the highest level of security. It hosts a very small number of systems, all of which are used by ICPSR data managers to process the data and documentation we receive from the research community and from government agencies. In general, there is no access between this network and any other network unless it has explicitly been granted by a firewall rule.
Access to this network flows largely through a Virtual Desktop Infrastructure (VDI) service (also red) that we are using. The VDI hosts a collection of virtual Windows 7 desktop systems which contain the same software used on physical desktop workstations at ICPSR. Once one has connected to the VDI, one may access resources on the Private network, such as newly deposited content, ICPSR archival holdings, etc. Access from the VDI to the desktop is also tightly controlled so that one may not, for example, cut-and-paste between the two. Essentially this is a virtual data enclave, but where the client is ICPSR staff, not external data analysts.
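To make the three-tier policy described above concrete, here is an added example (not ICPSR's actual firewall configuration) that encodes which zones may open connections to which and then audits how many controlled boundaries separate the Internet from the Private network. The zone names, the INTERNET and VPN labels, and the specific allow pairs (for instance that staff desktops and VPN users reach the VDI) are assumptions inferred from the post.

```python
"""Zone model of the three-network design: Public, Semi-Private, Private and
the VDI. Added illustration only; the rule set is inferred from the post and
is not ICPSR's configuration."""
from collections import deque

# Zone labels. INTERNET and VPN are constructed names for the outside world
# and for authenticated remote users entering over the VPN.
INTERNET, VPN, PUBLIC, SEMI_PRIVATE, VDI, PRIVATE = (
    "internet", "vpn", "public", "semi-private", "vdi", "private")

# Explicit allow rules: (source, destination) pairs permitted to open new
# connections. Anything not listed is denied, so Private is default deny.
ALLOW = {
    (INTERNET, PUBLIC), (PUBLIC, INTERNET),  # Public: open in both directions
    (INTERNET, VPN),                         # the VPN is the only inbound door
    (SEMI_PRIVATE, INTERNET),                # outbound via NAT; no inbound pair
    (VPN, SEMI_PRIVATE), (VPN, VDI),         # remote staff land here (assumed)
    (SEMI_PRIVATE, VDI),                     # desktops reach the VDI (assumed)
    (VDI, PRIVATE),                          # the VDI is the sole path into Private
}

def permitted(src: str, dst: str) -> bool:
    """Would the firewall let a new connection from src reach dst?"""
    return (src, dst) in ALLOW

def hops_from(start: str) -> dict:
    """Breadth-first walk over ALLOW: fewest zone-to-zone hops needed to
    reach each zone from start, i.e. how many firewall boundaries someone
    who controls a host in `start` would have to cross."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in ALLOW:
            if src == zone and dst not in dist:
                dist[dst] = dist[zone] + 1
                queue.append(dst)
    return dist

def private_ingress() -> set:
    """Zones allowed to open connections into Private. The design intent is
    that this set is exactly {VDI}; anything else is a policy regression."""
    return {src for src, dst in ALLOW if dst == PRIVATE}

if __name__ == "__main__":
    d = hops_from(INTERNET)
    for zone in (PUBLIC, SEMI_PRIVATE, VDI, PRIVATE):
        print(f"{zone:>13}: {d.get(zone, 'unreachable')} hop(s) from the Internet")
    print("zones that may open connections into Private:", private_ingress())
```

Re-running `private_ingress()` and `hops_from(INTERNET)` after every rule change is a cheap regression check that the VDI remains the only way into the red network.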