Innovations In Wired Network Service Bruce Campbell.

Presentation transcript:

First, a bit about wireless
Aruba system
- Main Campus
  - 3 controllers (adding 4th in )
  - 850 APs (b/g)
  - 25 /24 public subnets
- Housing residences
  - 3 controllers
  - 535 APs (a/b/g)
  - 14 /24 public subnets
Watitis Innovations in Wired Network Service - Bruce Campbell

Wireless Usage Increasing
- handheld devices
- need to move to NAT (private addresses)
- adding traffic management (peer to peer etc)
- average 6,000 square feet per AP on main campus
- need to double or triple density in high load areas, e.g. DC, LIB, SLC
- adding APs before April 30, 2010
- adding APs

802.11n
- new 802.11n AP available, $510, a/b/g/n (2x2)
- more channels, higher bandwidth
- will be deployed in new buildings
- may install 'n' in existing high load areas, and recycle b/g APs

What makes wireless so special?
- available everywhere
- users don't need to request service in advance
- mobile
- meets many users' basic requirements
- allows users to use network services on their terms

What makes wireless less special?
- slower
- less secure?
- less reliable?
- requires authentication, or some other means to restrict usage to authorized users
- generally focused on laptops, netbooks, handhelds, with dynamic IPs
- technology refresh cycle, compare:
  - network cabling infrastructure years
  - network switch/router infrastructure years
  - wireless infrastructure years

Providing Wired and Wireless Network Services
- Wireless-only vendors claim wireless is ready to be the primary network service.
- Reality check:
  - Mobile (wireless) networking is designed for mobile computing.
  - Fixed (wired) networking is designed for fixed computing.
  - We have both fixed and mobile computing, and thus need both fixed and mobile networking, and will likely need to continue to expand and improve both.

Wired/Wireless comparison
- Wired and wireless networking serve different needs, but let's compare them anyway.
- The wireless vendors will work on speed, reliability, security.
- Mobility on the wired network is limited to wall jacks and the length of the patch cable.
- Can we do anything about convenience on wired networking?
- Comparison table (Wired vs. Wireless): Mobility, Convenience, Speed, Reliability, Security

Is Convenience Important?
- Improved service
- Self service can reduce IT staff workload
- People may choose a convenient service over the right service. We need to make the right services convenient.
- Wireless: limitations (speed, reliability) are largely governed by laws of physics.
- Wired: limitations (convenience) are largely governed by our processes.

Self Serve Wired Network Service
- First make sure the wall jacks are live
- UW (unnamed dept)
- Trent

1-to-1 patch cabling
- All jacks live.
- Implemented in Science
- Standard in all new buildings.
- Upgrades in Academic Support buildings in progress.

Cable Documentation
- See ona screenshots

DHCP and Authentication
- Making all jacks live is only part of the picture. Computers still need IP addresses:
  - Manually assign in Maintain: the computer can be hardcoded or use DHCP
  - Dynamic ranges in Maintain: can require MAC addresses to be registered, or not
- Network connectivity: Unauthenticated / Authenticated

Dynamic Ranges in Maintain
- Hostmaster sets these up on request
- Can be set to allow any, registered, or unregistered

Authenticate or not?
- Unauthenticated access
  - Used in resnet (subject to MAC lockdown)
  - Short dynamic ranges on many campus subnets, for registered hosts
  - Pharmacy
- Authentication options
  - Captive portal
  - 802.1x

Wired Captive Portal
- Same as wireless (Aruba)
- Offered in 12 areas on campus
- Most heavily used in Engineering

802.1x wired authentication
- Not currently offered, experimental

802.1x Switch configuration
- Enabling 802.1x on port 26
- Set up RADIUS server.
- Switch config fragment:

    aaa authentication port-access login eap-radius
    radius-server host x.y key xxxxxxxx
    primary-vlan 108
    aaa port-access authenticator 26
    aaa port-access authenticator active
    aaa port-access 26

802.1x Client Configuration
- See How to configure 802.1x authentication with a Windows XP or Vista supplicant (maybe it is easier with Windows 7)
- With a configurator tool, this might work well
- Need to test other devices (e.g. VoIP phones)

Unauthenticated Network Access: Resnet
- Thousands of people move into residence over a weekend.
- Network security mechanisms and processes used in resnet:
  - MAC lockdown

        port-security NN learn-mode static

  - DHCP snooping

        dhcp-snooping
        dhcp-snooping authorized-server x.y
        dhcp-snooping database file "tftp://xxxxx"
        dhcp-snooping option 82 untrusted-policy keep
        dhcp-snooping vlan nnn
        interface NN
           dhcp-snooping trust
           exit

  - ARP protection

        arp-protect
        arp-protect trust NN
        arp-protect validate src-mac dest-mac ip
        arp-protect vlan nnn

  - Documented network cabling
  - Traffic management
  - Client only ACLs
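The resnet controls above are only as good as the configuration actually running on each edge switch: a single access port marked `dhcp-snooping trust`, or a client VLAN left out of `arp-protect vlan`, quietly turns the protection off for that port or VLAN. The Python script below is an added example, not part of the talk or of any UW tool. It parses a constructed ProCurve-style config fragment modelled on the commands above and reports where it deviates from an assumed site policy. The sample config, the `ACCESS_VLANS` and `UPLINK_PORTS` sets, the 10.0.0.x addresses and the finding texts are all assumptions made for the example; the sample deliberately trusts port 12, an access port, so that the audit has something to find.

```python
import re

# Constructed ProCurve-style config fragment modelled on the commands in the talk.
# Not a real switch's config: addresses are made up, and the "trust" on port 12
# (an access port) is a deliberate mistake for the audit to catch.
SAMPLE_CONFIG = """\
port-security 1-24 learn-mode static
dhcp-snooping
dhcp-snooping authorized-server 10.0.0.5
dhcp-snooping database file "tftp://10.0.0.9/snoop.db"
dhcp-snooping option 82 untrusted-policy keep
dhcp-snooping vlan 108
interface 25
   dhcp-snooping trust
   exit
interface 12
   dhcp-snooping trust
   exit
arp-protect
arp-protect trust 25
arp-protect validate src-mac dest-mac ip
arp-protect vlan 108
"""

# Assumed site policy for the example: client VLANs that must be protected, and
# the only ports (toward the DHCP server / core) that may be trusted.
ACCESS_VLANS = {"108", "109"}
UPLINK_PORTS = {"25", "26"}


def expand_range(spec):
    """Expand a ProCurve-style list such as '1-24' or '1,3,25-26' into a set of strings (numeric names assumed)."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(str(n) for n in range(int(lo), int(hi) + 1))
        elif part:
            out.add(part)
    return out


def audit_config(text, access_vlans, uplink_ports):
    """Return the list of findings where the config falls short of the snooping / ARP-protection policy."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    snoop_vlans, arp_vlans = set(), set()
    dhcp_trusted, arp_trusted = set(), set()
    current_ports = set()  # ports of the 'interface' context we are inside, if any

    for line in lines:
        if m := re.match(r"interface (\S+)$", line):
            current_ports = expand_range(m.group(1))
        elif line == "exit":
            current_ports = set()
        elif line == "dhcp-snooping trust":  # per-interface command
            dhcp_trusted |= current_ports
        elif m := re.match(r"dhcp-snooping vlan (\S+)$", line):
            snoop_vlans |= expand_range(m.group(1))
        elif m := re.match(r"arp-protect vlan (\S+)$", line):
            arp_vlans |= expand_range(m.group(1))
        elif m := re.match(r"arp-protect trust (\S+)$", line):
            arp_trusted |= expand_range(m.group(1))

    # Global switches and the server whitelist must be present at all.
    if "dhcp-snooping" not in lines:
        findings.append("dhcp-snooping not enabled globally")
    if not any(l.startswith("dhcp-snooping authorized-server ") for l in lines):
        findings.append("no dhcp-snooping authorized-server: any host could answer DHCP")
    if "arp-protect" not in lines:
        findings.append("arp-protect not enabled globally")
    if not any(l.startswith("arp-protect validate ") for l in lines):
        findings.append("arp-protect validate not configured")
    # Every client VLAN needs both features; trust belongs on uplinks only.
    for v in sorted(access_vlans - snoop_vlans):
        findings.append(f"VLAN {v}: dhcp-snooping not enabled")
    for v in sorted(access_vlans - arp_vlans):
        findings.append(f"VLAN {v}: arp-protect not enabled")
    for p in sorted(dhcp_trusted - uplink_ports):
        findings.append(f"port {p}: dhcp-snooping trust on a non-uplink port")
    for p in sorted(arp_trusted - uplink_ports):
        findings.append(f"port {p}: arp-protect trust on a non-uplink port")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, ACCESS_VLANS, UPLINK_PORTS):
        print(finding)
```

Run against the sample it reports VLAN 109 missing from both `dhcp-snooping vlan` and `arp-protect vlan`, and the trusted access port 12. Feeding it the `show running-config` output of every resnet switch after the weekend move-in is the cheap way to confirm the controls on the slide are really in force everywhere.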

Unauthenticated Network Access: School of Pharmacy
- Desire for guests and occasional users to have immediate, self serve, wired network access
- Small range of dynamic addresses on same subnet as static addresses
- Available in private offices only
- No authentication needed

    IP address      #    Purpose
                         Default gateway
         to              Static addresses
         to 254     15   Dynamic addresses

How to trace/block misuse of a dynamic, unauthenticated IP address?
- Given IP/date/time of incident…
  - Determine MAC from ona ARP logs
  - Determine switch port from ona MAC logs
  - Determine room from cable documentation
  - Determine person (who has keys to room)
- Or, disable the switch port
- Or, blackhole the MAC (tools not provided yet)
- Chill. Recognize that with static IPs, DNS records are often out of date, and people can hard code the wrong IP anyway.

MAC address documentation by reverse engineering
- It is the MAC address, not the IP, that is tied to a given piece of equipment.
- Can we figure out users associated with MAC addresses?
- When a user checks (or uses bookit, nexus, myhrinfo, etc)…
  - From host logs, we can get a date/time/IP/userid
  - From ona ARP logs, we can determine MAC
  - Thus we can build a database table of userid/MAC
- Next time there is an incident, and date/time/IP is reported…
  - We determine MAC from ona ARP logs
  - We determine userid from table of userid/MAC
- Even if our cabling looks like
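The two procedures above (tracing an incident IP to a MAC and switch port, and building a userid/MAC table from host authentication logs joined to ARP logs) are the same time-indexed join, and the pitfall is the same in both: a dynamic IP changes hands, so the binding must be the one that was current at the time in question, not the latest one. The Python below is an added example, not code from the talk or from ona or Maintain. It works over constructed log lines in an assumed `date time ip mac`, `date time mac switch port` and `date time ip userid` layout (real ona logs would need their own parser, but the join is layout-independent), picks the observation most recent at or before the requested time, and returns nothing when the last observation is older than 24 hours rather than guess. The constructed data has one dynamic IP, 10.0.5.17, moving between two MACs, so the same IP resolves to different ports and users depending on the incident time.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the talk). The column layout is an assumption
# made for this example; real ona logs need their own parser, the join does not.
ARP_LOG = """\
2009-11-03 08:00:11 10.0.5.17 00:1a:2b:3c:4d:5e
2009-11-03 08:00:12 10.0.5.20 00:1a:2b:aa:bb:cc
2009-11-03 10:02:40 10.0.5.17 00:1a:2b:99:88:77
"""
# Which switch and port learned which MAC, and when.
MAC_LOG = """\
2009-11-03 08:00:30 00:1a:2b:3c:4d:5e sw-pha-1 7
2009-11-03 08:00:31 00:1a:2b:aa:bb:cc sw-pha-1 12
2009-11-03 10:03:02 00:1a:2b:99:88:77 sw-pha-2 3
"""
# Host-side authentication log: who logged in from which IP, and when.
AUTH_LOG = """\
2009-11-03 08:05:00 10.0.5.17 alice
2009-11-03 08:07:30 10.0.5.20 bob
2009-11-03 10:15:00 10.0.5.17 carol
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text, fields):
    """Parse whitespace-separated lines into dicts; 'fields' names the columns after date and time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 + len(fields):
            continue  # blank or truncated line
        row = {"ts": datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT)}
        row.update(zip(fields, parts[2:]))
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


class BindingHistory:
    """For a key (an IP or a MAC), the value observed most recently at or before a given time."""

    def __init__(self, rows, key, value_fields, max_age=timedelta(hours=24)):
        self.max_age = max_age
        self.index = defaultdict(lambda: ([], []))  # key -> (sorted timestamps, values)
        for r in rows:  # rows arrive sorted by timestamp
            stamps, values = self.index[r[key]]
            stamps.append(r["ts"])
            values.append(tuple(r[f] for f in value_fields))

    def lookup(self, key, when):
        stamps, values = self.index.get(key, ([], []))
        i = bisect_right(stamps, when) - 1
        if i < 0 or when - stamps[i] > self.max_age:
            return None  # nothing observed recently enough to trust
        return values[i]


def build_userid_mac_table(auth_rows, ip_to_mac):
    """Join each login (time, IP, userid) to the MAC holding that IP at that time: MAC -> set of userids."""
    table = defaultdict(set)
    for r in auth_rows:
        binding = ip_to_mac.lookup(r["ip"], r["ts"])
        if binding is not None:
            table[binding[0]].add(r["userid"])
    return dict(table)


def trace_incident(ip, when, ip_to_mac, mac_to_port, userid_table):
    """Given IP and time of an incident, return the MAC, switch/port and userids seen on that MAC."""
    binding = ip_to_mac.lookup(ip, when)
    if binding is None:
        return None
    mac = binding[0]
    location = mac_to_port.lookup(mac, when)
    return {
        "mac": mac,
        "switch": location[0] if location else None,
        "port": location[1] if location else None,
        "userids": sorted(userid_table.get(mac, ())),
    }


IP_TO_MAC = BindingHistory(parse_log(ARP_LOG, ["ip", "mac"]), "ip", ["mac"])
MAC_TO_PORT = BindingHistory(parse_log(MAC_LOG, ["mac", "switch", "port"]), "mac", ["switch", "port"])
USERID_TABLE = build_userid_mac_table(parse_log(AUTH_LOG, ["ip", "userid"]), IP_TO_MAC)


def trace_at(ip, when_text):
    """Convenience wrapper: incident time given as 'YYYY-MM-DD HH:MM:SS' text."""
    return trace_incident(ip, datetime.strptime(when_text, TS_FORMAT), IP_TO_MAC, MAC_TO_PORT, USERID_TABLE)


if __name__ == "__main__":
    # 10.0.5.17 moved to another MAC at 10:02, so the answer depends on the incident time.
    for when in ("2009-11-03 09:00:00", "2009-11-03 11:00:00"):
        print(when, trace_at("10.0.5.17", when))
```

The 24-hour `max_age` is the knob that decides how stale an ARP observation may be before the tool says "unknown" instead of naming a port or a person; with a real ARP polling interval it should be set to a small multiple of that interval.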

Authentication Logging Pilot

    Orgunit       Users   Percentage of Active IPs
    Admin         619     34
    Science
    Math          255     20
    CS            390     29
    Engineering
    Arts          646     56
    Env           247     55
    Library       143     23
    AHS           204     48
    IST           250     43
    Resnet
    Total

- Enabled on mywaterloo, mailservices, and nexus in October
- Matched userid/MAC for users shown in table
- Inspired by GULP: A Unified Logging Architecture for Authentication Data (LISA 05)

Another Feature of the Pharmacy Model
- Ever run out of IPs on a subnet, and needed to clean it up?
- Ona ping results show last active dates, but what is considered inactive? Not seen in 6 months, a year?
- If you have a range of dynamic addresses on your subnets which allow any host, you can aggressively delete inactive static hosts.
- If a user of a deleted host comes back, they will get a dynamic address… and can use it to complain.

Recommendations
- To provide convenient wired service to users, and to reduce IT staff workload:
  - Subnets serving hosts in private areas should have dynamic ranges added, which allow any hosts.
- To maintain security and accountability:
  - Authentication logging pilot should be expanded to other major systems (e.g. Exchange, quest, bookit)
  - Ports serving public areas need to be adequately protected from misuse (e.g. MAC lockdown, authentication)