Innovations In Wired Network Service Bruce Campbell
First, a bit about wireless Aruba system Main Campus 3 controllers (adding 4th in ) 850 APs (b/g) 25 /24 public subnets Housing residences 3 controllers 535 APs (a/b/g) 14 /24 public subnets Watitis Innovations in Wired Network Service - Bruce Campbell
Wireless Usage Increasing handheld devices need to move to NAT (private addresses) adding traffic management (peer to peer etc) average 6,000 square feet per AP on main campus need to double or triple density in high load areas, e.g. DC, LIB, SLC adding APs before April 30, 2010 adding APs Watitis Innovations in Wired Network Service - Bruce Campbell
n new n AP available, $510, a/b/g/n (2x2) More channels, higher bandwidth Will be deployed in new buildings may install 'n' in existing high load areas, and recycle b/g APs Watitis Innovations in Wired Network Service - Bruce Campbell
What makes wireless so special ? available everywhere users don't need to request service in advance mobile meets many users basic requirements allows users to use network services on their terms Watitis Innovations in Wired Network Service - Bruce Campbell
What makes wireless less special ? slower less secure ? less reliable ? requires authentication, or some other means to restrict usage to authorized users. generally focused on laptops, netbooks, handhelds, with dynamic IPs technology refresh cycle, compare network cabling infrastructure years network switch/router infrastructure years wireless infrastructure years Watitis Innovations in Wired Network Service - Bruce Campbell
Providing Wired and Wireless Network Services Wireless only vendors claim wireless is ready to be the primary network service. Reality Check: Mobile (wireless) networking is designed for mobile computing. Fixed (wired) networking is designed for fixed computing. We have both fixed and mobile computing, and thus need both fixed and mobile networking, and will likely need to continue to expand and improve both. Watitis Innovations in Wired Network Service - Bruce Campbell
Wired/Wireless comparison Wired and wireless networking serve different needs, but lets compare them anyway. The wireless vendors will work on speed, reliability, security Mobility on the wired network limited to wall jacks and length of patch cable. Can we do anything about convenience on wired networking ? WiredWireless Mobility Convenience Speed Reliability Security Watitis Innovations in Wired Network Service - Bruce Campbell
Is Convenience Important ? Improved service Self service can reduce IT staff work load People may choose a convenient service over the right service. We need to make the right services convenient Wireless – limitations (speed, reliability) are largely governed by laws of physics. Wired – limitations (convenience) are largely governed by our processes Watitis Innovations in Wired Network Service - Bruce Campbell
Self Serve Wired Network Service First make sure the wall jacks are live UW (unnamed dept) Trent Watitis Innovations in Wired Network Service - Bruce Campbell
1-to-1 patch cabling All jacks live. Implemented in Science Standard in all new buildings. Upgrades in Academic Support buildings in progress. Watitis Innovations in Wired Network Service - Bruce Campbell
Cable Documentation See ona screenshotsona screenshots Watitis Innovations in Wired Network Service - Bruce Campbell
DHCP and Authentication Making all jacks live is only part of the picture. Computers still need IP addresses Manually assign in Maintain Computer can be hardcoded or use DHCP Dynamic ranges in Maintain Can require MAC addresses be registered or not Network connectivity Unauthenticated Authenticated Watitis Innovations in Wired Network Service - Bruce Campbell
Dynamic Ranges in Maintain Hostmaster sets these up on request Can be set to allow any, Registered, or unregistered Watitis Innovations in Wired Network Service - Bruce Campbell
Authenticate or not ? Unauthenticated access Used in resnet (subject to MAC lockdown) Short dynamic ranges on many campus subnets, for registered hosts Pharmacy Authentication options Captive portal 802.1x Watitis Innovations in Wired Network Service - Bruce Campbell
Wired Captive Portal Same as wireless (Aruba) Offered in 12 areas on campus Most heavily used in Engineering Watitis Innovations in Wired Network Service - Bruce Campbell
802.1x wired authentication Not currently offered, experimental Watitis Innovations in Wired Network Service - Bruce Campbell
802.1x Switch configuration Enabling 802.1x on port 26 Setup radius server. Switch config fragment: aaa authentication port-access login eap-radius radius-server host x.y key xxxxxxxx primary-vlan 108 aaa port-access authenticator 26 aaa port-access authenticator active aaa port-access 26 Watitis Innovations in Wired Network Service - Bruce Campbell
802.1x Client Configuration See How to configure 802.1x authentication with a Windows XP or Vista supplicantHow to configure 802.1x authentication with a Windows XP or Vista supplicant (maybe it is easier with Windows 7) With a configurator tool, this might work well Need to test other devices (e.g. VoIP phones) Watitis Innovations in Wired Network Service - Bruce Campbell
Unauthenticated Network Access Resnet Thousands of people move into residence over a weekend. Network security mechanisms and processes used in resnet: MAC lockdown port-security NN learn-mode static DHCP snooping dhcp-snooping dhcp-snooping authorized-server x.y dhcp-snooping database file "tftp://xxxxx" dhcp-snooping option 82 untrusted-policy keep dhcp-snooping vlan nnn interface NN dhcp-snooping trust exit ARP protection arp-protect arp-protect trust NN arp-protect validate src-mac dest-mac ip arp-protect vlan nnn Documented network cabling Traffic management Client only ACLs Watitis Innovations in Wired Network Service - Bruce Campbell
Unauthenticated Network Access School of Pharmacy Desire for guests and occasional users to have immediate, self serve, wired, network access Small range of dynamic addresses on same subnet as static addresses Available in private offices only No authentication needed IP address#Purpose Default gateway to Static addresses to 25415Dynamic addresses Watitis Innovations in Wired Network Service - Bruce Campbell
How to trace/block misuse of a dynamic, unauthenticated, IP address? Given IP/date/time of incident… Determine MAC from ona ARP logs Determine switch port from ona MAC logs Determine room from cable documentation Determine person (who has keys to room) Or, disable the switch port Or blackhole the MAC (tools not provided yet) Chill. Recognize that with static IPs, DNS records are often out of date, and people can hard code the wrong IP anyway. Watitis Innovations in Wired Network Service - Bruce Campbell
MAC address documentation by reverse engineering It is the MAC address, not the IP, that is tied to a given piece of equipment. Can we figure out users associated with MAC addresses ? When a user checks (or uses bookit, nexus, myhrinfo, etc)… From host logs, we can get a date/time/IP/userid From ona ARP logs, we can determine MAC Thus we can build a database table of userid/MAC Next time there is an incident, and date/time/IP is reported… We determine MAC from ona ARP logs We determine userid from table of userid/MAC Even if our cabling looks like Watitis Innovations in Wired Network Service - Bruce Campbell
Authentication Logging Pilot OrgunitUsersPercentage of Active IPs Admin61934 Science Math25520 CS39029 Engineering Arts64656 Env24755 Library14323 AHS20448 IST25043 Resnet Total Enabled on mywaterloo, mailservices, and nexus in October Matched userid/MAC for users shown in table Inspired by GULP: A Unified Logging Architecture for Authentication Data (LISA 05)GULP: A Unified Logging Architecture for Authentication Data Watitis Innovations in Wired Network Service - Bruce Campbell
Another Feature of the Pharmacy Model Ever ran out of Ips on a subnet, and needed to clean it up ? Ona ping results show last active dates, but what is considered inactive ? Not seen in 6 months, a year ?ping results If you have a range of dynamic addresses on your subnets, which allow any host, you can aggressively delete inactive static hosts. If a user of a deleted host comes back, they will get a dynamic address… and can use it to complain. Watitis Innovations in Wired Network Service - Bruce Campbell
Recommendations To provide convenient wired service to users, and to reduce IT staff workload: Subnets serving hosts in private areas should have dynamic ranges added, which allow any hosts. To maintain security and accountability: Authentication logging pilot should be expanded to other major systems (e.g. Exchange, quest, bookit) Ports serving public areas need to be adequately protected from misuse (e.g. MAC lockdown, authentication) Watitis Innovations in Wired Network Service - Bruce Campbell