
Innovations In Wired Network Service






Presentation Transcript


  1. Innovations In Wired Network Service Bruce Campbell

  2. First, a bit about wireless
  • Aruba system
  • Main Campus
    • 3 controllers (adding 4th in 2010-2011)
    • 850 APs (b/g)
    • 25 /24 public subnets
  • Housing residences
    • 3 controllers
    • 535 APs (a/b/g)
    • 14 /24 public subnets
  Watitis 2009 - Innovations in Wired Network Service - Bruce Campbell

  3. Wireless Usage Increasing
  • handheld devices
  • need to move to NAT (private addresses)
  • adding traffic management (peer to peer etc.)
  • average 6,000 square feet per AP on main campus
  • need to double or triple density in high load areas, e.g. DC, LIB, SLC
  • adding 50-100 APs before April 30, 2010
  • adding 100-200 APs 2010-2011

  4. ‘n’
  • new 802.11n AP available, $510, a/b/g/n (2x2)
  • more channels, higher bandwidth
  • will be deployed in new buildings
  • may install 'n' in existing high load areas, and recycle b/g APs

  5. What makes wireless so special?
  • available everywhere
  • users don't need to request service in advance
  • mobile
  • meets many users' basic requirements
  • allows users to use network services on their terms

  6. What makes wireless less special?
  • slower
  • less secure?
  • less reliable?
  • requires authentication, or some other means to restrict usage to authorized users
  • generally focused on laptops, netbooks, handhelds, with dynamic IPs
  • technology refresh cycle, compare:
    • network cabling infrastructure - 15-20 years
    • network switch/router infrastructure - 6-8 years
    • wireless infrastructure - 3-4 years

  7. Providing Wired and Wireless Network Services
  • Wireless-only vendors claim wireless is ready to be the primary network service.
  • Reality check:
    • Mobile (wireless) networking is designed for mobile computing.
    • Fixed (wired) networking is designed for fixed computing.
    • We have both fixed and mobile computing, and thus need both fixed and mobile networking, and will likely need to continue to expand and improve both.

  8. Wired/Wireless comparison
  • Wired and wireless networking serve different needs, but let's compare them anyway.
  • The wireless vendors will work on speed, reliability, security.
  • Mobility on the wired network is limited to wall jacks and the length of a patch cable.
  • Can we do anything about convenience on wired networking?

  9. Is Convenience Important?
  • Improved service
  • Self-service can reduce IT staff workload
  • People may choose a convenient service over the right service.
    • We need to make the right services convenient
  • Wireless – limitations (speed, reliability) are largely governed by laws of physics.
  • Wired – limitations (convenience) are largely governed by our processes

  10. Self Serve Wired Network Service
  • First make sure the wall jacks are live
  • Photos: Trent; UW (unnamed dept)

  11. 1-to-1 patch cabling
  • All jacks live.
  • Implemented in Science 2006-2007
  • Standard in all new buildings.
  • Upgrades in Academic Support buildings in progress.

  12. Cable Documentation
  • See ona screenshots

  13. DHCP and Authentication
  • Making all jacks live is only part of the picture.
  • Computers still need IP addresses
    • Manually assign in Maintain
    • Computer can be hardcoded or use DHCP
    • Dynamic ranges in Maintain
    • Can require MAC addresses be registered or not
  • Network connectivity
    • Unauthenticated
    • Authenticated

  14. Dynamic Ranges in Maintain
  • Hostmaster sets these up on request
  • Can be set to allow any, registered, or unregistered hosts

  15. Authenticate or not?
  • Unauthenticated access
    • Used in resnet (subject to MAC lockdown)
    • Short dynamic ranges on many campus subnets, for registered hosts
    • Pharmacy
  • Authentication options
    • Captive portal
    • 802.1x

  16. Wired Captive Portal
  • Same as wireless (Aruba)
  • Offered in 12 areas on campus
  • Most heavily used in Engineering

  17. 802.1x wired authentication
  • Not currently offered, experimental

  18. 802.1x Switch configuration
  • Enabling 802.1x on port 26
  • Set up RADIUS server.
  • Switch config fragment:
      aaa authentication port-access login eap-radius
      radius-server host 129.97.x.y key xxxxxxxx
      primary-vlan 108
      aaa port-access authenticator 26
      aaa port-access authenticator active
      aaa port-access 26

  19. 802.1x Client Configuration
  • See "How to configure 802.1x authentication with a Windows XP or Vista supplicant"
  • (maybe it is easier with Windows 7)
  • With a configurator tool, this might work well
  • Need to test other devices (e.g. VoIP phones)

  20. Unauthenticated Network Access: Resnet
  • Thousands of people move into residence over a weekend.
  • Network security mechanisms and processes used in resnet:
    • MAC lockdown
        port-security NN learn-mode static
    • DHCP snooping
        dhcp-snooping
        dhcp-snooping authorized-server 129.97.x.y
        dhcp-snooping database file "tftp://xxxxx"
        dhcp-snooping option 82 untrusted-policy keep
        dhcp-snooping vlan nnn
        interface NN
          dhcp-snooping trust
          exit
    • ARP protection
        arp-protect
        arp-protect trust NN
        arp-protect validate src-mac dest-mac ip
        arp-protect vlan nnn
    • Documented network cabling
    • Traffic management
    • “Client only” ACLs
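What the DHCP snooping and ARP protection settings on this slide buy you is easier to see in a small model than in the config fragment. The following is an added example, not code from the slides or from the switch vendor: it mimics the behaviour of `dhcp-snooping authorized-server`, `dhcp-snooping trust` on the uplink and `arp-protect validate src-mac dest-mac ip` using constructed packets. The authorized-server address 129.97.1.1 and the port numbers are assumed stand-ins for the slide's 129.97.x.y and NN.

```python
"""Model of the resnet DHCP snooping and ARP protection controls.

Added example, not the slides' or the vendor's code.  Server address and
port numbers are assumed stand-ins for the slide's 129.97.x.y and NN.
"""
import ipaddress

AUTHORIZED_SERVERS = {"129.97.1.1"}   # assumed: the slide shows 129.97.x.y
TRUSTED_PORTS = {"24"}                # assumed: uplink toward DHCP server and gateway
BROADCAST = ipaddress.ip_address("255.255.255.255")


class AccessSwitch:
    def __init__(self):
        self.pending = {}    # client MAC -> access port seen on DISCOVER/REQUEST
        self.bindings = {}   # client MAC -> (leased IP, access port)

    def dhcp(self, port, msg, mac, server=None, ip=None):
        """Filter one DHCP message arriving on `port`; returns 'forward' or 'drop'."""
        if msg in ("DISCOVER", "REQUEST"):
            # Client messages are accepted from any port; remember where the client is.
            self.pending[mac] = port
            return "forward"
        # OFFER/ACK are server messages: only from a trusted port and only from an
        # authorized server.  A rogue DHCP server on a resnet jack is dropped here.
        if port not in TRUSTED_PORTS or server not in AUTHORIZED_SERVERS:
            return "drop"
        if msg == "ACK" and mac in self.pending:
            # A completed lease becomes a binding that ARP protection then enforces.
            self.bindings[mac] = (ip, self.pending.pop(mac))
        return "forward"

    def arp(self, pkt):
        """Apply ARP protection to one ARP packet; returns (verdict, reason).

        pkt keys: port, eth_src, eth_dst, op ('request'/'reply'),
        sha/spa (sender MAC/IP), tha/tpa (target MAC/IP).
        """
        if pkt["port"] in TRUSTED_PORTS:
            return "forward", "trusted port"
        # validate src-mac: Ethernet source must equal the ARP sender hardware address
        if pkt["eth_src"] != pkt["sha"]:
            return "drop", "src-mac mismatch"
        # validate dest-mac: a reply's Ethernet destination must equal its ARP target address
        if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["tha"]:
            return "drop", "dest-mac mismatch"
        # validate ip: the sender address must be a usable unicast address
        spa = ipaddress.ip_address(pkt["spa"])
        if spa.is_unspecified or spa.is_multicast or spa.is_loopback or spa == BROADCAST:
            return "drop", "invalid sender ip"
        # Finally, sender MAC/IP/port must match a DHCP snooping binding; this is
        # what stops a host on an untrusted port answering for the gateway's IP.
        if self.bindings.get(pkt["sha"]) != (pkt["spa"], pkt["port"]):
            return "drop", "no matching binding"
        return "forward", "ok"


def arp_packet(port, sender_mac, sender_ip, target_ip, op="request", eth_src=None,
               eth_dst="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00"):
    """Build a constructed ARP packet; eth_src defaults to the ARP sender MAC."""
    return {"port": port, "eth_src": eth_src or sender_mac, "eth_dst": eth_dst,
            "op": op, "sha": sender_mac, "spa": sender_ip, "tha": target_mac, "tpa": target_ip}


def demo():
    """One lease, then genuine and spoofed ARP traffic; returns the verdicts in order."""
    sw = AccessSwitch()
    client, rogue = "00:11:22:33:44:01", "00:11:22:33:44:99"   # constructed MACs
    return [
        sw.dhcp("3", "DISCOVER", client),
        sw.dhcp("5", "OFFER", client, server="10.0.0.9", ip="129.97.50.99"),    # rogue server on a jack
        sw.dhcp("24", "OFFER", client, server="129.97.1.1", ip="129.97.50.20"),
        sw.dhcp("3", "REQUEST", client),
        sw.dhcp("24", "ACK", client, server="129.97.1.1", ip="129.97.50.20"),
        sw.arp(arp_packet("3", client, "129.97.50.20", "129.97.50.1"))[0],       # genuine request
        sw.arp(arp_packet("5", rogue, "129.97.50.1", "129.97.50.20", op="reply",
                          eth_dst=client, target_mac=client))[0],               # gateway spoof
        sw.arp(arp_packet("3", client, "129.97.50.20", "129.97.50.1",
                          eth_src=rogue))[0],                                   # forged frame header
    ]


if __name__ == "__main__":
    print(demo())
```

The order matters in practice as well as in the model: ARP protection has nothing to check against until DHCP snooping has populated the binding table, which is why the slide's `dhcp-snooping database file` entry (persisting bindings across a reboot) is there, and why a host with a hard-coded static address on an untrusted port will have its ARP dropped unless a static binding is added for it.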

  21. Unauthenticated Network Access: School of Pharmacy
  • Desire for guests and occasional users to have immediate, self-serve, wired network access
  • Small range of dynamic addresses on the same subnet as static addresses
  • Available in private offices only
  • No authentication needed

  22. How to trace/block misuse of a dynamic, unauthenticated IP address?
  • Given IP/date/time of incident…
    • Determine MAC from ona ARP logs
    • Determine switch port from ona MAC logs
    • Determine room from cable documentation
    • Determine person (who has keys to room)
  • Or, disable the switch port
  • Or, blackhole the MAC (tools not provided yet)
  • Chill. Recognize that with static IPs, DNS records are often out of date, and people can hard code the wrong IP anyway.

  23. MAC address documentation by reverse engineering
  • It is the MAC address, not the IP, that is tied to a given piece of equipment.
  • Can we figure out users associated with MAC addresses?
  • When a user checks e-mail (or uses bookit, nexus, myhrinfo, etc.)…
    • From host logs, we can get a date/time/IP/userid
    • From ona ARP logs, we can determine MAC
    • Thus we can build a database table of userid/MAC
  • Next time there is an incident, and date/time/IP is reported…
    • We determine MAC from ona ARP logs
    • We determine userid from table of userid/MAC
  • Even if our cabling looks like

  24. Authentication Logging Pilot
  • Enabled on mywaterloo, mailservices, and nexus in October
  • Matched userid/MAC for users shown in table
  • Inspired by GULP: A Unified Logging Architecture for Authentication Data (LISA ‘05)
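Slides 22 to 24 describe two lookup chains that share a step: incident IP/date/time to MAC via the ARP logs, then MAC to switch port and room (slide 22), and login time/IP/userid to MAC via the same ARP logs to build the userid/MAC table (slides 23 and 24). The following is an added example, not a tool from the slides or from ona: it runs both chains over constructed log lines. The log layouts, switch name, rooms and userids are assumptions; ona's real formats are not shown in the slides. It also adds the check a practitioner wants before acting on the result: because the ARP and MAC logs are periodic polls, the answer is flagged as ambiguous when the next poll after the incident time shows a different MAC or port.

```python
"""Trace a dynamic, unauthenticated IP to a port, a room and a userid.

Added example, not a tool from the slides.  Log layouts, switch names,
rooms and userids below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs.  Assumed layout: ISO timestamp, then space-separated fields.
ARP_LOG = """\
2009-11-03T09:00:00 129.97.50.20 00:11:22:33:44:01
2009-11-03T09:00:00 129.97.50.21 00:11:22:33:44:02
2009-11-03T13:00:00 129.97.50.20 00:11:22:33:44:01
2009-11-03T17:00:00 129.97.50.20 00:11:22:33:44:07
"""                                            # timestamp ip mac
MAC_LOG = """\
2009-11-03T09:05:00 00:11:22:33:44:01 sw-pharm-1 12
2009-11-03T09:05:00 00:11:22:33:44:02 sw-pharm-1 13
2009-11-03T17:05:00 00:11:22:33:44:07 sw-pharm-1 18
"""                                            # timestamp mac switch port
AUTH_LOG = """\
2009-11-03T09:12:00 129.97.50.20 jsmith mailservices
2009-11-03T10:40:00 129.97.50.21 akhan nexus
2009-11-03T17:30:00 129.97.50.20 rlee mywaterloo
"""                                            # timestamp ip userid service
CABLE_DOC = {("sw-pharm-1", "12"): "PHR 2014",   # (switch, port) -> room
             ("sw-pharm-1", "13"): "PHR 2015",
             ("sw-pharm-1", "18"): "PHR 2102"}


def parse(log):
    """Turn log text into (datetime, field, field, ...) tuples."""
    rows = []
    for line in log.splitlines():
        ts, *fields = line.split()
        rows.append((datetime.fromisoformat(ts), *fields))
    return rows


def latest(rows, key, when, value):
    """Value of the most recent record for `key` (the field after the timestamp)
    at or before `when`.  ARP and MAC logs are periodic polls, so if the next
    record after `when` reports a different value the answer is ambiguous."""
    before = [r for r in rows if r[1] == key and r[0] <= when]
    after = [r for r in rows if r[1] == key and r[0] > when]
    if not before:
        return None, False
    found = value(max(before, key=lambda r: r[0]))
    ambiguous = bool(after) and value(min(after, key=lambda r: r[0])) != found
    return found, ambiguous


def userid_mac_table(auth_rows, arp_rows):
    """Slide 23: join login events (time/IP/userid) with ARP logs into MAC -> userids."""
    table = defaultdict(set)
    for ts, ip, userid, _service in auth_rows:
        mac, _ = latest(arp_rows, ip, ts, lambda r: r[2])
        if mac:
            table[mac].add(userid)
    return table


def trace(ip, when_iso, arp_rows, mac_rows, cable_doc, table):
    """Slide 22: incident IP/time -> MAC -> switch port -> room, plus slide 23's userids."""
    when = datetime.fromisoformat(when_iso)
    mac, mac_amb = latest(arp_rows, ip, when, lambda r: r[2])
    if mac is None:
        return {"mac": None, "ambiguous": False, "switch_port": None, "room": None, "userids": []}
    loc, loc_amb = latest(mac_rows, mac, when, lambda r: (r[2], r[3]))
    return {"mac": mac,
            "ambiguous": mac_amb or loc_amb,   # re-check before disabling a port
            "switch_port": loc,
            "room": cable_doc.get(loc),
            "userids": sorted(table.get(mac, ()))}


ARP_ROWS, MAC_ROWS, AUTH_ROWS = parse(ARP_LOG), parse(MAC_LOG), parse(AUTH_LOG)
TABLE = userid_mac_table(AUTH_ROWS, ARP_ROWS)

if __name__ == "__main__":
    for incident in ("2009-11-03T11:00:00", "2009-11-03T15:00:00", "2009-11-03T18:00:00"):
        print(incident, trace("129.97.50.20", incident, ARP_ROWS, MAC_ROWS, CABLE_DOC, TABLE))
```

In the sample data the 15:00 incident is flagged ambiguous: the address was seen with one MAC at 13:00 and another at 17:00, so the lease changed hands somewhere in between and the ARP poll cannot say on which side of the incident. That is the case where a port should not be disabled on the strength of the lookup alone.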

  25. Another Feature of the Pharmacy Model
  • Ever run out of IPs on a subnet, and needed to clean it up?
  • Onaping results show last active dates, but what is considered inactive? Not seen in 6 months, a year?
  • If you have a range of dynamic addresses on your subnets, which allow any host, you can aggressively delete inactive static hosts.
  • If a user of a deleted host comes back, they will get a dynamic address… and can use it to complain.

  26. Recommendations
  • To provide convenient wired service to users, and to reduce IT staff workload:
    • Subnets serving hosts in private areas should have dynamic ranges added, which allow any hosts.
  • To maintain security and accountability:
    • Authentication logging pilot should be expanded to other major systems (e.g. Exchange, quest, bookit)
    • Ports serving public areas need to be adequately protected from misuse (e.g. MAC lockdown, authentication)
