Network Services Update - University of Waterloo


Network Services Update
Bruce Campbell
Director, Network Services
Information Systems and Technology
January 14, 2011
Network Management
• IST responsible for campus network management as of
January 1, 2011
– Monitoring
– Repair/replacement of failed equipment
– Expansion
– Evolution of services in consultation with stakeholders
• Time and materials charges for network cabling
• IST funds incremental expansion of network, and is
responsible for seeking funding for major campus
network upgrades as needed.
• Network equipment for new buildings and major
renovations charged to building/renovation project.
Firewalls
• The University’s networks are generally open
and not firewalled.
• Several firewall deployments do exist:
– Juniper SRX firewalls for point of sale devices in
SLC and SCH
– Juniper SRX firewall cluster for IST machine room
– Sonicwall in Civil Engineering
– Juniper Netscreen in Computer Science
Firewall Support
• IST supports the Juniper SRX product
• Civil Engineering: proposing to replace the
Sonicwall with a small SRX or ACLs on the router
• Computer Science: preparing to deploy used
SRX 650s coming out of service from wireless
NAT (larger units being deployed for wireless
NAT)
Firewalls
• Consult with IST IT Security group
• Firewalls are needed in some cases for PCI compliance, or
as recommended by auditor.
• Provide a layer of security.
• Little apparent correlation between compromised systems
and firewalls (or lack thereof) – difficult to measure
effectiveness. (hard to say what didn’t get broken into)
• Many compromises are related to phishing, malware –
difficult to address.
• Can add complexity and cost, and impact service (ease of
use).
• Consult with IST IT Security group!
Campus VPN Service
• Campus project, led by Trevor Grove of CSCF, to select
a VPN solution for faculty, grad students and staff.
• To provide simplified/secure access to some
applications, from off campus, as needed.
• Looked at Cisco, Juniper, Microsoft and open source.
• Cisco ASA 5540 chosen.
• Procurement of redundant pair in progress, IST to
begin implementation within a month.
• Expecting 100-500 users.
IP Addresses
• We are running out of subnets!
• The University has 65,536 public IP addresses available
(129.97.0.0/16)
• This is generally broken into 256 subnets of 256 addresses each
(with exceptions)
• Only 14 such subnets left (5%)
• We expect to be out of subnets by the end of 2011, as each new
building will require several subnets.
• A major campus effort is needed to optimize use of the campus IP
address space. Discussions have started at CTSC and CNAG.
• Technical effort is not difficult, but it can be time consuming.
• Involves changing IP addresses on computers, working with end
users.