Transcript University Issues

University Issues
 William Annis - University of Wisconsin
 David Brumley - Stanford University
 Robyn Landers - University of Waterloo
 Kathy Penn - University of Maryland
 Jon Finke - Rensselaer Polytechnic Institute
Format
Begin
Open Topic_List_Cursor;
Loop
fetch Topic_List_Cursor into Topic,Presenter;
exit when Topic is Null;
Introduce(Presenter, Minutes =>1);
PresenterDiscusses(Topic, Minutes => 10);
PanelRebuts(Topic, Minutes => 5);
AudienceComments;
end loop
end;
Topics:
 Managing Growth
• William Annis
 Computer Security and Incidence
Response
• David Brumley
 Residence Networking
• Robyn Landers
 Backups - Procedure and Policy
• Kathy Penn
Managing Growth
 William Annis
 Biomedical Computing Group - U Wisconsin
•
•
•
•
•
Statisticians - Grads, Faculty and Post Docs
Solaris (20 Servers, 40 desktops), 40 Xterms
Citrix NT for NT applications
Web and database servers.
2 FT Admins, 1/2 Manager, 3/4 Student
When I started:
No admin, just parts of staff and an occasional
grad student
 Machines acting as file servers al over campus
 Strange, uncommented code kept us running

How we changed:
Wrote a large document
 Centralized everything
 One OS version
 cfengine squashes irregularities

The change:
Took two years -- will be done RSN
 Initial steps noisy and obvious
 Users still not quite sure of the centralized
computing concept
 Admin brain-retooling took a while

Computer Security and
Incidence Response
 David Brumley [email protected]
 Stanford University
• Fiber to Internet (100 MB/S single duplex); OC12
to Internet2 (600MB/S full duplex); up to 2.6
gigabit internally (full duplex)
• 505 Active subnets, 53216 registered nodes
• 18116 PCs, 9305 Macs, 2629 Unix
• 2299 Network Infrastructure, 711 Other
• 1997 Printer, 338 Unknown, 258 X-terminals
Residence Hall Networking
 Robyn Landers [email protected]

University of Waterloo, Math Faculty, Undergrad
• Mostly Sun(22) servers, X terminals(200)
• WinCenter (PC apps on X terminals)
• Network Appliance NFS servers
– Unix, PC home directories
• SGI (14), PC ( 90) and Mac(120)
%cc hello.world.c
eh.oot
Nice starting point:
www.adm.uwaterloo.ca/infohous/resnet
Techie details:
www.ist.uwaterloo.ca/cn/Residence/tech.html
Getting Connected
policy agreement
 fill out form, incl. MAC address
 forms hand-entered into spreadsheet
 scripts extract info into DHCP tab and router ARP
entries

Rate Limiting
cron job queries router every 12 minutes
 compute traffic volume per IP

• daily total (150 Mb/day)
• running average (25 Mb/day)
exceed limit => external access cut off
 web page where students can check their own
stats
 reduces accidental and intentional misuse
 manual intervention in case of policy abuse

Privacy and Security
access control on hosts that have resnet info
 can’t use DHCP info to track down student’s
personal info, for example
 students can view only their own usage stats


Interesting Problems
student set up rogue DHCP server
 some MS W98 network drivers locked up after
receiving DHCP answer
 some W98 needed a vendor tag set in DHCP entry
(value irrelevant)
 forging mail and news
 client-side denial of service -- client grabs all the
IPs
 server spoofing

Uninteresting Problems

syntax errors in DHCPtab from manual entry
• now have automatic checker

wall jacks fail from abuse
Non-Problems
automatic rate-limiting prevents network
overload
 students learn and share local sources, reducing
need for off-site

Summary

What’s cool
• auto rate limiting (Perl. Uses no vendor-specific
features. Router just needs to keep and report traffic
stats so you can query it.)
• web page where studens check their usage

What would be nice
• on-line D.I.Y. registration
• use the D in DHCP

Other implementations
• Stanford’s Secure Public InterNet ACcess Handler
http://spinach.stanford.edu
Backup -- Procedure and Policy
 Kathy Penn [email protected]
 Institute for Systems Research, U Maryland
•
•
•
•
900 Grad Students, 60 Faculty, 40 Admin Staff
175 Unix (mostly Sun), 100 PCs & Macs
Sys Admin staff - 5 FTE, 5 Student
3 Class C Subnets, but routers run by University
networking department
Backups
Everyone does them
 Everyone does restores
 Everyone verifies backups
 But does everyone know how?

Document Your Procedures
How to do the actual backups
 How to do the restores
 Have someone step through the instructions
 Don’t forget Why, Where, Which

Document Your Policies
For staff and users
 How frequently backups are made
 How frequently archival copies are made
 How long archives are kept
 What do you NOT backup, and why

Restoration Information
How do users request restores?
 If they can do their own restores, how?
 How long do restores take?
 Who can request restores?

IANAL (I Am Not A Lawyer)
Check with your central University policy
 Check with University lawyers
 Document Everything -- especially your policies

These Slides Will Be Available
Near You Soon!

Http:www.rpi.edu/~finkej/u-issues/