Innovations In Wired Network Service

Bruce Campbell
First, a bit about wireless
 Aruba system
   Main Campus
     3 controllers (adding 4th in 2010-2011)
     850 APs (b/g)
     25 /24 public subnets
   Housing residences
     3 controllers
     535 APs (a/b/g)
     14 /24 public subnets
Watitis 2009 - Innovations in Wired Network Service - Bruce Campbell
Wireless Usage Increasing
 handheld devices
 need to move to NAT (private addresses)
 adding traffic management (peer-to-peer, etc.)
 average 6,000 square feet per AP on main campus
   need to double or triple density in high load areas, e.g.
   DC, LIB, SLC
   adding 50-100 APs before April 30, 2010
   adding 100-200 APs 2010-2011
802.11n ('n')
 new 802.11n AP available, $510, a/b/g/n (2x2)
 more channels, higher bandwidth
 will be deployed in new buildings
 may install 'n' in existing high load areas, and
   recycle b/g APs
What makes wireless so special?
 available everywhere
 users don't need to request service in advance
 mobile
 meets many users' basic requirements
 allows users to use network services on their terms
What makes wireless less special?
 slower
 less secure?
 less reliable?
 requires authentication, or some other means to restrict
   usage to authorized users
 generally focused on laptops, netbooks, handhelds, with
   dynamic IPs
 technology refresh cycle, compare:
   network cabling infrastructure - 15-20 years
   network switch/router infrastructure - 6-8 years
   wireless infrastructure - 3-4 years
Providing Wired and Wireless
Network Services
 Wireless-only vendors claim wireless is ready to be
the primary network service.
 Reality Check:
 Mobile (wireless) networking is designed for mobile
computing.
 Fixed (wired) networking is designed for fixed computing.
 We have both fixed and mobile computing, and
thus need both fixed and mobile networking, and
will likely need to continue to expand and improve
both.
Wired/Wireless comparison
 Wired and wireless networking serve different needs, but let's
compare them anyway.

                  Wired    Wireless
   Mobility                   ●
   Convenience                ●
   Speed           ●
   Reliability     ●
   Security        ●

   (● marks the service with the advantage; column placement follows the
   two preceding slides, which list mobility and convenience for wireless and
   speed, reliability and security for wired.)

 The wireless vendors will work on speed, reliability, security
 Mobility on the wired network limited to wall jacks and length
of patch cable.
 Can we do anything about convenience on wired networking?
Is Convenience Important?
 Improved service
 Self service can reduce IT staff workload
 People may choose a convenient service over the
right service.
   We need to make the right services convenient
 Wireless – limitations (speed, reliability) are
largely governed by laws of physics.
 Wired – limitations (convenience) are largely
governed by our processes
Self Serve Wired Network Service
 First make sure the wall jacks are live
 [images: UW (unnamed dept), Trent]
1-to-1 patch cabling
 All jacks live.
 Implemented in Science 2006-2007
 Standard in all new buildings.
 Upgrades in Academic Support buildings in
progress.
Cable Documentation
 See ona screenshots
DHCP and Authentication
 Making all jacks live is only part of the picture.
 Computers still need IP addresses
   Manually assign in Maintain
     Computer can be hardcoded or use DHCP
   Dynamic ranges in Maintain
     Can require MAC addresses be registered or not
 Network connectivity
   Unauthenticated
   Authenticated
Dynamic Ranges in Maintain
 Hostmaster sets these up on request
 Can be set to allow any, registered, or unregistered hosts
Authenticate or not?
 Unauthenticated access
   Used in resnet (subject to MAC lockdown)
   Short dynamic ranges on many campus subnets, for
   registered hosts
   Pharmacy
 Authentication options
   Captive portal
   802.1x
Wired Captive Portal
• Same as wireless (Aruba)
• Offered in 12 areas on campus
• Most heavily used in Engineering
802.1x wired authentication
 Not currently offered, experimental
802.1x Switch configuration
 Enabling 802.1x on port 26 (HP ProCurve CLI syntax)
 Set up the RADIUS server first; the switch sends EAP to it and the
   server address/shared secret are masked below.
 Switch config fragment:
   aaa authentication port-access login eap-radius
   radius-server host 129.97.x.y key xxxxxxxx
   primary-vlan 108
   aaa port-access authenticator 26
   aaa port-access authenticator active
   aaa port-access 26
802.1x Client Configuration
 See How to configure 802.1x authentication with a
Windows XP or Vista supplicant
 (maybe it is easier with Windows 7)
 With a configurator tool, this might work well
 Need to test other devices (e.g. VoIP phones)
Unauthenticated Network Access: Resnet
 Thousands of people move into residence over a weekend.
 Network security mechanisms and processes used in resnet
   (HP ProCurve CLI fragments; NN is a port number, nnn a VLAN):
   MAC lockdown
     port-security NN learn-mode static
   DHCP snooping (NN here is the port trusted to carry DHCP server replies)
     dhcp-snooping
     dhcp-snooping authorized-server 129.97.x.y
     dhcp-snooping database file "tftp://xxxxx"
     dhcp-snooping option 82 untrusted-policy keep
     dhcp-snooping vlan nnn
     interface NN
       dhcp-snooping trust
     exit
   ARP protection
     arp-protect
     arp-protect trust NN
     arp-protect validate src-mac dest-mac ip
     arp-protect vlan nnn
   Documented network cabling
   Traffic management
   “Client only” ACLs
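As an added illustration (not code from the presentation, and not how the switch implements these features), the following Python model applies the three resnet protections above, MAC lockdown, DHCP snooping and ARP protection, to a constructed frame trace so the drop decisions can be followed step by step. Port numbers, MAC and IP addresses, the trusted uplink port 24 and the DHCP server 192.0.2.1 are all invented for the example.

```python
from dataclasses import dataclass, field

TRUSTED_PORTS = {24}                     # invented uplink on which the real DHCP server's replies arrive
AUTHORIZED_DHCP_SERVERS = {"192.0.2.1"}  # invented; the slide masks the real server as 129.97.x.y


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=lambda: set(TRUSTED_PORTS))
    authorized: set = field(default_factory=lambda: set(AUTHORIZED_DHCP_SERVERS))
    locked: dict = field(default_factory=dict)    # port -> the one MAC allowed (learn-mode static)
    pending: dict = field(default_factory=dict)   # client MAC -> port its DHCP request came in on
    bindings: dict = field(default_factory=dict)  # (client MAC, leased IP) -> client port
    log: list = field(default_factory=list)       # (verdict, reason, port, src MAC)

    def lock(self, port, mac):
        """port-security NN learn-mode static: pin a single known MAC to the port."""
        self.locked[port] = mac

    def _verdict(self, ok, reason, f):
        self.log.append(("forward" if ok else "drop", reason, f["port"], f["src_mac"]))
        return ok

    def ingress(self, f):
        """Apply the three checks to one ingress frame; True = forward, False = drop."""
        port, kind = f["port"], f["type"]
        # MAC lockdown: a locked port accepts frames from its registered MAC only.
        if port in self.locked and self.locked[port] != f["src_mac"]:
            return self._verdict(False, "port-security: unknown MAC on locked port", f)
        if kind == "dhcp_request":
            self.pending[f["src_mac"]] = port
            return self._verdict(True, "dhcp request seen", f)
        if kind == "dhcp_ack":
            # DHCP snooping: server replies are believed only from a trusted port
            # and an authorized server; anything else is a rogue server.
            if port not in self.trusted or f["src_ip"] not in self.authorized:
                return self._verdict(False, "dhcp-snooping: rogue DHCP server", f)
            client_port = self.pending.pop(f["client_mac"], None)
            if client_port is None:
                return self._verdict(False, "dhcp-snooping: ack without a request", f)
            self.bindings[(f["client_mac"], f["yiaddr"])] = client_port
            return self._verdict(True, "dhcp binding learned", f)
        if kind == "arp":
            if port in self.trusted:
                return self._verdict(True, "arp from trusted port", f)
            # ARP protection, the three checks of 'arp-protect validate src-mac dest-mac ip':
            if f["src_mac"] != f["sender_mac"]:
                return self._verdict(False, "arp-protect: src-mac mismatch", f)
            if f["op"] == "reply" and f["dst_mac"] != f["target_mac"]:
                return self._verdict(False, "arp-protect: dest-mac mismatch", f)
            if self.bindings.get((f["sender_mac"], f["sender_ip"])) != port:
                return self._verdict(False, "arp-protect: no DHCP binding for sender", f)
            return self._verdict(True, "arp validated against binding table", f)
        return self._verdict(True, "other traffic", f)


A, B, C, GW = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03", "00:00:5e:00:01:01"

# Constructed frame trace (all addresses invented).
TRACE = [
    {"type": "dhcp_request", "port": 5, "src_mac": A},
    {"type": "dhcp_ack", "port": 24, "src_mac": GW, "src_ip": "192.0.2.1",
     "client_mac": A, "yiaddr": "192.0.2.50"},                           # real server, forwarded
    {"type": "dhcp_ack", "port": 7, "src_mac": B, "src_ip": "192.0.2.99",
     "client_mac": A, "yiaddr": "192.0.2.200"},                          # rogue server on a client port
    {"type": "arp", "op": "reply", "port": 5, "src_mac": A, "dst_mac": GW,
     "sender_mac": A, "sender_ip": "192.0.2.50", "target_mac": GW},      # matches the binding
    {"type": "arp", "op": "reply", "port": 7, "src_mac": B, "dst_mac": GW,
     "sender_mac": B, "sender_ip": "192.0.2.50", "target_mac": GW},      # B claims A's leased address
    {"type": "arp", "op": "request", "port": 5, "src_mac": A, "dst_mac": "ff:ff:ff:ff:ff:ff",
     "sender_mac": C, "sender_ip": "192.0.2.50", "target_mac": "00:00:00:00:00:00"},  # Ethernet/ARP source disagree
    {"type": "data", "port": 9, "src_mac": "ee:ee:ee:00:00:09"},         # wrong MAC on a locked port
]


def run_trace(trace=TRACE):
    sw = SnoopingSwitch()
    sw.lock(9, "dd:dd:dd:00:00:09")   # the one MAC registered for port 9
    verdicts = [sw.ingress(f) for f in trace]
    return sw, verdicts


if __name__ == "__main__":
    switch, _ = run_trace()
    for entry in switch.log:
        print(*entry)
```

The order of the checks mirrors the switch: a locked port rejects a foreign MAC before any protocol inspection, DHCP server replies are believed only on a trusted port, and an ARP packet on an untrusted port must agree with the binding table that the snooping step built. The trace drops a rogue DHCP server on port 7, a host on port 7 claiming another host's leased address, and an ARP request whose Ethernet and ARP sender addresses disagree.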
Unauthenticated Network Access: School of Pharmacy
 Desire for guests and occasional users to have
immediate, self serve, wired, network access
 Small range of dynamic addresses on same subnet
as static addresses
 Available in private offices only
 No authentication needed

   IP address                 #      Purpose
   129.97.135.129             1      Default gateway
   129.97.135.130 to 239      110    Static addresses
   129.97.135.240 to 254      15     Dynamic addresses
How to trace/block misuse of a dynamic, unauthenticated, IP address?
 Given IP/date/time of incident…
   Determine MAC from ona ARP logs
   Determine switch port from ona MAC logs
   Determine room from cable documentation
   Determine person (who has keys to room)
 Or, disable the switch port
 Or blackhole the MAC (tools not provided yet)
 Chill. Recognize that with static IPs, DNS records
are often out of date, and people can hard code
the wrong IP anyway.
MAC address documentation by reverse engineering
 It is the MAC address, not the IP, that is tied to a given
piece of equipment.
 Can we figure out users associated with MAC addresses?
 When a user checks e-mail (or uses bookit, nexus,
myhrinfo, etc)…
   From host logs, we can get a date/time/IP/userid
   From ona ARP logs, we can determine MAC
   Thus we can build a database table of userid/MAC
 Next time there is an incident, and date/time/IP is
reported…
   We determine MAC from ona ARP logs
   We determine userid from table of userid/MAC
 Even if our cabling looks like
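The two look-ups described on the last two slides, tracing an IP/date/time to a MAC, switch port, room and key holder, and building the userid/MAC table by joining host authentication logs with the ARP logs, as an added Python example that is not code from the presentation or from ona. The log layouts, addresses, switch names, rooms, userids and the one-hour staleness limit are constructed for the example; ona's real log format is not shown on the page.

```python
from datetime import datetime, timedelta

# Constructed ona-style ARP poll log: poll time, IP, MAC.  The dynamic address
# 129.97.135.241 changes hands at 15:30, when a second machine takes the lease.
ARP_LOG = """\
2009-11-03 13:50:00 129.97.135.241 00:1b:63:aa:bb:01
2009-11-03 14:00:00 129.97.135.241 00:1b:63:aa:bb:01
2009-11-03 14:00:00 129.97.135.130 00:0c:29:11:22:33
2009-11-03 15:30:00 129.97.135.241 00:26:b9:cc:dd:02
"""

# Constructed ona-style MAC (switch forwarding table) poll log: poll time, MAC, switch, port.
MAC_LOG = """\
2009-11-03 14:00:00 00:1b:63:aa:bb:01 phr-sw1 12
2009-11-03 14:00:00 00:0c:29:11:22:33 phr-sw1 3
2009-11-03 15:30:00 00:26:b9:cc:dd:02 phr-sw2 7
"""

# Constructed cable documentation (switch, port -> room) and key-holder list.
CABLE_DOC = {("phr-sw1", 12): "PHR 3021", ("phr-sw1", 3): "PHR 3010", ("phr-sw2", 7): "PHR 4115"}
KEY_HOLDERS = {"PHR 3021": "A. Lee", "PHR 3010": "B. Singh", "PHR 4115": "C. Ortiz"}

# Constructed host authentication log: time, service, userid, client IP.
AUTH_LOG = """\
2009-11-03 13:55:02 mailservices alee 129.97.135.241
2009-11-03 14:01:40 nexus bsingh 129.97.135.130
2009-11-03 15:45:10 mailservices cortiz 129.97.135.241
"""

# Assumption: a poll record older than this says nothing about who held the
# address at the time of interest, because dynamic leases move between machines.
MAX_AGE = timedelta(hours=1)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _parse(text):
    """'YYYY-MM-DD HH:MM:SS f1 f2 ...' lines -> (datetime, f1, f2, ...) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        rows.append((_ts(parts[0] + " " + parts[1]), *parts[2:]))
    return rows


def lookup_at(rows, key, when):
    """Most recent record whose first field equals `key`, at or before `when`, within MAX_AGE."""
    best = None
    for row in rows:
        if row[1] == key and row[0] <= when and when - row[0] <= MAX_AGE:
            if best is None or row[0] > best[0]:
                best = row
    return best


def trace_incident(ip, when, arp_log=ARP_LOG, mac_log=MAC_LOG):
    """IP + 'YYYY-MM-DD HH:MM:SS' -> MAC -> switch port -> room -> key holder.
    Fields stay None from the point where the chain breaks."""
    result = {"ip": ip, "mac": None, "switch": None, "port": None, "room": None, "person": None}
    arp = lookup_at(_parse(arp_log), ip, _ts(when))          # ona ARP logs
    if arp is None:
        return result
    result["mac"] = arp[2]
    fwd = lookup_at(_parse(mac_log), arp[2], _ts(when))      # ona MAC logs
    if fwd is None:
        return result
    result["switch"], result["port"] = fwd[2], int(fwd[3])
    result["room"] = CABLE_DOC.get((result["switch"], result["port"]))   # cable documentation
    result["person"] = KEY_HOLDERS.get(result["room"])                   # who has keys to the room
    return result


def build_userid_mac_table(auth_log=AUTH_LOG, arp_log=ARP_LOG):
    """Join auth log (time/IP/userid) with ARP log (time/IP/MAC) -> {MAC: {userids}}."""
    arp_rows = _parse(arp_log)
    table = {}
    for when, _service, userid, ip in _parse(auth_log):
        arp = lookup_at(arp_rows, ip, when)
        if arp is not None:
            table.setdefault(arp[2], set()).add(userid)
    return table


def resolve_userid(ip, when):
    """Incident IP/time -> MAC via the ARP logs -> userids via the userid/MAC table."""
    mac = trace_incident(ip, when)["mac"]
    return sorted(build_userid_mac_table().get(mac, set()))


if __name__ == "__main__":
    print(trace_incident("129.97.135.241", "2009-11-03 14:10:00"))
    print(trace_incident("129.97.135.241", "2009-11-03 16:00:00"))
    print(resolve_userid("129.97.135.241", "2009-11-03 14:10:00"))
```

The time matters: in the constructed ARP log the dynamic address 129.97.135.241 moves to a second machine at 15:30, so the same IP traces to a different MAC, room and userid at 14:10 than at 16:00. Records older than MAX_AGE are ignored rather than reused, so an address whose lease has moved is reported as unknown instead of being pinned on the previous holder.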
Authentication Logging Pilot
 Enabled on mywaterloo, mailservices, and nexus in October
 Matched userid/MAC for users shown in table
 Inspired by GULP: A Unified Logging Architecture for
Authentication Data (LISA ‘05)

   Orgunit        Users    Percentage of Active IPs
   Admin            619    34
   Science         1033    58
   Math             255    20
   CS               390    29
   Engineering     1936    57
   Arts             646    56
   Env              247    55
   Library          143    23
   AHS              204    48
   IST              250    43
   Resnet          3270    59
   Total           8993    49
Another Feature of the Pharmacy Model
 Ever run out of IPs on a subnet, and needed to clean it up?
 ona ping results show last active dates, but what is
considered inactive? Not seen in 6 months, a year?
 If you have a range of dynamic addresses on your
subnets, which allow any host, you can aggressively
delete inactive static hosts.
 If a user of a deleted host comes back, they will get a
dynamic address… and can use it to complain.
Recommendations
 To provide convenient wired service to users, and
to reduce IT staff workload:
   Subnets serving hosts in private areas should have
   dynamic ranges added, which allow any hosts.
 To maintain security and accountability:
   Authentication logging pilot should be expanded to other
   major systems (e.g. Exchange, quest, bookit)
   Ports serving public areas need to be adequately
   protected from misuse (e.g. MAC lockdown,
   authentication)