Page 1

Innovations In Wired Network Service

Bruce Campbell

Page 2

First, a bit about wireless

Aruba system

• Main Campus: 3 controllers (adding 4th in 2010-2011), 850 APs (b/g), 25 /24 public subnets
• Housing residences: 3 controllers, 535 APs (a/b/g), 14 /24 public subnets

Watitis 2009 - Innovations in Wired Network Service - Bruce Campbell

Page 3

Wireless Usage Increasing

• handheld devices need to move to NAT (private addresses)
• adding traffic management (peer to peer etc)
• average 6,000 square feet per AP on main campus
• need to double or triple density in high load areas, e.g. DC, LIB, SLC
• adding 50-100 APs before April 30, 2010
• adding 100-200 APs 2010-2011

Page 4

‘n’

• new 802.11n AP available, $510, a/b/g/n (2x2)
• More channels, higher bandwidth
• Will be deployed in new buildings
• may install 'n' in existing high load areas, and recycle b/g APs

Page 5

What makes wireless so special ?

• available everywhere
• users don't need to request service in advance
• mobile
• meets many users' basic requirements
• allows users to use network services on their terms

Page 6

What makes wireless less special ?

• slower
• less secure ?
• less reliable ?
• requires authentication, or some other means to restrict usage to authorized users
• generally focused on laptops, netbooks, handhelds, with dynamic IPs
• technology refresh cycle, compare:
    network cabling infrastructure - 15-20 years
    network switch/router infrastructure - 6-8 years
    wireless infrastructure - 3-4 years

Page 7

Providing Wired and Wireless Network Services

Wireless only vendors claim wireless is ready to be the primary network service.

Reality Check: Mobile (wireless) networking is designed for mobile computing. Fixed (wired) networking is designed for fixed computing.

We have both fixed and mobile computing, and thus need both fixed and mobile networking, and will likely need to continue to expand and improve both.

Page 8

Wired/Wireless comparison

Wired and wireless networking serve different needs, but let's compare them anyway.

• The wireless vendors will work on speed, reliability, security
• Mobility on the wired network limited to wall jacks and length of patch cable.
• Can we do anything about convenience on wired networking ?

                 Wired    Wireless
    Mobility              ●
    Convenience           ●
    Speed        ●
    Reliability  ●
    Security     ●

Page 9

Is Convenience Important ?

• Improved service
• Self service can reduce IT staff work load
• People may choose a convenient service over the right service. We need to make the right services convenient
• Wireless – limitations (speed, reliability) are largely governed by laws of physics.
• Wired – limitations (convenience) are largely governed by our processes

Page 10

Self Serve Wired Network Service

First make sure the wall jacks are live

UW (unnamed dept)    Trent

Page 11

1-to-1 patch cabling

• All jacks live.
• Implemented in Science 2006-2007
• Standard in all new buildings.
• Upgrades in Academic Support buildings in progress.

Page 12

Cable Documentation

See ona screenshots

Page 13

DHCP and Authentication

Making all jacks live is only part of the picture. Computers still need IP addresses

• Manually assign in Maintain: can be hardcoded or use DHCP
• Dynamic ranges in Maintain: can require MAC addresses be registered or not

Network connectivity: Unauthenticated / Authenticated

Page 14

Dynamic Ranges in Maintain

• Hostmaster sets these up on request
• Can be set to allow any, Registered, or unregistered

Page 15

Authenticate or not ?

Unauthenticated access
• Used in resnet (subject to MAC lockdown)
• Short dynamic ranges on many campus subnets, for registered hosts
• Pharmacy

Authentication options
• Captive portal
• 802.1x

Page 16

Wired Captive Portal

• Same as wireless (Aruba)

• Offered in 12 areas on campus

• Most heavily used in Engineering


Page 17

802.1x wired authentication

Not currently offered, experimental

Page 18

802.1x Switch configuration

Enabling 802.1x on port 26. Setup radius server. Switch config fragment:

    aaa authentication port-access login eap-radius
    radius-server host 129.97.x.y key xxxxxxxx
    primary-vlan 108
    aaa port-access authenticator 26
    aaa port-access authenticator active
    aaa port-access 26

Page 19

802.1x Client Configuration

See "How to configure 802.1x authentication with a Windows XP or Vista supplicant"

• (maybe it is easier with Windows 7)
• With a configurator tool, this might work well
• Need to test other devices (e.g. VoIP phones)

Page 20

Unauthenticated Network Access: Resnet

Thousands of people move into residence over a weekend. Network security mechanisms and processes used in resnet:

MAC lockdown

    port-security NN learn-mode static

DHCP snooping

    dhcp-snooping
    dhcp-snooping authorized-server 129.97.x.y
    dhcp-snooping database file "tftp://xxxxx"
    dhcp-snooping option 82 untrusted-policy keep
    dhcp-snooping vlan nnn
    interface NN
       dhcp-snooping trust
       exit

ARP protection

    arp-protect
    arp-protect trust NN
    arp-protect validate src-mac dest-mac ip
    arp-protect vlan nnn

Documented network cabling
Traffic management
“Client only” ACLs
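The switch fragments on pages 18 and 20 are the kind of thing that drifts between stacks, so an added example of a small audit that checks a fragment for the protections those pages name: MAC lockdown on access ports, DHCP snooping with an authorized server and trust only on uplinks, ARP protection that actually validates, and an 802.1x authenticator that has been activated and not merely configured. This is example code written for this page, not the presenter's tooling; the sample fragment, the port roles and the command spellings it matches are assumptions modelled on the slide text.

```python
import re

# Constructed sample fragment in the ProCurve-style syntax shown on the slides.
# Deliberately incomplete: port 3 has no MAC lockdown, ARP protection does not
# validate packet contents, and the 802.1X authenticator was never activated.
SAMPLE_CONFIG = """\
port-security 1 learn-mode static
port-security 2 learn-mode static
dhcp-snooping
dhcp-snooping authorized-server 129.97.0.10
dhcp-snooping vlan 108
interface 24
   dhcp-snooping trust
   exit
arp-protect
arp-protect trust 24
arp-protect vlan 108
aaa authentication port-access eap-radius
aaa port-access authenticator 26
"""

# The same fragment with the three gaps closed.
FIXED_CONFIG = SAMPLE_CONFIG + """\
port-security 3 learn-mode static
arp-protect validate src-mac dest-mac ip
aaa port-access authenticator active
"""

def parse_config(text):
    """Split a fragment into global commands and per-interface commands."""
    top, per_if, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            per_if.setdefault(current, [])
        elif line == "exit":
            current = None
        elif current is not None:
            per_if[current].append(line)
        else:
            top.append(line)
    return top, per_if

def audit(text, access_ports, uplink_ports):
    """Return a list of findings; an empty list means every check passed.
    access_ports/uplink_ports are the operator's view of the port roles."""
    top, per_if = parse_config(text)
    findings = []
    locked, arp_trust, dot1x_ports = set(), set(), []
    for line in top:
        m = re.match(r"port-security (\S+) learn-mode static$", line)
        if m:
            locked.add(m.group(1))
            continue
        m = re.match(r"arp-protect trust (\S+)$", line)
        if m:
            arp_trust.add(m.group(1))
            continue
        m = re.match(r"aaa port-access authenticator (\d+)$", line)
        if m:
            dot1x_ports.append(m.group(1))
    dhcp_trust = {p for p, cmds in per_if.items() if "dhcp-snooping trust" in cmds}

    # MAC lockdown: every access port should be pinned to its learned MAC(s).
    for port in access_ports:
        if port not in locked:
            findings.append(f"port {port}: no MAC lockdown (port-security learn-mode static)")
    # DHCP snooping: enabled, with an authorized server, trusted only on uplinks.
    if "dhcp-snooping" not in top:
        findings.append("dhcp-snooping not enabled globally")
    if not any(l.startswith("dhcp-snooping authorized-server ") for l in top):
        findings.append("no dhcp-snooping authorized-server: rogue DHCP servers are not filtered")
    # ARP protection: enabled and validating, trusted only on uplinks.
    if "arp-protect" not in top:
        findings.append("arp-protect not enabled globally")
    if not any(l.startswith("arp-protect validate ") for l in top):
        findings.append("arp-protect validate not set: ARP header/payload consistency is not checked")
    for name, trusted in (("dhcp-snooping", dhcp_trust), ("arp-protect", arp_trust)):
        for port in sorted(set(uplink_ports) - trusted):
            findings.append(f"uplink {port} is not trusted for {name}")
        for port in sorted(trusted - set(uplink_ports)):
            findings.append(f"port {port} trusted for {name} but is not an uplink")
    # 802.1X: configuring an authenticator on a port does nothing until activated.
    if dot1x_ports and "aaa port-access authenticator active" not in top:
        findings.append("802.1X authenticator set on port(s) " + ", ".join(dot1x_ports)
                        + " but 'aaa port-access authenticator active' is missing")
    return findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg, access_ports=["1", "2", "3"], uplink_ports=["24"]) or "OK")
```

Run against the constructed sample it reports three findings; against the fixed fragment it reports none. The trust checks go both ways on purpose: an untrusted uplink breaks DHCP for the whole edge, while a trusted access port lets one room run its own DHCP server or poison ARP for its neighbours.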


Page 21

Unauthenticated Network Access: School of Pharmacy

• Desire for guests and occasional users to have immediate, self serve, wired, network access
• Small range of dynamic addresses on same subnet as static addresses
• Available in private offices only
• No authentication needed

    IP address                 #     Purpose
    129.97.135.129             1     Default gateway
    129.97.135.130 to 239      110   Static addresses
    129.97.135.240 to 254      15    Dynamic addresses

Page 22

How to trace/block misuse of a dynamic, unauthenticated, IP address?

Given IP/date/time of incident…
• Determine MAC from ona ARP logs
• Determine switch port from ona MAC logs
• Determine room from cable documentation
• Determine person (who has keys to room)

Or, disable the switch port
Or blackhole the MAC (tools not provided yet)

Chill. Recognize that with static IPs, DNS records are often out of date, and people can hard code the wrong IP anyway.

Page 23

MAC address documentation by reverse engineering

It is the MAC address, not the IP, that is tied to a given piece of equipment.

Can we figure out users associated with MAC addresses ?
• When a user checks e-mail (or uses bookit, nexus, myhrinfo, etc)…
• From host logs, we can get a date/time/IP/userid
• From ona ARP logs, we can determine MAC
• Thus we can build a database table of userid/MAC

Next time there is an incident, and date/time/IP is reported…
• We determine MAC from ona ARP logs
• We determine userid from table of userid/MAC

Even if our cabling looks like
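Pages 22 and 23 describe one correlation, run in two directions: login logs plus ARP logs build a userid/MAC table, and an incident report (IP, date/time) is resolved to MAC, switch port and userid. Here is an added example of that correlation over constructed log lines; it is not the presenter's code, and the log formats, the hostnames and the one-day lookback window are assumptions (the real ona logs will look different). The point it shows that the slides only imply: a dynamic IP changes hands, so every lookup must take the record that was in force at the incident time, not the latest record for that IP.

```python
from datetime import datetime, timedelta

# Constructed ARP log: when the router saw IP <-> MAC.  Note that 10.0.5.42 is
# re-leased to a different MAC at 13:00, so "latest for this IP" is not enough.
ARP_LOG = """\
2009-11-02 08:00:00 10.0.5.42 00:11:22:33:44:55
2009-11-02 09:30:00 10.0.5.43 00:aa:bb:cc:dd:ee
2009-11-02 13:00:00 10.0.5.42 00:de:ad:be:ef:01
"""
# Constructed switch MAC-table log: when each MAC was learned on which port.
MAC_LOG = """\
2009-11-02 07:58:00 00:11:22:33:44:55 sw-e2-1 12
2009-11-02 09:29:00 00:aa:bb:cc:dd:ee sw-e2-1 7
2009-11-02 12:59:00 00:de:ad:be:ef:01 sw-e2-1 19
"""
# Constructed host authentication log (e.g. a webmail login): time, IP, userid.
AUTH_LOG = """\
2009-11-02 08:05:00 10.0.5.42 jdoe
2009-11-02 09:35:00 10.0.5.43 asmith
2009-11-02 13:10:00 10.0.5.42 bwong
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse(log, nfields):
    """Parse 'date time f1 .. fN' lines into (timestamp, f1, .., fN) tuples."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2 + nfields:
            continue  # skip malformed lines rather than fail the whole trace
        ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        rows.append((ts,) + tuple(parts[2:]))
    return rows

def latest_before(rows, key, value, when, max_age=timedelta(days=1)):
    """Most recent row with rows[key] == value observed at or before 'when'.
    That is the binding in force at the incident; later rows are ignored."""
    best = None
    for row in rows:
        if row[key] == value and row[0] <= when and when - row[0] <= max_age:
            if best is None or row[0] > best[0]:
                best = row
    return best

def ip_to_mac(arplog, ip, when):
    row = latest_before(parse(arplog, 2), 1, ip, when)
    return row[2] if row else None

def mac_to_port(maclog, mac, when):
    row = latest_before(parse(maclog, 3), 1, mac, when)
    return (row[2], row[3]) if row else None

def build_userid_mac_table(authlog, arplog):
    """Page 23: for each login (time, IP, userid) find the MAC that held the IP
    at that moment, giving a {mac: userid} table."""
    table = {}
    for ts, ip, userid in parse(authlog, 2):
        mac = ip_to_mac(arplog, ip, ts)
        if mac:
            table[mac] = userid
    return table

def trace_incident(ip, when_str, arplog=ARP_LOG, maclog=MAC_LOG, authlog=AUTH_LOG):
    """Page 22/23: incident IP + time -> MAC, switch port and (if known) userid."""
    when = datetime.strptime(when_str, FMT)
    mac = ip_to_mac(arplog, ip, when)
    if mac is None:
        return None
    return {"mac": mac,
            "switch_port": mac_to_port(maclog, mac, when),
            "userid": build_userid_mac_table(authlog, arplog).get(mac)}

if __name__ == "__main__":
    print(trace_incident("10.0.5.42", "2009-11-02 10:00:00"))
    print(trace_incident("10.0.5.42", "2009-11-02 14:00:00"))
```

The two sample incidents report the same IP but resolve to different MACs, ports and users, which is exactly the case the "MAC, not IP, is tied to the equipment" remark on page 23 is about. The userid/MAC table is rebuilt from the logs here; in practice it would be stored and extended as logins arrive.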

Page 24

Authentication Logging Pilot

    Orgunit       Users   Percentage of Active IPs
    Admin           619   34
    Science        1033   58
    Math            255   20
    CS              390   29
    Engineering    1936   57
    Arts            646   56
    Env             247   55
    Library         143   23
    AHS             204   48
    IST             250   43
    Resnet         3270   59
    Total          8993   49

• Enabled on mywaterloo, mailservices, and nexus in October
• Matched userid/MAC for users shown in table
• Inspired by GULP: A Unified Logging Architecture for Authentication Data (LISA ‘05)

Page 25

Another Feature of the Pharmacy Model

Ever run out of IPs on a subnet, and needed to clean it up ?

Ona ping results show last active dates, but what is considered inactive ? Not seen in 6 months, a year ?

If you have a range of dynamic addresses on your subnets, which allow any host, you can aggressively delete inactive static hosts.

If a user of a deleted host comes back, they will get a dynamic address… and can use it to complain.
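An added example of the cleanup rule on this page, tied to the Pharmacy layout on page 21: select static hosts not seen for longer than a chosen idle period, but only on subnets that carry a dynamic range allowing any host, so that a returning user still gets an address. This is illustration code for this page, not the presenter's tooling; the second subnet, the last-seen records and the idle threshold are constructed.

```python
from datetime import date, timedelta
import ipaddress

# Subnet layout modelled on the Pharmacy table (page 21); the second subnet is a
# constructed counter-example with no "allow any host" dynamic range.
SUBNETS = {
    "129.97.135.128/25": {"static": ("129.97.135.130", "129.97.135.239"),
                          "dynamic": ("129.97.135.240", "129.97.135.254"),
                          "dynamic_allows_any": True},
    "129.97.140.0/24":   {"static": ("129.97.140.2", "129.97.140.254"),
                          "dynamic": None,
                          "dynamic_allows_any": False},
}

# Constructed "last answered a ping" records, as ona would report them.
LAST_SEEN = {
    "129.97.135.130": date(2009, 11, 1),
    "129.97.135.131": date(2009, 3, 15),
    "129.97.135.132": None,            # never seen answering
    "129.97.140.2":   date(2008, 1, 1),
}

def in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi

def subnet_for(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cfg in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return cfg
    return None

def reclaim_candidates(last_seen, today, max_idle_days=180):
    """Static IPs idle longer than max_idle_days, restricted to subnets whose
    dynamic range allows any host: elsewhere deleting a record cuts the user off
    with no self-serve fallback, so those subnets are left for manual review."""
    cutoff = today - timedelta(days=max_idle_days)
    candidates = []
    for ip, seen in sorted(last_seen.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        cfg = subnet_for(ip)
        if cfg is None or not cfg["dynamic_allows_any"]:
            continue
        if not in_range(ip, cfg["static"]):
            continue               # gateway or dynamic pool: never a cleanup target
        if seen is None or seen < cutoff:
            candidates.append(ip)
    return candidates

if __name__ == "__main__":
    print(reclaim_candidates(LAST_SEEN, date(2009, 11, 30)))            # 6-month rule
    print(reclaim_candidates(LAST_SEEN, date(2009, 11, 30), 365))       # 1-year rule
```

The two calls answer the "6 months or a year?" question on the page for the same data: the stricter threshold reclaims two addresses, the looser one only the host that never answered. 129.97.140.2 is older than either but is never proposed, because its subnet offers no fallback.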


Page 26

Recommendations

To provide convenient wired service to users, and to reduce IT staff workload:
• Subnets serving hosts in private areas should have dynamic ranges added, which allow any hosts.

To maintain security and accountability:
• Authentication logging pilot should be expanded to other major systems (e.g. Exchange, quest, bookit)
• Ports serving public areas need to be adequately protected from misuse (e.g. MAC lockdown, authentication)