Date post: 22-Mar-2016

Innovations In Wired Network Service

Bruce Campbell

First, a bit about wireless

Aruba system

Main Campus
• 3 controllers (adding 4th in 2010-2011)
• 850 APs (b/g)
• 25 /24 public subnets

Housing residences
• 3 controllers
• 535 APs (a/b/g)
• 14 /24 public subnets

Watitis 2009 - Innovations in Wired Network Service - Bruce Campbell

Wireless Usage Increasing

• handheld devices need to move to NAT (private addresses)
• adding traffic management (peer to peer etc)
• average 6,000 square feet per AP on main campus
• need to double or triple density in high load areas, e.g. DC, LIB, SLC
• adding 50-100 APs before April 30, 2010
• adding 100-200 APs 2010-2011


‘n’

• new 802.11n AP available, $510, a/b/g/n (2x2)
• More channels, higher bandwidth
• Will be deployed in new buildings
• may install 'n' in existing high load areas, and recycle b/g APs


What makes wireless so special ?

• available everywhere
• users don't need to request service in advance
• mobile
• meets many users' basic requirements
• allows users to use network services on their terms


What makes wireless less special ?

• slower
• less secure ?
• less reliable ?
• requires authentication, or some other means to restrict usage to authorized users.
• generally focused on laptops, netbooks, handhelds, with dynamic IPs
• technology refresh cycle, compare:
  network cabling infrastructure - 15-20 years
  network switch/router infrastructure - 6-8 years
  wireless infrastructure - 3-4 years


Providing Wired and Wireless Network Services

Wireless only vendors claim wireless is ready to be the primary network service.

Reality Check: Mobile (wireless) networking is designed for mobile computing. Fixed (wired) networking is designed for fixed computing.

We have both fixed and mobile computing, and thus need both fixed and mobile networking, and will likely need to continue to expand and improve both.


Wired/Wireless comparison

Wired and wireless networking serve different needs, but let's compare them anyway.

• The wireless vendors will work on speed, reliability, security
• Mobility on the wired network is limited to wall jacks and the length of the patch cable.
• Can we do anything about convenience on wired networking ?

              Wired   Wireless
Mobility              ●
Convenience           ●
Speed         ●
Reliability   ●
Security      ●


Is Convenience Important ?

• Improved service
• Self service can reduce IT staff workload
• People may choose a convenient service over the right service. We need to make the right services convenient.
• Wireless – limitations (speed, reliability) are largely governed by laws of physics.
• Wired – limitations (convenience) are largely governed by our processes.


Self Serve Wired Network Service

First make sure the wall jacks are live

UW (unnamed dept) Trent

1-to-1 patch cabling

• All jacks live.
• Implemented in Science 2006-2007
• Standard in all new buildings.
• Upgrades in Academic Support buildings in progress.


Cable Documentation

See ona screenshots


DHCP and Authentication

Making all jacks live is only part of the picture. Computers still need IP addresses.

• Manually assign in Maintain: can be hardcoded or use DHCP
• Dynamic ranges in Maintain: can require MAC addresses be registered or not
• Network connectivity: unauthenticated or authenticated


Dynamic Ranges in Maintain

Hostmaster sets these up on request

Can be set to allow any, Registered, or unregistered


Authenticate or not ?

Unauthenticated access
• Used in resnet (subject to MAC lockdown)
• Short dynamic ranges on many campus subnets, for registered hosts
• Pharmacy

Authentication options
• Captive portal
• 802.1x


Wired Captive Portal

• Same as wireless (Aruba)

• Offered in 12 areas on campus

• Most heavily used in Engineering


802.1x wired authentication

Not currently offered, experimental


802.1x Switch configuration

Enabling 802.1x on port 26. Set up the RADIUS server. Switch config fragment:

aaa authentication port-access login eap-radius
radius-server host 129.97.x.y key xxxxxxxx
primary-vlan 108
aaa port-access authenticator 26
aaa port-access authenticator active
aaa port-access 26


802.1x Client Configuration

See "How to configure 802.1x authentication with a Windows XP or Vista supplicant" (maybe it is easier with Windows 7)

• With a configurator tool, this might work well
• Need to test other devices (e.g. VoIP phones)


Unauthenticated Network Access: Resnet

Thousands of people move into residence over a weekend. Network security mechanisms and processes used in resnet:

MAC lockdown
port-security NN learn-mode static

DHCP snooping
dhcp-snooping
dhcp-snooping authorized-server 129.97.x.y
dhcp-snooping database file "tftp://xxxxx"
dhcp-snooping option 82 untrusted-policy keep
dhcp-snooping vlan nnn
interface NN
   dhcp-snooping trust
   exit

ARP protection
arp-protect
arp-protect trust NN
arp-protect validate src-mac dest-mac ip
arp-protect vlan nnn

• Documented network cabling
• Traffic management
• “Client only” ACLs
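As an added example (this is not code from the presentation), a small Python checker that reads a ProCurve-style running-config and reports whether the resnet hardening listed above (MAC lockdown, DHCP snooping, ARP protection) and the 802.1x port-access setting from the earlier slide are all in place for a given VLAN, uplink and set of access ports. The config text is constructed; the command spellings are assumed to match the slide fragments as they appear in a running-config, the VLAN, port numbers and server address are placeholders, and port ranges such as "1-12" are not expanded.

```python
"""Audit a switch running-config for MAC lockdown, DHCP snooping, ARP
protection and 802.1x on access ports (added example, constructed config)."""
import re

# Constructed config: VLAN 100 is the user VLAN, port 24 the uplink, ports
# 1-4 are access ports. Port 3 is deliberately left without any protection.
SAMPLE_CONFIG = """\
dhcp-snooping
dhcp-snooping authorized-server 129.97.x.y
dhcp-snooping option 82 untrusted-policy keep
dhcp-snooping vlan 100
arp-protect
arp-protect trust 24
arp-protect validate src-mac dest-mac ip
arp-protect vlan 100
port-security 1 learn-mode static
port-security 2 learn-mode static
aaa port-access authenticator 4
aaa port-access authenticator active
interface 24
   dhcp-snooping trust
   exit
"""


def parse_config(text):
    """Return (set of global command lines, {port: set of interface-context lines})."""
    global_lines, iface_lines = set(), {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            iface_lines.setdefault(current, set())
        elif line == "exit":
            current = None
        elif current is not None:
            iface_lines[current].add(line)
        else:
            global_lines.add(line)
    return global_lines, iface_lines


def audit(config_text, vlan, uplink, access_ports):
    """Return a list of findings; an empty list means every check passed."""
    g, ifaces = parse_config(config_text)
    findings = []

    # DHCP snooping: on globally and on the VLAN, with an authorized server
    # (otherwise any server behind a trusted port is accepted), uplink trusted.
    if "dhcp-snooping" not in g:
        findings.append("dhcp-snooping not enabled")
    if f"dhcp-snooping vlan {vlan}" not in g:
        findings.append(f"dhcp-snooping not enabled on vlan {vlan}")
    if not any(line.startswith("dhcp-snooping authorized-server ") for line in g):
        findings.append("no dhcp-snooping authorized-server configured")
    if "dhcp-snooping trust" not in ifaces.get(uplink, set()):
        findings.append(f"uplink {uplink} is not dhcp-snooping trusted")

    # ARP protection: on globally and on the VLAN, validation enabled, uplink trusted.
    if "arp-protect" not in g:
        findings.append("arp-protect not enabled")
    if f"arp-protect vlan {vlan}" not in g:
        findings.append(f"arp-protect not enabled on vlan {vlan}")
    if not any(line.startswith("arp-protect validate ") for line in g):
        findings.append("arp-protect validate not configured")
    arp_trusted = set()
    for line in g:
        if line.startswith("arp-protect trust "):
            arp_trusted.update(line.split()[2:])
    if uplink not in arp_trusted:
        findings.append(f"uplink {uplink} is not arp-protect trusted")

    # Access ports: each needs MAC lockdown or an 802.1x authenticator, and
    # must not be trusted (a trusted access port bypasses both protections).
    locked = {line.split()[1] for line in g
              if re.match(r"port-security \S+ learn-mode static$", line)}
    dot1x = set()
    for line in g:
        m = re.match(r"aaa port-access authenticator (\S+)$", line)
        if m and m.group(1) != "active":
            dot1x.add(m.group(1))
    if dot1x and "aaa port-access authenticator active" not in g:
        findings.append("802.1x authenticator configured but not active")
    for p in access_ports:
        if p not in locked and p not in dot1x:
            findings.append(f"access port {p}: no MAC lockdown and no 802.1x")
        if p in arp_trusted or "dhcp-snooping trust" in ifaces.get(p, set()):
            findings.append(f"access port {p} is trusted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "100", "24", ["1", "2", "3", "4"]):
        print(finding)
```

Run against the constructed config the only finding is access port 3, which has neither port-security nor an authenticator; the same check over a config that drops the authorized-server line or adds an access port to the trusted list reports those too. The point of the access-port rule is the recommendation later in the deck: a public-area port is protected by MAC lockdown or authentication, and trusting it for snooping or ARP protection undoes either one.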


Unauthenticated Network Access: School of Pharmacy

Desire for guests and occasional users to have immediate, self serve, wired, network access

Small range of dynamic addresses on same subnet as static addresses

• Available in private offices only
• No authentication needed

IP address              #    Purpose
129.97.135.129          1    Default gateway
129.97.135.130 to 239   110  Static addresses
129.97.135.240 to 254   15   Dynamic addresses


How to trace/block misuse of a dynamic, unauthenticated IP address?

Given IP/date/time of incident…
• Determine MAC from ona ARP logs
• Determine switch port from ona MAC logs
• Determine room from cable documentation
• Determine person (who has keys to room)

Or, disable the switch port
Or blackhole the MAC (tools not provided yet)

Chill. Recognize that with static IPs, DNS records are often out of date, and people can hard code the wrong IP anyway.


MAC address documentation by reverse engineering

It is the MAC address, not the IP, that is tied to a given piece of equipment.

Can we figure out users associated with MAC addresses ?

When a user checks e-mail (or uses bookit, nexus, myhrinfo, etc)…
• From host logs, we can get a date/time/IP/userid
• From ona ARP logs, we can determine MAC
• Thus we can build a database table of userid/MAC

Next time there is an incident, and date/time/IP is reported…
• We determine MAC from ona ARP logs
• We determine userid from table of userid/MAC

Even if our cabling looks like
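The two lookups described on the last two slides (incident IP/time to MAC via the ARP logs and on to a switch port via the MAC logs; login IP/time to MAC to a userid/MAC table) as an added Python example, not code from the presentation. The three log formats, the field order, the switch name, MACs and userids are constructed for illustration (the real ona and host logs will differ). The detail worth seeing in code is the time ordering: a dynamic address changes hands, so each lookup takes the latest observation at or before the reported time, and the sample ARP log has one IP held by two different MACs on the same day to show that.

```python
"""Attribute a dynamic IP at a given time to a MAC, a switch port and a
userid by joining ARP logs, MAC-table logs and host authentication logs.
Added example with constructed logs; timestamps are "YYYY-MM-DD HH:MM"."""
from datetime import datetime

# Constructed ARP log: timestamp, IP, MAC observed holding that IP.
# Note .241 is held by two different MACs on the same day (DHCP reuse).
ARP_LOG = """\
2009-11-02 08:55 129.97.135.241 00:1a:2b:3c:4d:01
2009-11-02 09:10 129.97.135.242 00:1a:2b:3c:4d:02
2009-11-02 13:40 129.97.135.241 00:1a:2b:3c:4d:03
"""

# Constructed MAC log: timestamp, MAC, switch, port where it was learned.
MAC_LOG = """\
2009-11-02 08:50 00:1a:2b:3c:4d:01 sw-phr-1 12
2009-11-02 09:05 00:1a:2b:3c:4d:02 sw-phr-1 7
2009-11-02 13:35 00:1a:2b:3c:4d:03 sw-phr-1 3
"""

# Constructed host authentication log: timestamp, source IP, userid.
AUTH_LOG = """\
2009-11-02 09:01 129.97.135.241 alice
2009-11-02 09:15 129.97.135.242 bob
2009-11-02 13:50 129.97.135.241 carol
"""

TS_FMT = "%Y-%m-%d %H:%M"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def parse_log(text, fields):
    """Split whitespace-separated lines into dicts; the first two tokens
    form the timestamp, the rest map onto `fields` in order."""
    rows = []
    for line in text.strip().splitlines():
        tokens = line.split()
        row = dict(zip(fields, tokens[2:]))
        row["ts"] = parse_ts(tokens[0] + " " + tokens[1])
        rows.append(row)
    return rows


def latest_before(rows, when, **match):
    """Most recent row at or before `when` whose fields equal `match`.
    Taking the latest observation is what makes a reused dynamic IP
    resolve to the right MAC for the reported time."""
    hits = [r for r in rows
            if r["ts"] <= when and all(r[k] == v for k, v in match.items())]
    return max(hits, key=lambda r: r["ts"]) if hits else None


def mac_for_ip(arp_rows, ip, when):
    row = latest_before(arp_rows, when, ip=ip)
    return row["mac"] if row else None


def port_for_mac(mac_rows, mac, when):
    row = latest_before(mac_rows, when, mac=mac)
    return (row["switch"], row["port"]) if row else None


def build_userid_mac_table(auth_rows, arp_rows):
    """The authentication-logging join: for every login (time, IP, userid)
    look up which MAC held that IP at that moment. A later login from the
    same MAC overwrites an earlier one, so the table holds the latest user."""
    table = {}
    for r in auth_rows:
        mac = mac_for_ip(arp_rows, r["ip"], r["ts"])
        if mac is not None:
            table[mac] = r["userid"]
    return table


def trace_incident(ip, when, arp_rows, mac_rows, userid_by_mac):
    """Given the IP and time from an incident report, return the MAC,
    (switch, port) and userid; a step with no data yields None."""
    mac = mac_for_ip(arp_rows, ip, when)
    return {
        "mac": mac,
        "port": port_for_mac(mac_rows, mac, when) if mac else None,
        "userid": userid_by_mac.get(mac) if mac else None,
    }


if __name__ == "__main__":
    arp = parse_log(ARP_LOG, ["ip", "mac"])
    macs = parse_log(MAC_LOG, ["mac", "switch", "port"])
    auth = parse_log(AUTH_LOG, ["ip", "userid"])
    table = build_userid_mac_table(auth, arp)
    print(trace_incident("129.97.135.241", parse_ts("2009-11-02 14:00"), arp, macs, table))
```

With the constructed logs, an incident on 129.97.135.241 at 14:00 resolves to the second MAC, port 3 and carol, while the same IP at 09:30 resolves to the first MAC, port 12 and alice; a time before any ARP observation yields None at every step rather than a guess. Keying the table by MAC means a shared machine keeps only its latest user, so the ARP and login timestamps themselves are what belong in an incident write-up.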

Authentication Logging Pilot

Orgunit      Users   Percentage of Active IPs
Admin          619   34
Science       1033   58
Math           255   20
CS             390   29
Engineering   1936   57
Arts           646   56
Env            247   55
Library        143   23
AHS            204   48
IST            250   43
Resnet        3270   59
Total         8993   49

Enabled on mywaterloo, mailservices, and nexus in October

Matched userid/MAC for users shown in table

Inspired by GULP: A Unified Logging Architecture for Authentication Data (LISA ‘05)


Another Feature of the Pharmacy Model

Ever run out of IPs on a subnet, and needed to clean it up ?

Ona ping results show last active dates, but what is considered inactive ? Not seen in 6 months, a year ?

If you have a range of dynamic addresses on your subnets, which allow any host, you can aggressively delete inactive static hosts.

If a user of a deleted host comes back, they will get a dynamic address… and can use it to complain.


Recommendations

To provide convenient wired service to users, and to reduce IT staff workload:
• Subnets serving hosts in private areas should have dynamic ranges added, which allow any hosts.

To maintain security and accountability:
• Authentication logging pilot should be expanded to other major systems (e.g. Exchange, quest, bookit)
• Ports serving public areas need to be adequately protected from misuse (e.g. MAC lockdown, authentication)


