Engineering Computing report to CNAG September 2004

Note: This is the first Engineering Computing report to CNAG.

• Appletalk - Phased out in Engineering early 2002. IST Appletalk service is deprecated (since January 2004). ESAG members have been canvassed to see if there is anyone depending on IST support of pre version 10 MacOS.
• IST VPN/Firewall project. IST is considering deployment of a campus VPN, with restrictive default firewall settings for the campus, and is soliciting input. ESAG members have been canvassed, and our input is as follows:
  • A policy and (ideally semi-automated) procedure to add exceptions, to expand/reduce the initial set of allowed ports is required, for example to allow inbound access to a specific ip/mask[:port], typically 129.97.n.n/32 (host) or 129.97.n.0/24 (subnet) or 129.97.0.0/16 (site)
  • Grid computing initiatives and high speed networking initiatives can be hampered by the existance of non wire speed or restrictive firewalls and/or strict security policies. Optical bypass of firewalls may be required for some research initiatives, depending on the firewall technology and policies.
• "client only" subnets - implemented on Extreme core router August 2003. Approximately 10 Engineering subnets protected. Uses static access lists, not as flexible as a stateful firewall. Wire speed. As there is a limit to the number of access lists which can be applied, 10 exceptions per subnet can be realistically handled, to allow access to servers etc on protected subnets.
• Open Network Administrator (ona) - used by Arts, Computer Science, Engineering, Math and Science to manage approximately 252 switches. Supports delegation with granular access restrictions. IST network/security staff may request an ona account with full access on all switches if desired. Ona may evolve into a PBNM (Policy Based Network Management) tool as standards, network hardware capabilities, and needs evolve.
• CEIT network. Contract on core Black Diamond expires Novemeber 30, 2004. Renew shortly.
• ORION. ORION is a Research and Education network that provides an environment in which bandwidth is no longer a major constraint to creativity, innovative research and education projects and/or activities, and new knowledge creation. Full exploitation of Orion by UW researchers may later require network capacity expansion internal to UW. Evaluating existing equipment and planned/future core/PoP switch purchases for upgradeability, for example xenpak capability. Fibre optic implications also.
• Extreme Summit400 switch - 48 port 10/100/1000 switch with xenpak slot. One in use in our machine room for a few months now. Considering upgrading 3 PoP switches to Summit400.
• mmlab. 120 Nexus lab in CPH is occasionaly used for exams, and a firewall lockdown can be performed on the core Extreme router to prevent/detect some forms of attempts to cheat electronically. A Summit48si has been ordered to replace one of the existing Cisco 3548 switches serving the lab, so that the firewall lockdown can be performed locally. The Cisco 3548 will be installed in DWE to replace a 3524 which is almost full.
• Extreme Summit200 switch - this is our edge switch of choice. Relatively low cost, limited lifetime warranty, and 2 gigabit ports, each of which has a mini GBIC and copper connection. Approximately 12 have been bought across campus in the last 6 months.
• Private networks. Developed a draft policy concerning the use of private networks at UW. Note this is only for private networks that could benefit from cross campus routing. Subsequent feedback suggested that 10.0.0.0 be the "reserved" range, and the following process be used to allocate such networks across campus:
  • assign as 10.x.0.0/16 blocks where 'x' is an existing 129.97.x.0 network already assigned.
  • For example, if E&CE needed a private network, they could use 10.8.0.0/16 as they already are assigned 129.97.8.0/24