University Issues

William Annis - University of Wisconsin
David Brumley - Stanford University
Robyn Landers - University of Waterloo
Kathy Penn - University of Maryland
Jon Finke - Rensselaer Polytechnic Institute
Format

Begin
    Open Topic_List_Cursor;
    Loop
        fetch Topic_List_Cursor into Topic, Presenter;
        exit when Topic is Null;
        Introduce(Presenter, Minutes => 1);
        PresenterDiscusses(Topic, Minutes => 10);
        PanelRebuts(Topic, Minutes => 5);
        AudienceComments;
    end loop;
end;
Topics:
• Managing Growth - William Annis
• Computer Security and Incident Response - David Brumley
• Residence Networking - Robyn Landers
• Backups - Procedure and Policy - Kathy Penn
Managing Growth

William Annis, Biomedical Computing Group - U Wisconsin
• Statisticians - Grads, Faculty and Post Docs
• Solaris (20 servers, 40 desktops), 40 Xterms
• Citrix NT for NT applications
• Web and database servers
• 2 FT admins, 1/2 manager, 3/4 student

When I started:
• No admin, just parts of staff and an occasional grad student
• Machines acting as file servers all over campus
• Strange, uncommented code kept us running

How we changed:
• Wrote a large document
• Centralized everything
• One OS version
• cfengine squashes irregularities

The change:
• Took two years -- will be done RSN
• Initial steps noisy and obvious
• Users still not quite sure of the centralized computing concept
• Admin brain-retooling took a while
Computer Security and Incident Response

David Brumley [email protected]
Stanford University
• Fiber to Internet (100 Mb/s, single duplex); OC12 to Internet2 (600 Mb/s, full duplex); up to 2.6 gigabit internally (full duplex)
• 505 active subnets, 53216 registered nodes
• 18116 PCs, 9305 Macs, 2629 Unix
• 2299 network infrastructure, 711 other
• 1997 printers, 338 unknown, 258 X-terminals
Residence Hall Networking

Robyn Landers [email protected]
University of Waterloo, Math Faculty, Undergrad
• Mostly Sun (22) servers, X terminals (200)
• WinCenter (PC apps on X terminals)
• Network Appliance NFS servers
  – Unix, PC home directories
• SGI (14), PC (90) and Mac (120)

Nice starting point: www.adm.uwaterloo.ca/infohous/resnet
Techie details: www.ist.uwaterloo.ca/cn/Residence/tech.html
Getting Connected
• policy agreement
• fill out form, incl. MAC address
• forms hand-entered into spreadsheet
• scripts extract info into DHCP tab and router ARP entries
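The registration pipeline above, as an added example (not the Waterloo scripts): the spreadsheet export is validated row by row and turned into DHCP and router entries. The output formats are assumptions, since the talk does not say what its DHCP tab or router expect: ISC dhcpd host declarations and Cisco IOS static arp lines. The residence subnet and the CSV rows are constructed for the example. The validation step is what later removes the hand-entry syntax errors the talk lists under "Uninteresting Problems", and rejecting a MAC that is already registered is also the cheapest check against a second form being filed for somebody else's card.

```python
"""Turn the hand-entered registration spreadsheet into DHCP and router ARP
entries, validating every row on the way. Added example: output formats are
assumptions (ISC dhcpd 'host' declarations and Cisco IOS static 'arp'
lines), as is the residence subnet; the talk does not say what its DHCP
tab or router expect."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

RESNET = ipaddress.ip_network("10.20.0.0/16")   # assumed residence subnet

# Constructed sample of the spreadsheet export: one row per registration form.
SAMPLE_CSV = """userid,room,mac,ip
alice,V1-101,00:11:22:33:44:55,10.20.1.10
bob,V1-102,00-11-22-33-44-5G,10.20.1.11
carol,V1-103,0011.2233.4455,10.20.1.12
dave,V1-104,00:11:22:33:44:66,10.21.1.13
erin,V1-105,01:00:5e:00:00:01,10.20.1.14
frank,V1-106,00:11:22:33:44:77,10.20.1.15
"""


@dataclass(frozen=True)
class Registration:
    userid: str
    room: str
    mac: str      # canonical aa:bb:cc:dd:ee:ff
    ip: str


def normalize_mac(raw: str) -> str:
    """Accept the separators people write on forms; reject anything that is
    not 12 hex digits or has the group bit set (a multicast/broadcast address
    can never be a client NIC)."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC {raw!r}")
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group-bit MAC {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_registrations(csv_text: str, subnet=RESNET):
    """Validate each row; returns (accepted entries, error messages). A MAC
    or IP already seen is rejected, which catches both typos and a second
    form submitted for someone else's hardware address."""
    good, errors = [], []
    seen_mac, seen_ip = {}, {}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            mac = normalize_mac(row["mac"])
            ip = ipaddress.ip_address(row["ip"].strip())
            if ip not in subnet:
                raise ValueError(f"{ip} not in {subnet}")
            if mac in seen_mac:
                raise ValueError(f"MAC {mac} already registered on row {seen_mac[mac]}")
            if ip in seen_ip:
                raise ValueError(f"IP {ip} already assigned on row {seen_ip[ip]}")
        except (ValueError, KeyError) as exc:
            errors.append(f"row {n} ({row.get('userid', '?')}): {exc}")
            continue
        seen_mac[mac], seen_ip[ip] = n, n
        good.append(Registration(row["userid"].strip(), row["room"].strip(),
                                 mac, str(ip)))
    return good, errors


def render_dhcpd(entries) -> str:
    """One fixed-address host declaration per registration (ISC dhcpd syntax)."""
    blocks = [f"host {r.room.lower()}-{r.userid} {{\n"
              f"    hardware ethernet {r.mac};\n"
              f"    fixed-address {r.ip};\n}}" for r in entries]
    return "\n".join(blocks) + "\n"


def render_ios_arp(entries) -> str:
    """Static ARP entries in Cisco IOS form: arp <ip> <hhhh.hhhh.hhhh> arpa."""
    lines = []
    for r in entries:
        d = r.mac.replace(":", "")
        lines.append(f"arp {r.ip} {d[:4]}.{d[4:8]}.{d[8:]} arpa")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries, problems = load_registrations(SAMPLE_CSV)
    print(render_dhcpd(entries))
    print(render_ios_arp(entries))
    for p in problems:
        print("REJECTED:", p)
```

Run on the sample, only alice and frank survive: bob's MAC has a non-hex digit, carol's MAC is alice's written with dots, dave's IP is outside the subnet, and erin's MAC has the group bit set. Rejected rows go back to whoever entered the form rather than into the DHCP tab.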
Rate Limiting
• cron job queries router every 12 minutes
• compute traffic volume per IP
  – daily total (150 Mb/day)
  – running average (25 Mb/day)
• exceed limit => external access cut off
• web page where students can check their own stats
• reduces accidental and intentional misuse
• manual intervention in case of policy abuse
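The accounting loop described on this slide, as an added example in Python (the talk's own tool was Perl and is not reproduced here). Each run of the cron job hands in one snapshot of the router's cumulative per-IP counters; the code turns that into today's volume and a running daily average, and names the hosts whose external access should be cut. Counter width, the sanity bound on one interval, the averaging window and the interpretation of the 150 and 25 figures as counter units are assumptions; the talk only says the router must keep and report per-IP traffic.

```python
"""Per-IP traffic accounting and automatic cut-off, in the shape the talk
describes: a cron job polls the router every 12 minutes for cumulative
per-IP byte counters, computes each host's daily total and a running daily
average, and cuts off external access when either exceeds its limit.
Added example in Python (the talk's tool was Perl); limits, averaging window
and 32-bit counter width are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

COUNTER_BITS = 32            # assumed: SNMP-style 32-bit cumulative counters
MAX_DELTA = 1 << 30          # assumed sanity bound on one 12-minute interval
DAILY_LIMIT = 150 * 10**6    # "150 Mb/day" from the talk, in counter units
AVG_LIMIT = 25 * 10**6       # "25 Mb/day" running-average limit from the talk
AVG_DAYS = 7                 # assumed length of the running-average window


@dataclass
class HostStats:
    last_counter: Optional[int] = None
    today: int = 0                                    # volume so far today
    history: deque = field(default_factory=lambda: deque(maxlen=AVG_DAYS))
    cut_off: bool = False

    @property
    def running_average(self) -> float:
        days = list(self.history) + [self.today]
        return sum(days) / len(days)


class RateLimiter:
    def __init__(self, daily_limit=DAILY_LIMIT, avg_limit=AVG_LIMIT):
        self.daily_limit = daily_limit
        self.avg_limit = avg_limit
        self.hosts = {}

    @staticmethod
    def _delta(prev: int, cur: int) -> int:
        """Volume moved since the previous poll, allowing for a wrapped
        counter; an implausibly large wrap is taken as a router reset."""
        if cur >= prev:
            return cur - prev
        wrapped = cur + (1 << COUNTER_BITS) - prev
        return wrapped if wrapped <= MAX_DELTA else cur

    def poll(self, counters: dict) -> list:
        """Ingest one snapshot {ip: cumulative_counter} as pulled from the
        router. Returns the IPs whose external access this poll cuts off."""
        newly_cut = []
        for ip, value in counters.items():
            h = self.hosts.setdefault(ip, HostStats())
            if h.last_counter is not None:
                h.today += self._delta(h.last_counter, value)
            h.last_counter = value
            if not h.cut_off and self.over_limit(h):
                h.cut_off = True
                newly_cut.append(ip)
        return newly_cut

    def over_limit(self, h: HostStats) -> bool:
        return h.today > self.daily_limit or h.running_average > self.avg_limit

    def rollover(self) -> None:
        """Run once a day: archive today's total and restore access; a host
        still over its running average is cut off again on the next poll."""
        for h in self.hosts.values():
            h.history.append(h.today)
            h.today = 0
            h.cut_off = False

    def stats_for(self, ip: str) -> dict:
        """What the per-student web page shows: only this IP's own numbers."""
        h = self.hosts[ip]
        return {"today": h.today, "average": round(h.running_average),
                "cut_off": h.cut_off}


if __name__ == "__main__":
    rl = RateLimiter(daily_limit=1000, avg_limit=400)      # small demo limits
    rl.poll({"10.20.1.10": 100, "10.20.1.11": 100})        # baseline sample
    print(rl.poll({"10.20.1.10": 1200, "10.20.1.11": 300}))  # ['10.20.1.10']
    rl.rollover()
    print(rl.stats_for("10.20.1.10"))
```

The first poll for a host only records a baseline, so nobody is charged for traffic that happened before the script started watching. The running average includes the partial current day, so a host that blows the daily limit also lifts its average and can stay cut off after the midnight rollover; that is the behaviour that makes the running-average limit bite on persistent heavy users rather than one bad day. Enforcement itself (the router ACL or filter) is site-specific and left out.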
Privacy and Security
• access control on hosts that have resnet info
• can't use DHCP info to track down student's personal info, for example
• students can view only their own usage stats
Interesting Problems
• student set up rogue DHCP server
• some MS W98 network drivers locked up after receiving DHCP answer
• some W98 needed a vendor tag set in DHCP entry (value irrelevant)
• forging mail and news
• client-side denial of service -- client grabs all the IPs
• server spoofing
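Two of the problems on this slide, the rogue DHCP server and the client grabbing all the IPs, can be spotted passively from the wire. The following is an added example (not something the talk describes): it parses raw BOOTP/DHCP packets as a sniffer would hand them over, alerts when an OFFER carries a server identifier other than the known server, and alerts when DISCOVERs arrive from more unregistered MAC addresses than a threshold, which is what address exhaustion looks like on a network where every legitimate card is pre-registered. The packets, the server address and the threshold are constructed for the example.

```python
"""Passive DHCP monitor for a rogue server and for address exhaustion.
Added example, not from the talk. Parses raw BOOTP/DHCP packets; the known
server address, the registered-MAC list and the threshold are assumptions,
and the packets built here are test input only."""
import struct
from socket import inet_aton, inet_ntoa

MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2          # option 53 message types
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0


def build_dhcp(op, msg_type, mac, yiaddr="0.0.0.0", server_id=None, xid=0x2A2A):
    """Construct a minimal DHCP packet; used only to make test input here."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + inet_aton(server_id)
    return header + MAGIC + opts + bytes([OPT_END])


def parse_dhcp(pkt: bytes) -> dict:
    """Pull out op, client MAC, offered address and the TLV options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    opts = {}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):            # truncated option: stop parsing
            break
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "mac": pkt[28:28 + hlen].hex(":"),
            "yiaddr": inet_ntoa(pkt[16:20]), "opts": opts}


class DhcpMonitor:
    def __init__(self, known_servers, registered_macs, discover_threshold=20):
        self.known = set(known_servers)          # the legitimate DHCP server(s)
        self.registered = set(registered_macs)   # MACs from the registration forms
        self.threshold = discover_threshold      # assumed: unregistered MACs per run
        self.unregistered_seen = set()
        self.alerts = []

    def observe(self, pkt: bytes) -> list:
        """Examine one packet; returns the alerts it triggered (also kept)."""
        p = parse_dhcp(pkt)
        msg_type = p["opts"].get(OPT_MSG_TYPE, b"\0")[0]
        new = []
        if p["op"] == BOOTREPLY and msg_type == OFFER:
            sid = p["opts"].get(OPT_SERVER_ID)
            server = inet_ntoa(sid) if sid and len(sid) == 4 else "unknown"
            if server not in self.known:
                new.append(f"rogue DHCP server {server} offered {p['yiaddr']} "
                           f"to {p['mac']}")
        elif p["op"] == BOOTREQUEST and msg_type == DISCOVER:
            if p["mac"] not in self.registered:
                self.unregistered_seen.add(p["mac"])
                if len(self.unregistered_seen) == self.threshold:
                    new.append(f"possible address exhaustion: DISCOVERs from "
                               f"{self.threshold} unregistered MACs")
        self.alerts.extend(new)
        return new


if __name__ == "__main__":
    mon = DhcpMonitor({"10.20.0.2"}, {"00:11:22:33:44:55"}, discover_threshold=5)
    mon.observe(build_dhcp(BOOTREPLY, OFFER, "00:11:22:33:44:55",
                           "10.20.1.10", "10.20.0.2"))            # legitimate
    mon.observe(build_dhcp(BOOTREPLY, OFFER, "00:11:22:33:44:55",
                           "192.168.0.100", "192.168.0.1"))       # rogue
    for i in range(8):                                            # exhaustion attempt
        mon.observe(build_dhcp(BOOTREQUEST, DISCOVER, f"02:00:00:00:00:{i:02x}"))
    print("\n".join(mon.alerts))
```

The rogue-server check keys on option 54 rather than the packet's source address because a rogue on the same segment can spoof the latter trivially; the exhaustion check counts distinct MACs, since a client grabbing all the IPs has to present a different hardware address for each lease it wants. Feeding real traffic in is a matter of reading frames from a promiscuous socket on the residence VLAN and passing the UDP payload to observe().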
Uninteresting Problems
• syntax errors in DHCPtab from manual entry
  – now have automatic checker
• wall jacks fail from abuse
Non-Problems
• automatic rate-limiting prevents network overload
• students learn and share local sources, reducing need for off-site
What's cool
• auto rate limiting (Perl. Uses no vendor-specific features. Router just needs to keep and report traffic stats so you can query it.)
• web page where students check their usage

What would be nice
• on-line D.I.Y. registration
• use the D in DHCP

Other implementations
• Stanford's Secure Public InterNet ACcess Handler: http://spinach.stanford.edu
Summary
Backup -- Procedure and Policy

Kathy Penn [email protected]
Institute for Systems Research, U Maryland
• 900 grad students, 60 faculty, 40 admin staff
• 175 Unix (mostly Sun), 100 PCs & Macs
• Sys admin staff - 5 FTE, 5 student
• 3 Class C subnets, but routers run by University networking department
Backups
• Everyone does them
• Everyone does restores
• Everyone verifies backups
• But does everyone know how?

Document Your Procedures
• How to do the actual backups
• How to do the restores
• Have someone step through the instructions
• Don't forget Why, Where, Which

Document Your Policies
• For staff and users
• How frequently backups are made
• How frequently archival copies are made
• How long archives are kept
• What do you NOT back up, and why

Restoration Information
• How do users request restores?
• If they can do their own restores, how?
• How long do restores take?
• Who can request restores?

IANAL (I Am Not A Lawyer)
• Check with your central University policy
• Check with University lawyers
• Document everything -- especially your policies