University IssuesUniversity Issues

William Annis - University of WisconsinWilliam Annis - University of Wisconsin David Brumley - Stanford UniversityDavid Brumley - Stanford University Robyn Landers - University of WaterlooRobyn Landers - University of Waterloo Kathy Penn - University of MarylandKathy Penn - University of Maryland Jon Finke - Rensselaer Polytechnic Jon Finke - Rensselaer Polytechnic

InstituteInstitute

FormatFormat

Begin

Open Topic_List_Cursor;

Loop

fetch Topic_List_Cursor into Topic,Presenter;

exit when Topic is Null;

Introduce(Presenter, Minutes =>1);

PresenterDiscusses(Topic, Minutes => 10);

PanelRebuts(Topic, Minutes => 5);

AudienceComments;end loopend;

Topics:Topics:

Managing GrowthManaging Growth• William AnnisWilliam Annis

Computer Security and Incidence Computer Security and Incidence ResponseResponse• David BrumleyDavid Brumley

Residence NetworkingResidence Networking• Robyn LandersRobyn Landers

Backups - Procedure and PolicyBackups - Procedure and Policy• Kathy PennKathy Penn

Managing GrowthManaging Growth

William Annis William Annis Biomedical Computing Group - U Biomedical Computing Group - U

WisconsinWisconsin• Statisticians - Grads, Faculty and Post DocsStatisticians - Grads, Faculty and Post Docs• Solaris (20 Servers, 40 desktops), 40 XtermsSolaris (20 Servers, 40 desktops), 40 Xterms• Citrix NT for NT applicationsCitrix NT for NT applications• Web and database servers.Web and database servers.• 2 FT Admins, 1/2 Manager, 3/4 Student2 FT Admins, 1/2 Manager, 3/4 Student

When I started:When I started:

No admin, just parts of staff and an No admin, just parts of staff and an occasional grad studentoccasional grad student

Machines acting as file servers al over Machines acting as file servers al over campuscampus

Strange, uncommented code kept us Strange, uncommented code kept us runningrunning

How we changed:How we changed:

Wrote a large documentWrote a large document Centralized everythingCentralized everything One OS versionOne OS version cfengine squashes irregularitiescfengine squashes irregularities

The change:The change:

Took two years -- will be done RSNTook two years -- will be done RSN Initial steps noisy and obviousInitial steps noisy and obvious Users still not quite sure of the Users still not quite sure of the

centralized computing conceptcentralized computing concept Admin brain-retooling took a whileAdmin brain-retooling took a while

Computer Security and Computer Security and Incidence ResponseIncidence Response

David Brumley David Brumley dbrumley@stanford.edudbrumley@stanford.edu

Stanford UniversityStanford University• Fiber to Internet (100 MB/S single duplex); Fiber to Internet (100 MB/S single duplex);

OC12 to Internet2 (600MB/S full duplex); up OC12 to Internet2 (600MB/S full duplex); up to 2.6 gigabit internally (full duplex)to 2.6 gigabit internally (full duplex)

• 505 Active subnets, 53216 registered nodes505 Active subnets, 53216 registered nodes• 18116 PCs, 9305 Macs, 2629 Unix18116 PCs, 9305 Macs, 2629 Unix• 2299 Network Infrastructure, 711 Other2299 Network Infrastructure, 711 Other• 1997 Printer, 338 Unknown, 258 X-terminals1997 Printer, 338 Unknown, 258 X-terminals

Residence Hall NetworkingResidence Hall Networking

Robyn Landers Robyn Landers rblanders@math.uwaterloo.carblanders@math.uwaterloo.ca

University of Waterloo, Math Faculty, UndergradUniversity of Waterloo, Math Faculty, Undergrad

• Mostly Sun(22) servers, X Mostly Sun(22) servers, X terminals(200)terminals(200)

• WinCenter (PC apps on X terminals)WinCenter (PC apps on X terminals)• Network Appliance NFS serversNetwork Appliance NFS servers

– Unix, PC home directoriesUnix, PC home directories

• SGI (14), PC ( 90) and Mac(120)SGI (14), PC ( 90) and Mac(120)

%cc hello.world.c%cc hello.world.c

eh.ooteh.oot

Nice starting point:Nice starting point:www.adm.uwaterloo.ca/infohous/resnetwww.adm.uwaterloo.ca/infohous/resnet

Techie details:Techie details:www.ist.uwaterloo.ca/cn/Residence/www.ist.uwaterloo.ca/cn/Residence/

tech.htmltech.html

Getting ConnectedGetting Connected

policy agreementpolicy agreement fill out form, incl. MAC addressfill out form, incl. MAC address forms hand-entered into spreadsheetforms hand-entered into spreadsheet scripts extract info into DHCP tab and scripts extract info into DHCP tab and

router ARP entriesrouter ARP entries

Rate LimitingRate Limiting

cron job queries router every 12 minutescron job queries router every 12 minutes compute traffic volume per IPcompute traffic volume per IP

• daily total (150 Mb/day)daily total (150 Mb/day)• running average (25 Mb/day)running average (25 Mb/day)

exceed limit => external access cut offexceed limit => external access cut off web page where students can check their web page where students can check their

own statsown stats reduces accidental and intentional misusereduces accidental and intentional misuse manual intervention in case of policy abusemanual intervention in case of policy abuse

Privacy and SecurityPrivacy and Security

access control on hosts that have resnet access control on hosts that have resnet infoinfo

can’t use DHCP info to track down can’t use DHCP info to track down student’s personal info, for examplestudent’s personal info, for example

students can view only their own usage students can view only their own usage statsstats

Interesting ProblemsInteresting Problems

student set up rogue DHCP serverstudent set up rogue DHCP server some MS W98 network drivers locked up some MS W98 network drivers locked up

after receiving DHCP answerafter receiving DHCP answer some W98 needed a vendor tag set in some W98 needed a vendor tag set in

DHCP entry (value irrelevant)DHCP entry (value irrelevant) forging mail and newsforging mail and news client-side denial of service -- client grabs client-side denial of service -- client grabs

all the IPsall the IPs server spoofingserver spoofing

Uninteresting ProblemsUninteresting Problems

syntax errors in DHCPtab from manual syntax errors in DHCPtab from manual entryentry• now have automatic checkernow have automatic checker

wall jacks fail from abusewall jacks fail from abuse

Non-ProblemsNon-Problems

automatic rate-limiting prevents automatic rate-limiting prevents network overloadnetwork overload

students learn and share local sources, students learn and share local sources, reducing need for off-sitereducing need for off-site

What’s coolWhat’s cool• auto rate limiting (Perl. Uses no vendor-specific auto rate limiting (Perl. Uses no vendor-specific

features. Router just needs to keep and report features. Router just needs to keep and report traffic stats so you can query it.)traffic stats so you can query it.)

• web page where studens check their usageweb page where studens check their usage What would be niceWhat would be nice

• on-line D.I.Y. registrationon-line D.I.Y. registration• use the D in DHCPuse the D in DHCP

Other implementationsOther implementations• Stanford’s Secure Public InterNet ACcess HandlerStanford’s Secure Public InterNet ACcess Handler

http://spinach.stanford.edu http://spinach.stanford.edu

SummarySummary

Backup -- Procedure and Backup -- Procedure and PolicyPolicy

Kathy Penn Kathy Penn kpenn@isr.umd.edukpenn@isr.umd.edu

Institute for Systems Research, U Institute for Systems Research, U MarylandMaryland• 900 Grad Students, 60 Faculty, 40 Admin 900 Grad Students, 60 Faculty, 40 Admin

StaffStaff• 175 Unix 175 Unix (mostly Sun), 100 PCs & Macs(mostly Sun), 100 PCs & Macs

• Sys Admin staff - 5 FTE, 5 Student Sys Admin staff - 5 FTE, 5 Student • 3 Class C Subnets, but routers run by 3 Class C Subnets, but routers run by

University networking departmentUniversity networking department

BackupsBackups

Everyone does themEveryone does them Everyone does restoresEveryone does restores Everyone verifies backupsEveryone verifies backups But does everyone know how?But does everyone know how?

Document Your Document Your ProceduresProcedures

How to do the actual backupsHow to do the actual backups How to do the restoresHow to do the restores Have someone step through the Have someone step through the

instructionsinstructions Don’t forget Why, Where, WhichDon’t forget Why, Where, Which

Document Your PoliciesDocument Your Policies

For staff and usersFor staff and users How frequently backups are madeHow frequently backups are made How frequently archival copies are How frequently archival copies are

mademade How long archives are keptHow long archives are kept What do you NOT backup, and whyWhat do you NOT backup, and why

Restoration InformationRestoration Information

How do users request restores?How do users request restores? If they can do their own restores, how?If they can do their own restores, how? How long do restores take?How long do restores take? Who can request restores?Who can request restores?

IANAL (I Am Not A Lawyer)IANAL (I Am Not A Lawyer)

Check with your central University Check with your central University policypolicy

Check with University lawyersCheck with University lawyers Document Everything -- especially your Document Everything -- especially your

policiespolicies

These Slides Will Be These Slides Will Be Available Near You Soon!Available Near You Soon!

Http:www.rpi.edu/~finkej/u-issues/Http:www.rpi.edu/~finkej/u-issues/