Supercomputing • Communications • Data
NCAR Scientific Computing Division
NETS
Network Engineering & Telecommunications
Section Update
Jim Van Dyke - Asst. Section Manager
December 10, 2001
Topics
Introduction to NETS
NETS Web Site
Network Coordination & Advisor Board
Current wireless deployment
NCAR VPN
NETS Future Projects
Introduction to NETS
Who are we? http://www.scd.ucar.edu/nets/intro
NETS Web Site
http://www.scd.ucar.edu/nets
How to submit a NETS work request: http://www.scd.ucar.edu/nets/forms/
Network Coordination & Advisor Board
Helps define priorities
NCAB Policies: http://www.ucar.edu/ncab/
Wireless at NCAR
NCAR current wireless projects:
  LAN
  WAN
Details of NCAR wireless work at: http://www.scd.ucar.edu/nets/projects/wireless/
NCAR’s Wireless LAN
Covering all the conference rooms now
Cover most office space eventually
“NETS is the FCC of NCAR” (no rogue wireless devices)
Guest authentication via web page
VPN access required in the future
Old Wireless Model
Staff-only network inside the firewall provides access to all the same services that staff have access to in their offices
Guest/visitor network outside the firewall only in conference rooms and their immediate vicinity
Access to each is controlled via regularly changing encryption keys
New Wireless Model
One network only
Access via VPN for UCAR staff
Guest access via web page registration
Reason for requirement = WEP is insecure
NCAR’s Wireless WAN
802.11b link between ML and MFS
Backed up by a T-1 link
Potential backup links to Jeffco, PS and FL
Futures / other general wireless issues
802.11b standard extensions coming
  will extend 802.11b speed to 22Mbps
IEEE 802.11a
  operates in the 5-GHz bands
  data rates up to 54Mbps
  unlike 802.11b DSSS, 802.11a uses OFDM
NCAR’s security perimeter
Who is inside?
  Most users on UCAR campuses
  Dial-in users connecting to UCAR dialups
Who is outside?
  Users at UCAR divisions that have elected to remain outside the perimeter
  Dial-in users connecting to external ISPs
  Anyone else on the Internet at large
NCAR VPN Solution
A conceptual diagram of what we wanted to achieve
NCAR’s VPN client solutions
Windows Cisco IPSec client – W9X-WXP and Linux
Linux FreeS/WAN option available
Macintosh and Solaris
  No current solution
  Cisco client solution supposedly coming soon
Obtain software via Greg Woods
Cisco VPN solution
Cisco IPSec client
  Establishes IPSec tunnel to Cisco VPN Concentrator 3015 (and closes off all other network access when enabled)
We require a group ID and password to establish tunnel (can also use certificates)
We then validate the user on their UCAR “gatekeeper password” via RADIUS
Legal issues
Cisco VPN client issues
From the legal point of view, we have four classes of users:
  UCAR employees who install the software onsite
  UCAR employees who download the software to their home systems
  Remote users within the US
  Remote users outside the US
Linux VPN solution
FreeS/WAN (www.freeswan.org)
  Known to work with Linux and BSD
  Must recompile the kernel
  Linux client must comply with CSAC security standards for fully exposed hosts (disabling services or using ipchains to block access; IP firewalling must be enabled in the kernel)
VPN and Wireless
Addresses the WEP insecurity issue
CSAC will require this soon
NETS Future Projects
Voice over IP (VoIP)
Routers Upgrade
New Connections to FRGP
New Building
Conclusion
Details and more information on NETS “Projects page”: http://www.scd.ucar.edu/nets/projects
Questions?