Supercomputing • Communications • Data

NCAR Scientific Computing Division

NETS

Network Engineering & Telecommunications Section Update

Jim Van Dyke - Asst. Section Manager

December 10, 2001

Topics

Introduction to NETS

NETS Web Site

Network Coordination & Advisor Board

Current wireless deployment

NCAR VPN

NETS Future Projects

Introduction to NETS

Who are we? http://www.scd.ucar.edu/nets/intro

NETS Web Site

http://www.scd.ucar.edu/nets

How to submit a NETS work request: http://www.scd.ucar.edu/nets/forms/

Network Coordination & Advisor Board

Helps define priorities

NCAB Policies: http://www.ucar.edu/ncab/

Wireless at NCAR

NCAR current wireless projects:

LAN

WAN

Details of NCAR wireless work at: http://www.scd.ucar.edu/nets/projects/wireless/

NCAR’s Wireless LAN

Covering all the conference rooms now

Cover most office space eventually

“NETS is the FCC of NCAR” (no rogue wireless devices)

Guest authentication via web page

VPN access required in the future

Old Wireless Model

Staff-only network inside the firewall provides access to all the same services that staff have access to in their offices

Guest/visitor network outside the firewall only in conference rooms and their immediate vicinity

Access to each is controlled via regularly changing encryption keys

New Wireless Model

One network only

Access via VPN for UCAR staff

Guest access via web page registration

Reason for requirement = WEP is insecure

NCAR’s Wireless WAN

802.11b link between ML and MFS

Backed up by a T-1 link

Potential backup links to Jeffco, PS and FL

Futures / other general wireless issues

802.11b standard extensions coming: will extend 802.11b speed to 22 Mbps

IEEE 802.11a: operates in the 5-GHz bands; data rates up to 54 Mbps; unlike 802.11b DSSS, 802.11a uses OFDM

NCAR’s security perimeter

Who is inside?

Most users on UCAR campuses

Dial-in users connecting to UCAR dialups

Who is outside?

Users at UCAR divisions that have elected to remain outside the perimeter

Dial-in users connecting to external ISPs

Anyone else on the Internet at large

NCAR VPN Solution

A conceptual diagram of what we wanted to achieve

NCAR’s VPN client solutions

Windows: Cisco IPSec client – W9X-WXP and Linux

Linux: FreeS/WAN option available

Macintosh and Solaris: No current solution; Cisco client solution supposedly coming soon

Obtain software via Greg Woods

Cisco VPN solution

Cisco IPSec client

Establishes IPSec tunnel to Cisco VPN Concentrator 3015 (and closes off all other network access when enabled)

We require a group ID and password to establish tunnel (can also use certificates)

We then validate the user on their UCAR “gatekeeper password” via RADIUS

Legal issues

Cisco VPN client issues

From the legal point of view, we have four classes of users:

UCAR employees who install the software onsite

UCAR employees who download the software to their home systems

Remote users within the US

Remote users outside the US

Linux VPN solution

FreeS/WAN (www.freeswan.org)

Known to work with Linux and BSD

Must recompile the kernel

Linux client must comply with CSAC security standards for fully exposed hosts (disabling services or using ipchains to block access; IP firewalling must be enabled in the kernel)

VPN and Wireless

Addresses the WEP insecurity issue

CSAC will require this soon

NETS Future Projects

Voice over IP (VoIP)

Routers Upgrade

New Connections to FRGP

New Building

Conclusion

Details and more information on NETS “Projects page”: http://www.scd.ucar.edu/nets/projects

Questions?