Network Engineering

1
Network Engineering Telecommunications Section
Update

• Jim Van Dyke - Asst. Section Manager
• December 10, 2001

2
Topics

• Introduction to NETS
• NETS Web Site
• Network Coordination Advisor Board
• Current wireless deployment
• NCAR VPN
• NETS Future Projects

3
Introduction to NETS

• Who are we?
• http//www.scd.ucar.edu/nets/intro

4
NETS Web Site

• http//www.scd.ucar.edu/nets
• How to submit a NETS work request
• http//www.scd.ucar.edu/nets/forms/

5
Network Coordination Advisor Board

• Helps define priorities
• NCAB Policies
• http//www.ucar.edu/ncab/

6
Wireless at NCAR

• NCAR current wireless projects
• LAN
• WAN
• Details of NCAR wireless work at
• http//www.scd.ucar.edu/nets/projects/wireless/

7
NCARs Wireless LAN

• Covering all the conference rooms now
• Cover most office space eventually
• NETS is the FCC of NCAR (no rogue wireless
  devices)
• Guest authentication via web page
• VPN access required in the future

8
Old Wireless Model

• Staff-only network
• inside the firewall
• provides access to all the same services that
  staff have access to in their offices
• Guest/visitor network
• outside the firewall
• only in conference rooms and their immediate
  vicinity
• Access to each is controlled via regularly
  changing encryption keys

9
New Wireless Model

• One network only
• Access via VPN for UCAR staff
• Guest access via web page registration
• Reason for requirement WEP is insecure

10
NCARs Wireless WAN

• 802.11b link between ML and MFS
• Backed up by a T-1 link
• Potential backup links to Jeffco, PS and FL

11
Futures / other general wireless issues

• 802.11b standard extensions coming
• will extend 802.11b speed to 22Mbps
• IEEE 802.11a
• operates in the 5-GHz bands
• data rates up to 54Mbps
• unlike 802.11b DSSS, 802.11a uses OFDM

12
NCARs security perimeter

• Who is inside?
• Most users on UCAR campuses
• Dial-in users connecting to UCAR dialups
• Who is outside?
• Users at UCAR divisions that have elected to
  remain outside the perimeter
• Dial-in users connecting to external ISPs
• Anyone else on the Internet at large

13
(No Transcript)
14
NCAR VPN Solution

• A conceptual diagram of what we wanted to achieve

15
(No Transcript)
16
NCARs VPN client solutions

• Windows
• Cisco IPSec client W9X-WXP and Linux
• Linux
• FreeS/WAN option available
• Macintosh and Solaris
• No current solution
• Cisco client solution supposedly coming soon
• Obtain software via Greg Woods

17
Cisco VPN solution

• Cisco IPSec client
• Establishes IPSec tunnel to Cisco VPN
  Concentrator 3015 (and closes off all other
  network access when enabled)
• We require a group ID and password to establish
  tunnel (can also use certificates)
• We then validate the user on their UCAR
  gatekeeper password via RADIUS

18
Legal issues

• Cisco VPN client issues
• From the legal point of view, we have four
  classes of users
• UCAR employees who install the software onsite
• UCAR employees who download the software to their
  home systems
• Remote users within the US
• Remote users outside the US

19
Linux VPN solution

• FreeS/WAN (www.freeswan.org)
• Known to work with Linux and BSD
• Must recompile the kernel
• Linux client must comply with CSAC security
  standards for fully exposed hosts (disabling
  services or using ipchains to block access IP
  firewalling must be enabled in the kernel)

20
VPN and Wireless

• Addresses the WEP insecurity issue
• CSAC will require this soon

21
NETS Future Projects

• Voice over IP (VoIP)
• Routers Upgrade
• New Connections to FRGP
• New Building

22
Conclusion

• Details and more information on NETS Projects
  page
• http//www.scd.ucar.edu/nets/projects
• Questions?

23
NETS