NOTE:
The NAS website is no longer being updated. The information on
this page may be out of date and/or incorrect.
For more current information on this page's topics, see:
January 1999 Netnuggets
Subject: NAS News: admin registration, free classes, mailhost, ...
Contents:
1) Authentication and authorization procedures for networks and
network administrators are changing. Some admins still need netids.
2) CCSO/NAS will cover the cost for FAST3 NAS classes.
3) mailhost.uiuc.edu should no longer be used.
4) Terminal Server FAQ under development.
5) Networking staff & DNS changes; call 4-1600 to identify your current designer.
6) Dialup Appletalk
* * *
1. CCSO's recent efforts to provide Internet Security Scan
(ISS) service (see https://www-s2.cso.uiuc.edu/iss/iss.cgi)
have drawn attention to the need for us to review the authentication
and authorization procedures for networks and network administrators.
In the early days of networking on campus, some network administrators
primarily performed the clerical function of keeping track of what
IP addresses were assigned to which computers, while others addressed
in-depth computer support, network management, and security issues.
As UIUCnet has grown, an informal system of tracking network contacts
has evolved among CCSO groups involved in managing the campus network,
including the Network Design Office (NDO), the Network Operations Center
(NOC), the Network Administrator Support Group (NAS), and the DNS Host
Manager. This has resulted in conflicting information about some
networks between these various groups in CCSO. At the same time, the
role of network administrators has evolved to place them in a position
of much greater responsibility to control or protect the security of and
access to the growing web of information servers in campus units.
Additionally, with the advent of VLAN technology, one network may have
segments in multiple buildings.
We recognize that the importance of control and access to unit network
management is critical in today's environment. Therefore we are
formulating plans to implement new procedures and policies to track and
designate network administrators. Current goals are:
1. For each campus network, identify one official Network Administrator
with authority to use authenticated network management services and to
designate backup administrators and other contacts.
2. For each campus network, identify one University "unit" with ultimate
responsibility for the network, and the title or person responsible
for selecting the Network Administrator.
3. Provide a mechanism for the network administrators to designate
the services (ISS, DNS host registration, Router Reports, Outage
Notices, etc.) they wish to authorize for backup administrators or
designated network contacts.
4. Implement one definitive central database of Network Administrators,
other contacts, and authorized services.
5. Provide mechanisms for better periodic review and updates of this
information and access to it by all the parties involved.
For purposes of this document, "campus network" is a single combination of
assigned name, IP subnet address, and netmask (e.g., "uiuc-dcl-staff",
130.126.112.0, 255.255.254.0). If that network spans multiple buildings,
it will still be necessary to have one "owning unit" and one Network
Administrator for the entire network.
Since current plans involve Bluestem authenticated WWW forms for some
of these functions, all network administrators will be required to have
a network id. This should only impact a handful of network administrators
who are not directly employed by the campus. I will be contacting these
individuals in the near future.
In order to simplify and automate this process to some degree we'll be
preparing a Bluestem authenticated WWW form to survey our current list
of network contacts for verification of the current Primary network
administrator. For those networks where all the contacts agree as to
who is the primary administrator, that person will be our contact for
gathering the additional information we'll need to achieve the goals
stated above.
For those networks where there is some disagreement about the identity of
the Network Administrator, there will be a slower process of manually
contacting each unit, perhaps including a requirement for documentation
(such as a letter on unit letterhead) officially designating this
information.
Based on the efficiency of this process, and feedback from networked
units, we hope to implement a periodic (probably semiannual) procedure
requiring units to verify the authentication and authorization
information in our database either by Bluestem WWW forms or a
paper-based registration process. We hope that the Bluestem forms will
give units better and more timely control over, and monitoring of, who
is provided CCSO network services for their networks.
* * *
2. The CCSO/NAS group will pay for NAS classes taken by registered
network administrators on campus. Enrollees must provide an account
number to bill should they sign up and not attend. Should a last-minute
schedule conflict arise, a net admin may send a substitute who is
either from the same department or a registered net admin in another
department, and CCSO/NAS will still cover the cost.
Unlike our old NAS classes that were only available to net admins, the
FAST3 NAS classes are open to anyone providing an authorized account
number to bill for the course fee. Now, however, due to CCSO/NAS funding,
these classes are again free to network administrators.
Only network administration classes (noted by "NAS" in the registration
code) are covered by this subsidy.
Course titles, descriptions, and schedules of classes that CCSO/NAS will
pay for are available at:
http://cbtserv.cso.uiuc.edu/advtrain/courses.htm
Please mention that you are a network administrator when registering.
* * *
3. The server mailhost.uiuc.edu should no longer be used.
Years ago CCSO used to maintain this host as an SMTP delivery agent,
but this has not been a service for many years. Individuals should
use the host where they receive email as their delivery agent (e.g.
students.uiuc.edu or staff.uiuc.edu). Any system that is configured
as a host/server to receive mail should also be configured as a
delivery agent. CCSO will continue to provide SMTP delivery at the
mailhost.uiuc.edu address for a short transition period.
* * *
4. Mark Notarus has been working on new terminal service documentation.
The main URL for his "CCSO Terminal Server Information Pages" is:
http://www-commeng.cso.uiuc.edu/termserv
which currently has links to two documents: one about the new Premier
dialup service, and the other a new "Modem Support Frequently Asked
Questions" list.
* * *
5. Last October David Ruby left his Network Designer position in the NDO
to become Manager of the Instructional Computing Sites. Beth
Engelbrecht-Wiggans is now doing network design, and Heather Norton is
managing the DNS. If you are unsure which designer is currently
assigned to your building or network, call the main NDO number 244-1600
to find out. Remember all hub purchases need to be approved by your
designer.
For anyone who missed it, here's Beth's announcement:
Date: Fri, 13 Nov 1998 12:36:56 -0600 (CST)
From: engwig@uiuc.edu
Beth Engelbrecht-Wiggans will no longer be hostmgr@uiuc.edu. She will become
Network Designer. Hostmgr duties will be taken over by Heather Norton.
Heather comes to hostmgr from CCSO's Instructional Sites. Bruce Gletty,
Heather and Beth will do their best to make the transition as smooth
as possible.
It is especially important now for all your DNS requests to be sent to
hostmgr@uiuc.edu instead of engwig@uiuc.edu. Or better yet, to
use the web page for registering. Heather really would like you all to use
the web page whenever possible.
https://www-s1.cso.uiuc.edu/hostreg
In the near future we hope to install 3 new DNS machines. A few weeks
ago we installed a new machine for argus.cso.uiuc.edu. It is sooooo fast
compared to the old hardware! Reloads take less than a minute. Named uses
around 155 meg of memory in steady state, and uses approximately 10% of the
CPU. The old argus never got to steady state without crashing the service.
The upgrade plan is to have 4 machines providing DNS services for the U of I.
Two of the machines (argus-128.174.5.58 and cyclops2-128.174.5.102) provide
campus DNS services and 2 machines (dns1-128.174.5.103 and dns2-128.174.5.104)
provide DNS services to the outside world. We will tell you when to use the
new secondary address (128.174.5.102; its name may change to cyclops at that
time). We could not re-use the 128.174.36.256 address, because of logistical
problems - so in the fullness of time you all will need to replace
128.174.5.102 for 128.174.36.256 in your nameserver lists.
This new DNS configuration allows us to separate the load from the outside
world and campus. Machines outside of U of I that want to know about our
domains will be directed to dns1 and dns2. Our campus machines will still
point to argus and cyclops/2. These changes should provide us good DNS
service for several years.
* * *
6. Debbie Fligor recently announced support for AppleTalk over PPP:
Date: Wed, 30 Dec 1998 13:06:53 -0600
To: ccsp@postoffice.cso.uiuc.edu, macnet@life.uiuc.edu
From: debbie fligor
Subject: AppleTalk over PPP is alive and well
For those of you that were waiting for this, it slipped in quietly,
and hasn't had any real announcements. Since early 1998 AppleTalk
over PPP has been working on all of the CCSO terminal servers. There
are a number of packages out there for the Mac that will do AppleTalk
over PPP, and some of them are free. CCSO is not providing a site
license or support for any specific client product, so if you have
trouble getting a specific package to work, you'll need to get help
from the tech support of the software company.
For those of you running MacOS 8.x you can install Apple's ARA client
3.0, which will do AppleTalk over PPP just fine, as well as IP over
PPP (It's on the 8.5 CD for certain). If you've used OT/PPP in the
past, the configuration is the same for IP (ARA 3.0 replaces the
OT/PPP control panel with a "Remote Access" control panel that is
basically the same format, all other control panels stay the same).
Once you've got your IP up and working, all you need to do to add
AppleTalk is change the AppleTalk control Panel to "Remote Only"
_BEFORE_ you dial up. That's all. At least one late release of
OT/PPP said it was negotiating an AppleTalk address in the log, but
I never got it working. ARA 3.0 does work fine.
As I mentioned before, CCSO isn't providing software configuration
support for any specific product, so please don't call the NOC saying
"it doesn't work, please help me set it up". If you do have a problem
with AppleTalk over PPP and you are sure it isn't your software (i.e.
it was working fine yesterday but not today) please do let us know
(via the NOC), as it is a supported protocol on the terminal servers.
--
CCSO Network Administrator Support (NAS)
http://www-commeng.cso.uiuc.edu/nas/
admin-help@uiuc.edu