Contents:
1) IRIS Documentation
2) Firewalls on the Campus Internet Access links
3) Networking Resources Page
4) Networking Basics Class
* * *
1. IRIS Documentation
A reference guide for users of IRIS is now available online at http://www-commeng.cso.uiuc.edu/nas/iris/IRISreference.html. The page contains useful information on the various features and limitations of IRIS, and a link to Contact Manager.
* * *
2. Firewalls on the Campus Internet Access links
CCSO will be testing firewalls on the Campus Internet Access links. Why firewalls? CCSO does not currently run firewalls on campus exits. Firewalls in the traditional sense would not work on campus as there are just too many different network needs to create a "closed" firewall. Ours will run in "mostly open" mode, which means that they will allow nearly all network traffic to enter the campus network.
Our firewall administrator will decide what kinds of traffic are harmful to machines on campus. Port scans are one example, and systematic scans of every IP address on campus looking for a particular vulnerability are another. Administratively-blocked services such as Napster are a third. Also, sometimes we need to temporarily block all access to a specific machine on campus because it has been broken into and is performing a denial of service attack on a machine out on the Internet.
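As an added illustration (not CCSO's configuration or code), the Python sketch below tells apart the two scan patterns named above in inbound connection records and feeds the result into a default-allow policy that also supports temporarily blocking one campus machine. The campus prefix, thresholds, function names, and sample flows are all assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for this sketch; none of them come from the newsletter.
CAMPUS = ip_network("192.0.2.0/24")  # documentation prefix standing in for campus
PORT_SCAN_MIN_PORTS = 20             # distinct ports tried on one campus host
SWEEP_MIN_HOSTS = 50                 # distinct campus hosts tried on one port

def classify_sources(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port) connection attempts.
    Returns {src_ip: set of labels} for outside sources that look like scanners."""
    ports_per_target = defaultdict(set)  # (src, dst)  -> ports tried
    hosts_per_port = defaultdict(set)    # (src, port) -> campus hosts tried
    for src, dst, port in flows:
        if ip_address(dst) not in CAMPUS or ip_address(src) in CAMPUS:
            continue  # only traffic entering campus is judged by this sketch
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    verdicts = defaultdict(set)
    for (src, _dst), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            verdicts[src].add("port-scan")
    for (src, _port), hosts in hosts_per_port.items():
        if len(hosts) >= SWEEP_MIN_HOSTS:
            verdicts[src].add("address-sweep")
    return dict(verdicts)

def decide(src, dst, denied_sources, quarantined_hosts):
    """Mostly-open policy: allow by default, deny only the listed exceptions."""
    if src in denied_sources or src in quarantined_hosts or dst in quarantined_hosts:
        return "deny"
    return "allow"

def sample_flows():
    """Constructed sample traffic, not captured data."""
    flows = [("198.51.100.7", "192.0.2.10", p) for p in range(1, 41)]      # 40 ports, one host
    flows += [("203.0.113.9", f"192.0.2.{h}", 21) for h in range(1, 101)]  # one port, 100 hosts
    flows += [("198.51.100.50", "192.0.2.80", 80)] * 30                    # ordinary web client
    flows += [("192.0.2.5", "192.0.2.6", p) for p in range(1, 100)]        # internal only
    return flows

if __name__ == "__main__":
    verdicts = classify_sources(sample_flows())
    for src, labels in sorted(verdicts.items()):
        print(src, sorted(labels))
```

Repeated connections from one client to one service never trip either threshold, which is what lets a mostly-open policy leave ordinary traffic alone.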
Currently, we can do some of these things with router access control filters, but this has an impact on the performance of the routers, because usually the access control filters are executed in the software of the router's control processor, and not by the hardware packet forwarding chips. Also, not everything a firewall can protect against can be coded in a router access list.
It is important to note that the security of individual machines is still of concern, and administrators should not relax the security measures on their machines. Since the firewalls will be in an open configuration, they will not increase the security of individual machines placed in departments. The firewalls will not see any traffic that is entirely internal to the University.
We will have what will appear as one firewall, but actually it will be four of them, sharing the load of all traffic entering and leaving campus. The actual meting out of the load will be done by two Foundry load balancing switches. The Foundry switches will also detect if one of the firewalls fails, and redirect its load to the other three. This gives us very good redundancy and automatic failover. When placing the firewalls, we will ensure that whatever works before they go in will work the same after they are in place.
Timing for placement is dependent on the arrival of hardware. There will be unavoidable network disruption when they go in. The semester break is a good target time, since the insertion will be disruptive to connections to the outside world. We will keep you informed as work progresses, but please be careful before concluding that some problem or other is being caused by the new firewalls.
* * *
3. Networking Resources Page
A new URL that users working with a Macintosh network might find helpful is the Networking Resources page at http://www.apple.com/education/k12/networking/resources.html. The topics covered include AppleCare Professional Support, Networking and Internet Products, MacMgr.com, Apple Tech Info Library, etc.
* * *
4. Networking Basics Class on 02/16 in 1330 DCL
The first NAS training session for Spring 2001 will cover Networking Basics. The class will be held in room 1330 DCL, on Friday, February 16th, from 2pm to 5pm.
--
CCSO Network Administrator Support (NAS)
http://www-commeng.cso.uiuc.edu/nas/
Network Nuggets Archives
admin-help@uiuc.edu