Restricted/Limited Access Network project meeting

Monday, June 24, 2013; 3:00 p.m.; AISB-208

Invited

Phil Benchoff, Jacob Dawson, Marc DeBonis, William Dougherty, Brian Jones, Ron Keller, Jeff Kidd, Philip Kobezak, Greg Kroll, Steve Lee, Randy Marchany, Christine Morrison, Rich Sparrow, Lucas Sullivan

Agenda

  1. Review action items and comments from 20130513 - May 13, 2013 RLAN Project Status Meeting
  2. Overview of CSDI pilot and discussion of how it "fits" with RLAN processes being implemented (Marc)
  3. Status of outstanding RLAN connections/orders
  4. Do we know the correct ports for the RLAN users in the ISB and have they already been enabled?
  5. Is there a timeline for getting the RLAN VPN up? (see Jacob's comment below)
  6. Is there a way we can verify the number of hosts talking on the RLAN VLAN (tagging packets) in the student services building? Is that something that we can request an update of every so often? The purpose would be to track the number of fully online RLAN hosts.
  7. Can the ITSO get read-only access or can a copy of any ASA whitelist changes be sent somewhere? (see Steve's comment below) (It would probably be appropriate for Iron to show the current rule entries via a query eventually.)
  8. Tasks/Activities that need to be completed by July 2013 in order to end phase I of this RLAN project
  9. Discuss plans/milestones for phase II of RLAN project
  10. Open Forum

Attended

Jacob Dawson, Marc DeBonis, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Steve Lee, Randy Marchany, Rich Sparrow, Lucas Sullivan

Meeting Notes

  1. Review action items and comments from 20130513 - May 13, 2013 RLAN Project Status Meeting
    1. Action item: Greg will add this [end user support] to the agenda for the Communications and Collaboration Steering Committee meeting on 5/21/2013.
      1. Brian spoke to William about support plans for RLAN users. It was decided that support would follow current business processes. Users that call in with problems during normal business hours (8am-5pm, M-F) will be treated as any other user with network problems. Non-normal business hours calls, unless urgent or from university executive offices, will be told someone will get back to them during normal business hours.
    2. Action item: Rich thought that by tomorrow (5/14/2013) or the next day dates should be set [for Registrar office RLAN connections] and he will work with Ron and O&P to get the orders completed.
      1. Done. Unfortunately Registrar's office schedule is preventing their use of the RLAN.
    3. Action item: Rich will contact Marc and discuss the CSDI pilot and it's relationship to the RLAN pilot. Greg will invite Marc to the next RLAN meeting to give an overview of how the CSDI pilot works and how it corresponds or fits with the RLAN processes being implemented.
      1. Done.
  2. Overview of CSDI pilot and discussion of how it "fits" with RLAN processes being implemented (Marc)
    1. Cyber Security Desktop Initiative (CSDI) uses Secure Socket Tunneling Protocol (SSTP) connections
    2. Clients are IP-Sec'd to DNS, etc.
    3. Clients Virtual Machine (VM) is destroyed each time they logout. Everything from that session is saved to a Storage Area Network (SAN).
    4. Users can still get out to the Internet.
    5. CSDI uses blacklists on a Microsoft Threat Management Gateway (TMG)
    6. John Krallman has asked for a business case write-up in order to cost this service to customers.
    7. Currently no one is using this service in a production environment. There are a few selected individuals in a few departments testing it.
    8. Marc diagrammed the pieces and interactions between the hardware used in the pilot.
    9. CSDI does have an ethernet connection to the RLAN available to it in the machine room.
  3. Status of outstanding RLAN connections/orders
    1. All 106 pilot RLAN connections are installed, except for AISB see below.
  4. Do we know the correct ports for the RLAN users in the ISB and have they already been enabled?
    1. Not completed because the RLAN order was written using current ports which are being used for UC phones. So either UC phones need to be moved or users need another ethernet port.
    2. ITSO said they approve the AISB RLAN connections.
    3. Vivian needs to identify new ports to use. Action item: Rich will contact Vivian to resolve.
  5. Is there a timeline for getting the RLAN VPN up? (see Jacob's comment below)
    1. See comment
    2. The ITSO is OK with using the current VPN authentication mechanism for the RLAN.
    3. For now (pilot) users will have to login to the RLAN VPN to get assigned an IP address from a dedicated pool of addresses.
    4. Will have to tweak the ASA to allow a user to login to the regular campus VPN and get authorized to get to RLAN that way.
  6. Is there a way we can verify the number of hosts talking on the RLAN VLAN (tagging packets) in the student services building? Is that something that we can request an update of every so often? The purpose would be to track the number of fully online RLAN hosts.
    1. Not discussed
  7. Can the ITSO get read-only access or can a copy of any ASA whitelist changes be sent somewhere? (see Steve's comment below) (It would probably be appropriate for Iron to show the current rule entries via a query eventually.)
    1. See comment
    2. Change control must be maintained
  8. Tasks/Activities that need to be completed by July 2013 in order to end phase I of this RLAN project
  9. Discuss plans/milestones for phase II of RLAN project
    1. Action item: Greg will send email regarding these last 2 agenda items rather than wait 2 weeks to discuss.
  • No labels

1 Comment

  1. Greg Kroll

    Jun 21, 2013

    Email responses regarding questions 4-7 in agenda:

    From: Jacob M. Dawson dawson@vt.edu
    Sent: Monday, June 10, 2013 5:07 PM
    To: Lee, Steven
    Cc: Kobezak, Philip; Keller, Ronald; Jones, Brian; Marchany, Randolph; Sparrow, Rich; Kroll, Greg
    Subject: Re: RLAN - general questions

    We also need to deal with the question of authorization and authentication of the VPN Service. I can hack together a solution for the one user fairly quickly, using PID/pass and a cheesy authorization scheme, but we need something manageable for the long term, and we need to decide what credentials we should use. I'm in favor of PID/Pass because all users have those credentials and it's easy to get that out of LDAP, plus, with what they're looking at doing with the directory, moving forward, we could potentially access LDAP directly from the VPN server instead of running it through RADIUS first. In the mean time, it's still easy to have RADIUS do an SQL lookup and authenticate with ED-Auth, but we need to populate that DB somehow. That's a ITSO-NIS developer conversation that needs to happen and will require some work from the aforementioned devs. I believe Morgan would be the best person to start talking to about that.

    - Jacob

    On Jun 10, 2013, at 16:21 , "Dawson, Jacob" <dawson@vt.edu> wrote:

    I have requested addressing for the RLAN VPN out of the 172.26.0.0/16 RLAN allocation. Once addressing is available, we can configure an RLAN service on the VPN.

    - Jacob

    On Jun 10, 2013, at 16:21 , "Lee, Steven" <stlee@vt.edu> wrote:

    RLAN VPN timeline - punting to Jacob

    ASA whitelist changes? – Change requests come from ITSO, so I'm not sure what your asking for since you already have the information.

    steve

    From: <Marchany>, Randolph <marchany@vt.edu>
    Date: Monday, June 10, 2013 3:45 PM
    To: "Kobezak, Philip" <pkobezak@vt.edu>
    Cc: "Keller, Ronald" <rkeller@vt.edu>, Steven Lee <bjones@vt.edu>, Steven Lee <stlee@vt.edu>, "Marchany, Randolph" <marchany@exchange.vt.edu>, "Sparrow, Rich" <rsparrow@vt.edu>, "Kroll, Greg" <usdgk@vt.edu>
    Subject: Re: RLAN - general questions

    All, we need answers to Philip's questions ASAP since 7/1 is fast approaching. A quick reply is greatly appreciated.
    -r.
    On Mon, Jun 10, 2013 at 3:27 PM, Kobezak, Philip <pkobezak@vt.edu> wrote:

    Since we’re not having a meeting, I thought I would ask a few questions via email:

    Do we know the correct ports for the users in the ISB and have they already been enabled?

    Is there a timeline for getting the RLAN VPN up? Financial Aid has at least one employee with a work at home arrangement and might need that.

    Is there a way we can verify the number of hosts talking on the RLAN VLAN (tagging packets) in the student services building? Is that something that we can request an update of every so often? The purpose would be to track the number of fully online RLAN hosts.

    Can the ITSO get read-only access or can a copy of any ASA whitelist changes be sent somewhere? It would probably be appropriate for Iron to show the current rule entries via a query eventually.

    Thanks,
    Philip