|
Home > LITS > About LITS > LITS Annual Reports > Annual Report 2003-04 > Networking
Networking
LITS Annual Report 2003-2004
Networking, an overview
Networking is responsible for the design and maintenance of the college network and the system administration of many of the host computers that reside on that network. The network and systems are maintained in a state of high reliability and security. We maintain efficient means for users to interact with these systems. This often requires installation or creation of new software applications. It also involves many aspects of instruction for end users and other staff members within LITS, including application development questions.
Summer 2003
Webmail and computer system upgrades
Webmail had been very successful the previous year. Success often begets problems in computing as systems strain to keep up with the new load. The main communications computer system called MHC (mhc.mtholyoke.edu) was slowing down to uncomfortable levels and our hypothesis was that it was the result of running Horde's IMP Webmail program on that system.
Until 2003, we had planned on upgrading both MHC and AMBR with the last round of Alpha computers. HP had announced that the Alphas would be manufactured into 2006 after which they would be on maintenance mode for some number of years. The impetus for upgrading was not because of overall system performance, but was for the need to increase disk space and have multiple Gigabit Ethernet interfaces. (They currently are 100 Mbps interfaces.)
The load levels in the Spring of 2003 on MHC were unexpected and suggested that a faster system would be advised. However, we decided instead to begin moving functions off of MHC, such as the web serving of IMP and Webshell, onto Linux-based servers which can be outfitted for a fraction of the cost. Maintenance is done by having redundant systems rather than by paying a company to be ready to fix a system.
The other options besides Linux included HP and SUN. We have experience with HP, but they are very expensive and seem to have more problems with some of the open source applications we rely on than other systems. We have no experience with SUNs and they run a version of UNIX that is more like HP and less like Digital UNIX, so there would be more conversion issues. Our experience with Linux has been very good for many of the ancillary UNIX services, such as our Web server, course management server (WebCT), course catalog, and Usenet news server.
Moving Horde's IMP and Webshell to a Linux system has worked very well. The Linux system has also proven up to the task of working in a heavily loaded production environment. Based on our work with these systems, we have a roadmap of converting the Digital UNIX systems to Linux systems over the 2004/2005 academic year. The conversion will occur a little before the expiration of the 5-year maintenance on the Digital UNIX systems.
Webshell IP registration
The popularity of desktop-based email programs (e.g., Netscape or Mozilla mail, Outlook, etc.) and Webmail (IMP) had been decreasing the number of people who were initially logging into MHC. The IP registration for students who were connecting computers in the residence halls was often the only reason the student needed to log into MHC and more and more often there were support questions because students no longer understood the concept of a menu-driven program. A Web-based interface was needed.
There are a several web-based network registration systems freely available. I talked in detail with the UNIX system manager at Smith College about the one they were using and we already had a number of the conditions in place for a successful Web-based NetReg program.
In the typical NetReg scenario, the unregistered computer can only get to a registration page. Our strategy has always been to allow the unregistered computer to have full network access on campus but be blocked from off-campus access.
Because we had put Horde's IMP and Webshell on a very powerful Linux system, we were able to encorporate an authenticated and automatic network registration system that worked very similarly to the manual one we had previously used at the login shell prompt. Linux has some very powerful IP filtering mechanisms that allowed us to invent a mechanism whereby off-campus web requests were vectored to a network registration Web page, but on-campus network access was not affected.
We got the entire system working the week before students arrived back. The first day that the major use of the system occurred, it broke. Systems under load can look quite different from when there is little load. We were able to fix the problem within an hour and things worked very well from then on.
The students saw two major improvements. First it was easier to follow as a web-based application. We had very few support calls relative to the shell login based program. Second, the registration effect occurred within 5 minutes. Previously the registration request was submitted and it was processed manually. We did them quickly at the beginning of the year, but there had still been a wait. Finishing the process almost before one was able to reboot the computer system was a great advantage.
This system also set the stage for coping with the next crisis.
Fall 2003
The student arrival in September means that Networking becomes heavily involved with:
•Answering questions from students and colleagues.
•Helping configure machines that do not network properly. •Making house calls to fix bad data ports which often are not bad.
•Dealing with a variety of user issues related to networking for faculty and staff as well as students as the load on all the systems jumps.
Insecure Windows and the Nachi virus
September 2003 had a very nasty surprise. A vulnerability in the Windows 2000 and Windows XP operating systems allowed intruders to gain access to machines that were plugged into the network.
The Nachi virus did not require any intervention by the user of the system to infect a computer. All that was required was that the computer was not patched with the fixes that Microsoft was providing. Most machines were not patched; most machines became infected.
The Nachi virus shut down many networks at many institutions and businesses. We saw a number of problems, but it did not shut us down. The largest problems were:
•False "bad resnet dataport" complaints because often the initial startup of the computer would fail to connect to the network.
•The environmental controls used by Facilities (including street lamp control) failed to work reliably.
We encorporated virus scanning and computer system quarantining into our network registration system.
We also created programs that students could run to patch their computers and to harden their computers against other attacks. These things allowed us to specifically warn people about the status of their computer system (patched or not, infected or not) and to partially isolate infected computers. It was a lot of work but we were able to get a handle on the situation without it destroying the network.
Just as we were getting a good handle on the vulnerable computers, Microsoft announced that the first set of fixes were inadequate and there was another vulnerability which needed to be patched. Things started all over again.
All told, for at least the first six weeks of the semester, the primary focus of Networking and TSR was computer security, which involved system scanning, virus tracking, and operating system upgrades or replacements.
The network registration system proved to be a multiple benefit, and without it, we could not have responded as well to the virus problem as we did.
We learned was that the high level of network broadcasts seemed to cause a higher rate of problem for those computers that were attached to the older network electronics. Often these machines would fail to obtain their IP number and we were plagued with false reports of bad dataports. Because these reports occurred with much higher frequence on the older electronics, we accelerated our planned efforts to upgrade the network electronics over the next few semesters to upgrading all during the fall semester.
Resnet connections
In 2002, by Friday September 13, 78% of the resident students had gotten on the network and registered their computers. This was a number that we did not reach in 2001 until November. By October, that number was 87% of the residents, and it edged up to a bit more than 90% by the end of the calendar year.
This pattern repeated in 2003. By Friday September 12, 2003, 83% had registered, and by October, 88% had registered. By December, 92% of the residence hall students had registered a computer.
Thus the rate of registration was not greatly increased by the network registration system, but the support calls related to the older shell ip-request program were avoided. Things may have gone better without the tremendous virus problem.
From 1995 though the class of 2006, we surveyed every new student. In 2003 (class 2007) we changed the method of handing out accounts so could not survey them. However, similar data could be obtained from the computer registration data. The details of the data may be found elsewhere. Beginning with '07, the numbers are based on the December registration data. This may account for the jump in percentage.
| Class |
1999 |
2000 |
2001 |
2002 |
2003 |
2004 |
2005 |
2006 |
2007 |
| % with computer |
48 |
50 |
57 |
68 |
74 |
79 |
84 |
89 |
95 |
Spring 2004
Network electronics replaced
In preparation for more virus problems, in January we replaced all the older (1997/1998) network electronics with Cisco 2950 switches. While this change solved some problems, it introduced some others due to the more complex configuration of the electronics. With the help of UMass technicians, we were able to sort out those issues.
Spring infection, Sasser worm/virus
The Spring semester began with another Microsoft system vulnerability and massive infections. The major virus had the nice feature of causing the machine to shut down, so it got the attention of the owner of the machine right away. Given our earlier experiences, we were able to contain this one more quickly than in the Fale.
Spam and virus filtering and tagging Spamassassin/MimeDefang is an open source product that is commonly used to filter to tag spam and in other ways get better control of an email system.
We put this in place in Feb 2004 primarily to stop the virus. We also began to tag messages with a "spam score" to allow individuals to use the filtering capability in a number of desktop email clients to get a handle on spam.
Another open source program that fit with this system was ClamAV which can block email with virus attachments. Since August 2001 we have appended "-VirusRisk" to attachment names that are Windows executable programs. This has reduced email as a virus vector by making it difficult for someone to open such an attachment and run it.
ClamAV is able to identify attachments as having a virus and block them.
The ClamAV filtering is extremely good. During the school year, there were about 3000 blocked virus messages per day. In addition, there were about 30 messages per day that were not identified but which might have been viruses and which had "-VirusRisk" appended.
Webadvisor in production
This ISIS Webadvisor application, authenticating using LDAP, went into production use. This was used for student review of courses in this phase.
System usage data
The web-based email client, IMP, continues to grow in popularity, as does other desktop email clients using IMAP. The long-predicted decrease in number of interactive logins to MHC from residence halls finally occurred. It is interesting to note, however, that as the 2003/2004 academic year progressed, the number of interactive logins from the dorms did show a bit of an increase in spite of the overall increases in IMAP and IMP connections.
| |
Different Users |
Different Users |
Different Users |
|
Logging in |
Desktop Mail |
IMP |
| TOTAL |
DORM |
IMAP |
POP |
TOTAL |
|
| Nov 01 |
3827 |
1672 |
601 |
340 |
917 |
|
| Dec 01 |
3757 |
1634 |
600 |
350 |
923 |
|
| Mar 02 |
3901 |
1713 |
617 |
348 |
941 |
71 |
| Apr 02 |
3746 |
1705 |
625 |
340 |
934 |
53 |
| May 02 |
3874 |
1714 |
611 |
334 |
920 |
98 |
| Nov 02 |
4015 |
1902 |
716 |
295 |
983 |
924 |
| Dec 02 |
3968 |
1810 |
713 |
289 |
974 |
1211 |
| Mar 03 |
3927 |
1838 |
716 |
289 |
978 |
1362 |
| Apr 03 |
3897 |
1865 |
718 |
286 |
977 |
1320 |
| May 03 |
3899 |
1823 |
711 |
286 |
966 |
1630 |
| Nov 04 |
3863 |
647 |
855 |
237 |
1062 |
2559 |
| Dec 04 |
3810 |
640 |
860 |
232 |
1065 |
2631 |
| Mar 04 |
3793 |
731 |
921 |
211 |
1103 |
2914 |
| Apr 04 |
3724 |
753 |
904 |
213 |
1081 |
2844 |
| May 04 |
3670 |
681 |
921 |
203 |
1093 |
3070 |
The number of machines for which there were Copyright Infringement Notices decreased from the previous year.
| |
Sep |
Oct |
Nov |
Dec |
Jan |
Feb |
Mar |
Apr |
May |
Jun |
Jly |
TOTAL |
| 2002/03 |
1 |
1 |
5 |
4 |
4 |
10 |
10 |
34 |
1 |
0 |
0 |
72 |
| 2003/04 |
4 |
7 |
4 |
2 |
2 |
2 |
9 |
10 |
11 |
0 |
3 |
55 |
Internet2 and connectivity
In April 2004, the second DS3 for Internet2 was installed. Because of the risk of disrupting traffic flow, we delayed the actual change in the router hardware and configuration until right after finals in June 2004.
General
During this tumultuous year, there were a number of other tasks that had progress or were accomplished.
•The Five College Fiber Optic project is continuing well. Fiber was purchased, contracts were signed, and the process of permitting was started.
•A Blackberry BES and Exchange server were set up but it was concluded that the general level of support would too high for the limited use that was expected. This topic may be revisited in the future.
•A number of system upgrades occurred. SAM, the statistical analysis machine, was upgraded from a 1994 Ultrix system to a modern Linux system running SAS, primarily for Economics. TAP, a system used for network monitoring and intrusion detection, was upgraded.
•A system with disks dedicated to backing up other systems was installed (STOW).
•Fiber was installed in 15 Woodbridge for future network connectivity in the cultural house.
•D-Space experimentation indicated that this was not yet ready for production use.
|
