Networking, an overview
Networking is responsible for the design and maintenance of the
college network and the system administration of
many of the host computers that reside on that
network. The network and systems are maintained in a state of
high reliability and security.
We maintain efficient means for users to interact with
these systems. This often requires installation or creation of new
software applications. It also involves many aspects of
instruction for end users and other staff members within LITS,
including application development questions.
Philosophical approach
Network and systems operations is guided by a philosophical orientation
that sees the network and its operation as a fundamental part
of the College environment, supporting not only the business
and academic aspects of the College, but also the co-curricular
life of the students, faculty, and staff.
The electronic life
of the community is seen as an extension of the physical life
and is normally governed by the same principles.
In our physical life, there are constraints on our behavior.
So it is in the electronic life. There are sometimes special
considerations for the electronic life, and many of these are
discussed in our
policy and acceptable use documents.
The network is a shared community resource. It is not an infinite
resource so unfettered use is not possible. As a shared medium,
the behavior of one individual should not adversely affect that of
other individuals.
Privacy of electronic behavior is important.
Safety, security, and the general operations of a community resource
must be balanced with privacy concerns.
Issues in networking
In network operations and management, there are a number of issues that
must be considered. Vigilance must be maintained as new issues may arise
at any time. Some of the major issues networking deals with:
- Bandwidth and excessive bandwidth users
- Viruses, worms
- Attacks on systems and intrusion detection
- Copyright infringement
- General electronic behavior problems
- Access to vs control of resources
- Peer to peer operations
- Access to the network
- Guest access to the network
- CALEA and cooperation with law enforcement
- Regulatory compliance
- Privacy and security
Network operations and management
- Accessing the network
Access to the network may be either a local physical or wireless
connection or a connection via the Internet. We no longer provide
modem connections.
Off-campus network connections may be restricted
for some services. For selected individuals with specific academic
or business requirements, we provide a VPN service or remote desktop
access software.
- Connecting to the network, physical or wireless
Computers attaching to the network should be up-to-date with their
operating system patches and should be running some form of anti-virus
software with the latest definitions. Anti-spyware software is
recommended. College owned computers are provided with such software.
All devices connecting to the network should be registered and a
responsible party identified. We do provide some exception for temporary
guest access, but the registration for these one-day registrations
is not authenticated in any way.
Personally owned computers of Mount Holyoke College faculty/staff/students,
running Windows or Macintosh OS on campus, should have McAfee
anti-virus software installed with the latest anti-virus definitions.
McAfee is also provided for faculty/staff home computers.
- Network Access control, registering and removal
- Registering for wide area network use
Computers need to be registered in order to obtain off-campus network
access. Computers owned by the College and provided to faculty and
staff are registered by computing staff.
A faculty or staff member can register a personally owned computer
via an authenticated web form.
There is no check to determine whether
the computer is up-to-date with operating system patches and
anti-virus software.
Student computer registration requires that the student run an
agent to verify that the computer is up-to-date with operating
system patches and College-supplied anti-virus software.
A guest may register for one to seven days. For greater than
one-day access an email address is required, but there is no
verification of that email address.
Guests with wireless computers may use a special network
called "MHC guest" which provides limited wide-area network
capability without authentication (web, ssh, ftp).
For details of the history of network access controls, see
Appendix B.
- Removal from the network -- quarantining
The network is a shared resource and a single machine on the network has
the capability of disrupting the operation of the network.
A computer that is misbehaving on the network may be restricted on the
network or removed from the network. Depending on the severity and
the impact of the problem, we might:
- Quarantine the computer to allow only on-campus services.
- Shut down the port to which the computer is connected.
- Prevent the MAC address from obtaining an IP number at all.
This method is normally used for guest computers for which
we do not have contact information.
We prefer the method of quarantine that allows the student to continue
to access on-campus resources. Being restricted from off-campus access
is sufficient to have the student get the problem fixed but also allows
the student to access on-campus resources for academic work.
- Monitoring the network
We use a number of tools and processes to monitor the network, graph its
usage on various network devices, and detect nefarious operations.
Data are collected from campus switches, routers, and various computers
on the network.
- Internet traffic bandwidth control
We consider network traffic outside of the Five College area to
be Internet traffic. There are direct costs for bandwidth
(megabits/second) each month for our Commodity Internet and
our Internet2 connections.
Over the years, the amount of bandwidth required by the campus community
has dramatically increased. (See Appendix A for
details.)
A large portion of the bandwidth is consumed by students and usage drops
dramatically during vacations. This is not surprising since students
make up the bulk of our users. We have learned that the student network
traffic can overwhelm the available bandwidth, adversely affecting the
College academic and business uses of the network.
We have employed three methods of bandwidth control:
- Bandwidth shaping basic rate limiting
The amount of total traffic for the range of IP numbers assigned
to students is capped
at a percentage of the total bandwidth.
- Bandwidth quotas
Individuals are given a maximum daily amount of traffic (such as 5 gigabytes).
Once that amount is reached, no more off-campus traffic is
permitted until midnight.
- Rate limiting bandwidth shaping by IP
Individual IP numbers in the student range are restricted to a
maximum number of megabits per second.
Using these methods, we have avoided the expensive purchase of a
bandwidth shaping appliance. See Appendix C
for historical details.
- The Internet, the Mount Holyoke community, and the world
- Determining when more network bandwidth is required
REVISE SECTION
There are two primary methods of determining when more network
bandwidth is needed.
- Wait until the network slows down sufficiently to
be noticed.
- Watch the bandwidth graphs routinely and watch
the capacity and trends.
The first method is unpleasant. Not only is one's own work
hindered by network responsiveness, but one has to field
complaints of many frustrated individuals while solutions
to the problem are developed. Unfortunately, this method can occur
when novel and unexpected network uses come into being, as
they did in 2000 with the rapid increase in music sharing.
The second method is clearly preferable.
When an increased level of bandwidth use is predicted,
rather than increase bandwidth, it is possible to decrease
the bandwidth requirements by managing the existing bandwidth.
We have accomplished this by various forms of bandwidth
shaping and rate limiting as described above.
Bandwidth use is monitored and graphed and these graphs
are routinely checked to evaluate trends and usage in
relation to overall capacity of the off-campus link
to the Internet.
Industry trends or trends based on anecdotal evidence
are also considered, such as the increase
in purchasing movies and TV shows that began to become
popular in 2007.
It is very desirable to avoid discovering the need
for more bandwidth by experiencing severe network degradation.
This occurred throughout the Five College area in 2000 with the
rapid growth in music sharing.
When graphs show the amount of traffic for a
significant portion of the day is at or approaching the maximum
amount of bandwidth
Other schools
have purchased expensive appliances which try to determine
network traffic by content and throttle traffic based on
content and decisions about the value of the traffic.
We have tried to avoid this kind of solution.
It is tempting to look at the co-curricular uses of the network and
assert that this is not part of the mission of the College.
It is easy to point out the many bad aspects of the Internet.
It is a waste of time; it can be a dangerous environment.
But students of today view the Internet as a significant part of life.
The network is as much a part of the student environment as
is her room, common areas, and other physical places she visits
on campus.
We therefore need to provide access and work to deal with the
downside risks.
Maintaining a robust and responsive network environment for
all individuals and the various network usages is important for
attracting and retaining high quality students and faculty.
That is essential to the primary mission of the College.
Appendix A
Internet Bandwidth changes
| Date | Connection speed | Remarks |
| --- | --- | --- |
| April 2008 | 45 Mb/s Internet2, 55 Mb/s Commodity Internet | Connected to 5-College fiber using Gigabit interface on new router. |
| April 25, 2007 | 45 Mb/s Internet2, 55 Mb/s Commodity Internet | Connected to 5-College fiber using 100 Mb/s switch connection. |
| November 2006 | 45 Mb/s Internet2, 30 Mb/s or 40 Mb/s Commodity Internet | There was a jump from 15 to 30 Mb/s and then to 40 Mb/s in this time period. |
| April 2004 | 45 Mb/s Internet2, 15 Mb/s Commodity Internet | Second DS3 installed; one DS3 for Internet2 and the other (partially used) for Commodity Internet. |
| October 8, 2002 | 15 Mb/s Commodity Internet, remainder of DS3 for Internet2 | Joined Internet2. |
| June 28, 2001 | 45 Mb/s to UMass, 10 Mb/s to Internet | Replaced two T1s with DS3. |
| January 2000 | 3 Mb/s | Installed second T1 (1.5 Mb/s each). |
| January 1997 | 1.5 Mb/s | Using full T1; Residence Halls have Ethernet. |
| May 11, 1991 | 500 kb/s | Joined Internet; using fractional (one third) T1. |
| May 1988 | 19.2 kb/s modem | 5-College DECNet; no direct wide area connection; email via BITNet through UMass. |
Appendix B
Registration and Network Access control, students
Since the inception of our residential network, we required students to register
their computers in order to obtain any off-campus network access. In 1996
we had 80 registrations. Usage has grown from there.
In September 2003 Microsoft Windows NT, 2000, and XP suffered serious infections
so severe that the infected computers disrupted network operations. We developed
local programs to check whether anti-virus was running and to run public-domain
programs to check a Windows computer for patch levels.
In September 2004, our network registration described to individuals how to run
the check programs to get their computers up-to-date. Participation was pretty
good, but not sufficient, and in September 2005 our network registration program
required our locally developed check agent for Windows computer registration.
Our virus problems plummeted in 2005. Enforcing computer patch levels and anti-virus
software usage for Windows computers was an incredible benefit that outweighed
any issue of individual freedom to run a computer that was at risk of infection.
In the spring of 2006 we decided to move to a commercial agent to check computers.
This change was motivated by the discontinuation of some of the public-domain
software on which our programs depended, the time it took to keep up with changes,
and our desire to check Macintosh computers as they became more popular.
Appendix C
Internet traffic bandwidth control
- Bandwidth shaping basic rate limiting
In October 2001 we implemented basic rate limiting
in our router. The limits were designed to cap
the residential hall usage so that College functions
(email, web, faculty/staff connections) would be
less impacted by student use.
This strategy worked well and we avoided the expensive
purchase of a bandwidth shaping appliance.
- Bandwidth quotas
Traffic monitoring of individual IP numbers showed that a
relatively few individuals were responsible for a large
proportion of the bandwidth usage.
In January 2004 we implemented a method of bandwidth
quotas by IP number that was fully automatic,
required no support, and involved almost no individual
interactions. It worked like this:
- Starting at midnight, the amount of traffic for
each IP number was accumulated and recorded
every 30 minutes.
- If more than 2.5 Gigabytes of off-campus traffic
had accumulated, a warning email was sent to the
student user explaining about bandwidth and that
the rate of usage was high.
- If more than 5.0 Gigabytes of off-campus traffic
had accumulated, the computer was quarantined
to campus use only and an email sent explaining this.
- At midnight, the counters were zeroed and any
quarantine lifted.
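The quota method summarised under "Bandwidth quotas" above and spelled out in the four steps here can be modelled as a small accumulator. The following Python is an added illustration written for this page, not the College's original scripts: it assumes decimal gigabytes, hypothetical student IP addresses, and a constructed day of 30-minute samples, and it returns the warn/quarantine/release actions rather than sending email or changing router ACLs.

```python
from collections import defaultdict
GB = 10 ** 9                      # page says "Gigabytes"; decimal GB assumed
WARN_BYTES = int(2.5 * GB)        # warning email sent once past this
QUARANTINE_BYTES = 5 * GB         # restricted to campus-only once past this

class QuotaTracker:
    """Per-IP off-campus byte counters, fed every 30 minutes.
    record_sample returns 'warn' the first time a host passes 2.5 GB,
    'quarantine' the first time it passes 5.0 GB, and None otherwise."""

    def __init__(self):
        self.totals = defaultdict(int)   # bytes since midnight, per IP
        self.warned = set()
        self.quarantined = set()

    def record_sample(self, ip, off_campus_bytes):
        self.totals[ip] += off_campus_bytes
        if ip in self.quarantined:
            return None                  # already restricted; nothing new
        if self.totals[ip] > QUARANTINE_BYTES:
            self.quarantined.add(ip)     # campus-only restriction + email
            return "quarantine"
        if self.totals[ip] > WARN_BYTES and ip not in self.warned:
            self.warned.add(ip)          # email: rate of usage is high
            return "warn"
        return None

    def midnight_reset(self):
        """Zero all counters and lift every quarantine; returns released IPs."""
        released = sorted(self.quarantined)
        self.totals.clear()
        self.warned.clear()
        self.quarantined.clear()
        return released

def simulate_day(samples):
    """samples: (ip, bytes) pairs in 30-minute order for one day.
    Returns the ordered (ip, action) events and the IPs released at midnight."""
    tracker, events = QuotaTracker(), []
    for ip, nbytes in samples:
        action = tracker.record_sample(ip, nbytes)
        if action:
            events.append((ip, action))
    return events, tracker.midnight_reset()

# Constructed sample day (hypothetical IPs): .5 crosses both thresholds, .6 only warns.
SAMPLES = [("10.0.0.5", 2 * GB), ("10.0.0.6", 1 * GB),
           ("10.0.0.5", 1 * GB), ("10.0.0.6", 2 * GB),
           ("10.0.0.5", 3 * GB), ("10.0.0.6", 1 * GB)]
```

A host that jumps past 5 GB in a single sample is quarantined without a separate warning, and a quarantined host generates no further events until the midnight reset.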
Because it was all automatic and very standard, it created
few complaints or questions. However, in 2006, we began
to hear a few complaints from students who were unable
to fully download purchased movies or TV shows.
We discontinued the bandwidth quarantine method in the
fall of 2007.
- Rate limiting bandwidth shaping by IP
By the fall semester of 2007, the majority of the traffic
was inbound. This was a shift from a few years prior where
most traffic was outbound, presumably music sharing.
In March 2008 we implemented per-IP bandwidth shaping
on the router. Rather than cutting someone off at a particular
total bandwidth, this method slows down the connection to
speeds comparable to what one might see on a home cable modem.