Network Operations and management
Networking, an overview
Networking is responsible for the design and maintenance of the
College network and the system administration of
many of the host computers that reside on that
network. The network and systems are maintained in a state of
high reliability and security.
We maintain efficient means for users to interact with
these systems. This often requires installation or creation of new
software applications. It also involves many aspects of
instruction for end users and other staff members within LITS,
including application development questions.
Network and systems operations is guided by a philosophical orientation
that sees the network and its operation as a fundamental part
of the College environment, supporting not only the business
and academic aspects of the College, but also the co-curricular
life of the students, faculty, and staff.
The electronic life
of the community is seen as an extension of the physical life
and is normally governed by the same principles.
In our physical life, there are constraints of our behaviors.
So it is in the electronic life. There are sometimes special
considerations for the electronic life, and many of these are
discussed in our
policy and acceptable use documents.
The network is a shared community resource. It is not an infinite
resource so unfettered use is not possible. As a shared medium,
the behavior of one individual should not adversely affect that of
Privacy of electronic behavior is important.
Safety, security, and the general operations of a community resource
must be balanced with privacy concerns.
Accessing the network
Access to the network may be either a local physical or wireless
connection or a connection via the Internet. We no longer provide
Off-campus network connections may be restricted
for some services. For selected individuals with specific academic
or business requirements, we provide a VPN service or remote desktop
Connecting to the network, wired or wireless
Computers attaching to the network should be up-to-date with their
operating system patches and should be running some form of anti-virus
software with the latest definitions.
College owned computers and student registered
computers must be running the College-provided anti-virus software.
Anti-spyware software is recommended.
All devices connecting to the network should be registered and a
responsible party identified. We do provide some exception for temporary
guest access, but the registration for these one-day registrations
is not authenticated in any way.
Personally owned computers of Mount Holyoke College faculty/staff/students,
running Windows or Macintosh OS on campus, should have McAfee
anti-virus software installed with the latest anti-virus definitions.
McAfee is also provided for faculty/staff home computers.
Network Access control, registering and removal
- Registering for wide area network use
Computers need to be registered in order to obtain off-campus network
access. Computers owned by the College and provided to faculty and
staff are registered by computing staff.
A faculty or staff member can register a personally owned computer
via an authenticated web form.
There is no check to determine if
the computer is up-to-date with operating system patches and
Student computer registration requires that the student run an
agent to verify that the computer is up-to-date with operating
system patches and College-supplied anti-virus software.
A guest may register for one to seven days. For greater than
one-day access an email address is required, but there is no
verification of that email address.
Guests with wireless computers may use a special network
called "MHC guest" which provides limited wide-area network
capability without authentication (web, ssh, ftp).
For details of the history of network access controls, see
- Removal from the network -- quarantining
The network is a shared resource and a single machine on the network has
the capability of disrupting the operation of the network.
A computer that is misbehaving on the network may be restricted on the
network or removed from the network. Depending on the severity and
the impact of the problem, we might:
We prefer the method of quarantine that allows the student to continue
to access on-campus resources. Being restricted from off-campus access
is sufficient to have the student get the problem fixed but also allows
the student to access on-campus resources for academic work.
- Quarantine the computer to allow only on-campus services.
- Shut down the port to which the computer is connected.
- Prevent the MAC address from obtaining an IP number at all.
This method is normally used for guest computers for which
we do not have contact information.
Monitoring the network
We use a number of tools and processes to monitor the network, graph its
usage on various network devices, and detect nefarious operations.
Data are collected from campus switches, routers, and various computers
on the network.
Internet traffic bandwidth control
We consider network traffic outside of the Five College area to
be Internet traffic. There are direct costs for bandwidth
(megabits/second) each month for our Commodity Internet and
our Internet2 connections.
Over the years, the amount of bandwidth required by the campus community
has dramatically increased. (See Appendix A for
A large portion of the bandwidth is consumed by students and usage drops
dramatically during vacations. This is not surprising since students
make up the bulk of our users. We have learned that the student network
traffic can overwhelm the available bandwidth, adversely affecting the
College academic and business uses of the network.
We have employed three methods of bandwidth control:
Bandwidth shaping basic rate limiting
The amount of total traffic for the range of IP numbers assigned
to students is capped
at a percentage of the total bandwidth.
Rate limiting bandwidth shaping by IP
Individual IP numbers in the student range are restricted to a
maximum number of megabits per second.
Using these methods, we have avoided the expensive purchase of a
bandwidth shaping appliance. See Appendix C
for historical details.
The Internet, the Mount Holyoke community, and the world
Determining when more network bandwidth is required
There are two primary methods of determining when more network
bandwidth is needed.
- Wait until the network slows down sufficiently to
- Watch the bandwidth graphs routinely and watch
the capacity and trends.
The first method is unpleasant. Not only is one's own work
hindered by network responsiveness, but one has to field
complaints of many frustrated individuals while solutions
to the problem are developed. Unfortunately, this method can occur
when novel and unexpected network uses come into being, as
they did in 2000 with the rapid increase in music sharing.
The second method is clearly preferable.
When an increased level bandwidth is predicted,
rather than increase bandwidth, it is possible to decrease
the bandwidth requirements by managing the existing bandwidth.
We have accomplished this by various forms of bandwidth
shaping and rate limiting as described above.
Bandwidth use is monitored and graphed and these graphs
are routinely checked to evaluate trends and usage in
relation to overall capacity of the off-campus link
to the Internet.
Industry trends or trends based on anecdotal evidence
are also considered, such as the increase
in purchasing movies and TV shows that began to become
popular in 2007.
It is very desireable to avoid discovering the need
for more bandwidth by experiencing severe network degredation.
This occurred throughout the Five College area in 2000 with the
rapid growth in music sharing.
When graphs show the amount of traffic for a
significant portion of the day is at or approaching the maximum
amount of bandwidth