Enhanced ASU Internet Border Security - Version 2.0 - DHCP NAT


Summary: 

To this point, all installation work related to the DHCP NAT project has been completed on schedule. The project had been waiting for the completion of the Bio-Design Cisco firewall implementation; Bio-Design has put that project on hold. We will proceed with the DHCP NAT implementation at Bio-Design independently of it.

==================================================================================================================== 

Version 2.0: The work will begin by implementing a NAT translation pool at the ASU border to the Internet for the new buildings opening in summer 2008.

The scope will include all four ASU Campuses:  Tempe, West, Poly, Downtown.

 

Start Date: 
March 1, 2008
Go Live: 
April 22, 2009
End Date: 
May 29, 2009
Current Milestone: 
Post Implementation Review
Stage: 
Recently Released - Completed in last 3 months.
People
Sponsor/Champion: 
Adrian Sannier, Vice President and University Technology Officer
Project Manager: 
Sharan Johnson
Contact for more information: 
Sharan.Johnson@asu.edu
Associate VP University Technology: 
Bob Nelson
University Technology Director: 
Dave McKee
More Info
Source: 
Internal
Priority: 
Medium
Scope: 

The UTO Office of Information Security at Arizona State University (ASU) has reviewed the current network infrastructure and determined that enhancements are necessary. Enhancing the ASU Internet border security will position UTO to meet the current growth of the University and to reduce the cost of operation.

The "Enhancing ASU Border Security Project" will have four versions: 1.0 through 4.0. The implementation will be phased to minimize impact on the University community. A network outage announcement will be sent before changes are made.

Version 2.0: The second phase will begin by moving to a NAT (Network Address Translation) environment. All services that clients use outbound to the Internet will still be available.

Because NAT does not forward unsolicited inbound connections, unregistered services hosted on these networks (such as self-hosted web services, web hosting, peer-to-peer (P2P) file sharing and unauthorized wireless access points) will no longer be reachable from the Internet. There will be a mechanism for registering those systems that have a business need to host or provide Internet web services.

UTO will be implementing a stricter access policy at our border with the Internet. That means that UTO will NAT all IP (Internet Protocol) addresses in the following networks:

  1. Wireless Networks
  2. UTO Sites (University Technology Office Sites)
  3. ResNet (ASU Residence Halls)
  4. DHCP (Dynamic Host Configuration Protocol)

During this phase, the University will realize gains in these areas:

  • Reduced management requirements
  • Reduction of unauthorized web servers and services
  • Recovery of IP address resources

 

All Milestones and Schedule: 

Testing in Lab environment (Completed)

For New Buildings (Summer 2008)

  • ResLife - Vista Del Sol -- August 18, 2008  (Completed)
  • ResLife - Taylor Place Tower One -- August 8, 2008  (Completed)
  • Cronkite Channel 8 -- July 1, 2008  (Completed)
  • UPSI - University Public Schools Initiative -- August 1, 2008  (Completed)
  • ASU Polytechnic - Academic Complex -- June 16, 2008  (Completed)

For Wireless Networks:



Initiate NAT IP addressing for ASUW Wireless -- June 18, 2008  (Completed)

Initiate NAT IP addressing for Wireless, remaining ASU Campuses -- July 3, 2008  (Completed)



 
For Wired Networks:



Initiate NAT IP addressing for ResNet -- July 9, 2008  (Completed)

Initiate NAT IP addressing for DHCP ASU West Campus -- July 23, 2008   (Completed)

Initiate NAT IP addressing for DHCP Polytechnic Campus  -- July 30, 2008  (Completed)

Send communication to customer community -- September 30, 2008  (Completed)

Initiate NAT IP addressing for DHCP Downtown Phoenix Campus, SkySong, Research Park, Community Service Building -- October 15, 2008   (Completed)

Initiate NAT IP addressing for DHCP for buildings routed from the Computing Commons -- October 29, 2008   (Completed)

    • BOOKSTORE - ASU Bookstore

    • CPCOM - Computing Commons

    • ECA - Engineering Center A Wing

    • ECB - Engineering Center B Wing

    • ECD - Engineering Center D Wing

    • ISTB1 - Interdisciplinary Science & Technology Building I

    • LAW/LAWLIB - Armstrong Hall; Ross-Blakely Law Library

    • PEBE - Physical Education Building East

    • PEBW - Physical Education Building West

    • SRC - Student Recreation Complex

    • UASB - Undergraduate Academic Services



Initiate NAT IP addressing for DHCP for buildings routed from the Goldwater Building -- November 12, 2008  (Completed)



    • ECG - Engineering Center G Wing

    • ENGRE (ERC) - Engineering Research Center

    • GWC - Goldwater Center

    • ISTB2 - Interdisciplinary Science & Technology Building II

    • ISTB5 - Interdisciplinary Science & Technology Building V

    • NOBEL - Daniel E. Noble Science Library

    • PSA - George M. Bateman Physical Science Center A Wing

    • PSB - George M. Bateman Physical Science Center B Wing

    • PSC - George M. Bateman Physical Science Center C Wing

    • PSD - George M. Bateman Physical Science Center D Wing

    • PSE - George M. Bateman Physical Science Center E Wing

    • PSF - George M. Bateman Physical Science Center F Wing

    • PSH - George M. Bateman Physical Science Center H Wing

    • PSY - Psychology Building

    • PSYN - Psychology North

    • SCOB - John W. Schwada Classroom Office Building

    • SHS - Speech & Hearing Science Department



Initiate NAT IP addressing for DHCP for buildings routed from the Coor Hall Building -- December 3, 2008  (Completed)



    • AED - Architecture & Environmental Design Library

    • ART - Art Building

    • COOR - Lattie F. Coor Hall

    • ED - H. B. Farmer Education Building

    • EDB - I. D. Payne Hall

    • GHALL - Dixie Gammage Hall

    • MCENT - A. J. Matthews Center

    • MOUER - Mouer Building

    • MUSIC - Music Building

    • SSV - Student Services Building

    • STAUF - Stauffer Communication Arts

    • TOWER - Town Center

    • WILSN - Wilson Hall



Initiate NAT IP addressing for DHCP for buildings routed from the Old Main Building -- January 7, 2009 (Completed)



• CP - Central Plant

• BYENG - Brickyard

• FULTN - Fulton Center

• GGMA - Grady Gammage Memorial Auditorium

• GIOS - Global Institute of Sustainability (formerly the Nursing Building)

• ICA - Intercollegiate Athletics Building

• LL - G. Homer Durham Languages & Literature Building (Wings A - C)

• LSA - Life Sciences Center A Wing

• LSB - Life Sciences Center B Wing

• LSC - Life Sciences Center C Wing

• LSE - Life Sciences Center E Wing

• MAIN - Old Main

• SHESC (ANTHRO) - School of Human Evolution & Social Change (formerly Anthropology)

• SS - Social Sciences Building

• TOWERS - University Towers

• USB - University Services

• WFA - Wells Fargo Arena

Initiate NAT IP addressing for DHCP in off-campus locations -- March 11, 2009 (Completed)

  • Centerpoint
  • Grace Lutheran Church
  • Material Services Building
  • Tempe Towncentre
  • University Center (1130 East University
  • ResNet admin segments in Cholla, Manzanita, Palo Verde, San Pablo

 

Initiate NAT IP addressing for DHCP for buildings routed from the College of Business -- February 25, 2009 (Completed)

• Discovery Hall (formerly the Agricultural Building)

• BA - Business Administration

• BAC - Business Administration C Wing

• IRISH - Irish Hall

• LIB - Charles Trumbull Hayden Library

• MU - Memorial Union

• INTDSA/B - Interdisciplinary A & B

Re-base line Project -- (Completed)

Initiate NAT IP addressing for DHCP for Biodesign buildings A & B -- May 29, 2009 (Completed)

Implementation Version 2.0 Completion Date -- May 29, 2009 (Completed)

Post Implementation Review -- May 29, 2009

     

Deliverables: 

Version 2.0: The second phase will begin by moving to a NAT (Network Address Translation) environment. All services that clients use outbound to the Internet will still be available.

Because NAT does not forward unsolicited inbound connections, unregistered services hosted on these networks (such as self-hosted web services, web hosting, peer-to-peer (P2P) file sharing and unauthorized wireless access points) will no longer be reachable from the Internet. There will be a mechanism for registering those systems that have a business need to host or provide Internet web services. UTO will be implementing a stricter access policy at our border with the Internet.

That means that UTO will NAT all IP (Internet Protocol) addresses in the following networks:

  1. Wireless Networks
  2. UTO Sites (University Technology Office Sites)
  3. ResNet (ASU Residence Halls)
  4. DHCP (Dynamic Host Configuration Protocol)

During this phase, the University will realize gains in these areas:

  • Reduced management requirements
  • Reduction of unauthorized web servers and services
  • Recovery of IP address resources

 

Risk & Threats: 

Outstanding Issues:

Hosts that are dual-attached (multihomed) and routing between the ASU network and a private network need valid routes for the NAT address ranges in order to work correctly; otherwise return traffic to NATed clients may leave via the wrong interface.

Host-based firewalls on servers will need to allow access from the NAT pool addresses. After the change, connections from NATed clients will appear to come from the pool ranges below rather than from the client's original address, so allow rules keyed on individual client addresses or on the old public subnets will stop matching.

The networks that ASU is currently using for the NAT are listed below.

  • 10.140.0.0 through 10.143.255.255 (10.140.0.0/14) -- Wireless NAT
  • 10.200.0.0 through 10.223.255.255 (10.200.0.0/13 and 10.208.0.0/12) -- Wired NAT
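The two points above (host firewalls must admit the NAT pools, and the pools are given as address ranges rather than prefixes) are where server administrators most often get the rules wrong: the wired pool does not collapse to a single CIDR block. The following Python is an added example, not code from the project or the page; the two ranges are the ones listed above, while the function names, the sample addresses and the iptables rule format are assumptions made for illustration. It converts each range to its minimal set of prefixes, classifies a source address against the pools, and emits one ACCEPT rule per prefix for a given service port.

```python
"""Helpers for admitting ASU NAT pool sources in a host-based firewall.

The two address ranges are the pools listed on this page. Everything else
(function names, sample addresses, the iptables rule format) is an assumption
made for this example.
"""
import ipaddress
from typing import List, Optional

# Ranges from the page: "10.140.0.0 through 10.143.255.255 Wireless NAT",
# "10.200.0.0 through 10.223.255.255 Wired NAT".
NAT_POOLS = {
    "wireless": ("10.140.0.0", "10.143.255.255"),
    "wired": ("10.200.0.0", "10.223.255.255"),
}


def pool_prefixes(pool: str) -> List[ipaddress.IPv4Network]:
    """Return the minimal list of CIDR prefixes covering a pool's first/last range.

    A first/last range does not always collapse to one prefix: the wired pool
    (10.200.0.0 - 10.223.255.255) needs two, which matters for any ACL that
    only accepts CIDR notation.
    """
    first, last = NAT_POOLS[pool]
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def classify_source(ip: str) -> Optional[str]:
    """Name the NAT pool a source address belongs to, or None if it is not a NAT source."""
    addr = ipaddress.IPv4Address(ip)
    for pool in NAT_POOLS:
        if any(addr in net for net in pool_prefixes(pool)):
            return pool
    return None


def iptables_allow_rules(port: int, proto: str = "tcp") -> List[str]:
    """Build iptables INPUT rules admitting a service port from every NAT prefix.

    Assumed format: one ACCEPT rule per prefix, meant to sit ahead of a default
    DROP policy. Adapt to whatever host firewall is actually in use.
    """
    rules = []
    for pool in NAT_POOLS:
        for net in pool_prefixes(pool):
            rules.append(
                f"iptables -A INPUT -p {proto} -s {net.with_prefixlen} "
                f"--dport {port} -m comment --comment 'ASU {pool} NAT' -j ACCEPT")
    return rules


if __name__ == "__main__":
    for pool in NAT_POOLS:
        print(pool, [str(n) for n in pool_prefixes(pool)])
    # Constructed sample source addresses, not taken from any real log.
    for sample in ("10.141.7.20", "10.215.0.9", "10.199.255.255", "192.0.2.10"):
        print(sample, "->", classify_source(sample))
    print("\n".join(iptables_allow_rules(22)))
```

Running the block prints the wireless pool as the single prefix 10.140.0.0/14 and the wired pool as 10.200.0.0/13 plus 10.208.0.0/12, then three SSH allow rules; a rule written only for 10.200.0.0/13 would silently drop clients NATed out of 10.208.0.0 and above.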

NAT users who need Remote Desktop access to their on-campus machines will need to use a VPN, since inbound connections to a NATed host are not forwarded from the Internet. This service can be accessed with an ASURITE ID at http://sslvpn.asu.edu.

UTO Network Communications are the stewards of the IP address space at ASU. You can reserve RFC 1918 address space for a private, non-routed network by submitting a CRM request or via an email to netcomm@asu.edu.

 

Biodesign move to NAT delayed due to the firewall implementation project, currently scheduled for April 1 completion.

Resolved Issues:

Cedar Crestone - The VPN that they employ could not handle the ASU NAT solution. The issue was resolved with a routing change on June 3, 2008.

Issue with the SciQuest/Sunrise purchasing system and WebAuth. The issue was resolved with a patch to WebAuth on August 15, 2008.
