Computer Planning & Goals Distance Access Subcommittee

3-Year Plan

April 9, 2001

Value Statement:

NDSU constituents should be able to access all campus computing services for which they are authorized, at all times and from any place.

Plans:

1. Maintain the modem pool and continue to monitor modem pool use.

2. Develop authentication procedures (LDAP, Kerberos) so users have access to appropriate services on and off campus.

· Implement options such as Digital Certificates when they become practical

3. Explore alternatives to the modem pool

· Contracting with an ISP

· Dropping modem pool and letting people choose an ISP (Will increase NDSU Internet bandwidth requirements)

4. Explore possibility of developing local exchange (LXP)


Recommendation 1: Maintain operation of the modem pool for at least the next 3 academic years.

Justification 

In April of 2000, CPG recommended that the present modem pool and associated phone lines be maintained for at least three more academic years.  CPG also recommended that alternative means of providing appropriate access to NDSU computing resources be explored.  These recommendations were based upon the results of a survey of campus computer users completed in 1999.  There is no evidence to suggest that demand for access via the modem pool has diminished in the last year.  There are about 2,700 students in the residence halls; about 2,000 have computers with Ethernet connections.  If we assume that half of the off-campus student population (3,500-4,000) plus half of the 2,000 faculty and staff also want Internet access, we have a potential pool of 4,500-5,000 users of our modem pool.  We know that a number of the “power” users have purchased other dial-in lines, possibly because NDSU dial-in lines give busy signals every night.  We know that 2,910 unique individuals used NDSU dial-in during the first 3 days of April 2001.  The trend for power users to migrate away from the dial-in lines to higher-speed alternatives would tend to reduce the number of dial-in users over time, but the trend for more students to get computers and Internet connections will balance that somewhat.  Much of the increase in off-campus student Internet use will come from departments that have not been as Internet-intensive in the past, and a dial-in line will probably be fast enough for much of their web activity.  So for the next several years there will continue to be a demand for dial-in lines.

This recommendation addresses the following visions of the NDSU IT Visions (9th draft):  “Develop and maintain IT and an IT support environment that is secure, stable and reliable within a dynamic environment” and “Apply information technologies to remove circumstances and location barriers to academic participation, degree completion and student success.”


Recommendation 2: Develop authentication and authorization procedures for all NDSU constituents.

Justification

Off-campus users need to be able to access the campus computing services they are authorized for, and this requires authentication procedures. For example, the library purchases search and other services from external vendors; software support and update services are another example.  In the library's case, vendors found it much easier to administer access based on the IP numbers of a customer’s network than to rely on passwords, which must be tracked and updated regularly and can be abused if stolen.   This system is also more convenient for the clients, although it means that any machine on the campus network is granted access, whether or not the person using it is an authorized user.  However, if a user accesses an external resource while connected through a personal ISP, the IP number does not fall inside NDSU's network and access to the external resource is denied, even though the student or faculty member is an authorized user.  Our goal should be to use the same authentication method for off-campus users as for on-campus users.  Since Kerberos (for authentication) and LDAP (for the directory information that drives authorization) are the strategic methods we are implementing, they should be the methods used to authenticate and authorize off-campus users.

This recommendation addresses:  “Develop and maintain IT and an IT support environment that is secure, stable and reliable within a dynamic environment” and “Apply information technologies to remove circumstances and location barriers to academic participation, degree completion and student success.”


Recommendation 3: Decide between web proxy server and VPN.

Justification 

VPNs (Virtual Private Networks) and an authenticating web proxy server both address the authentication and authorization issue by presenting an NDSU IP number to the external service, even though the user's real IP number belongs to an ISP.  This means that the user’s packets must travel to NDSU before proceeding to the external service, and that the packets from the external service must come back to NDSU before returning to the user.  A VPN encapsulates the user’s packets inside other packets that are sent to NDSU rather than directly to the external service.  This is referred to as tunneling, and it is a general solution that applies to all IP traffic.   The VPN would require the user to authenticate before any traffic is routed through the tunnel, and because VPN products normally encrypt the tunnel, the user's traffic is also protected from observation on the path between the ISP and NDSU.

Alternatively, an authenticating web proxy requires that the user authenticate to the web proxy.  After that, it functions just like the caching web proxy that serves the campus computer clusters today.  When the user clicks on a link or enters a URL manually, the browser sends the HTTP request to the web proxy instead of directly to the site.  In the case of the caching web proxy that currently serves the clusters, the request is compared to the cache, and if the proxy already holds that URL it responds to the client without having to request the URL from the original site.  If the cache does not hold the URL, the proxy fetches the URL on behalf of the client and then forwards it to the client.   The function is the same for the authenticating proxy.  Note that the authenticating proxy works because the external site sees the request coming from the proxy, which has an NDSU IP address.  Because the user authenticates to the proxy across the ISP's network and the public Internet, the credentials must not cross that path in the clear; the proxy's authentication exchange needs the same protection as any other off-campus login.  The main drawback to an authenticating web proxy server is that it only serves web traffic.  But the trend is for most of the services that we purchase to be delivered over the web.

With a Digital Certificate based system an external user would be authenticated to a certificate authority (CA), which may or may not be located at NDSU, and issued a Digital Certificate.  The user's system would then present that Digital Certificate to the external service for access, which requires the external service to trust the CA that issued it.  Digital Certificates are a preferable solution because they don't require the network traffic of external users to be routed through NDSU.  However, the external services don't all support the Digital Certificate option yet.

An authenticating web proxy server only supports web traffic, but the way a user's web traffic is routed can be managed in an auto.pac (proxy auto-configuration) file that is read by the user’s browser.  For example, a statement in the auto.pac file could direct traffic for www.groliers.com to the authenticating web proxy at NDSU, while the user’s other traffic goes directly to the external sites.  Because the browser executes the auto.pac file to decide where every request goes, the file must be served from an NDSU server the browser can trust; a tampered file could send a user's traffic through a hostile proxy.
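An auto.pac file of the kind described above, written as an added example rather than taken from NDSU's configuration. A PAC file is a small piece of JavaScript; the browser calls FindProxyForURL(url, host) for each request and sends the request wherever the returned string says. The proxy name and port, and the list of proxied domains beyond www.groliers.com, are assumptions.

```javascript
// Added example, not NDSU's actual auto.pac: route only the licensed vendor
// sites through the authenticating proxy and let everything else go direct.

// Assumed name and port of the authenticating proxy (not from the plan).
var NDSU_AUTH_PROXY = "PROXY authproxy.ndsu.nodak.edu:8080";

// Vendor sites licensed by NDSU IP number. Constructed list; www.groliers.com
// is the example the plan uses. Suffixes start with a dot so that an
// unrelated name such as notgroliers.com is not matched by accident.
var PROXIED_HOSTS = ["www.groliers.com"];
var PROXIED_SUFFIXES = [".groliers.com"];

// True if host is one of the listed names or ends with a listed suffix.
// Plain string operations only, so the function runs in a browser's PAC
// interpreter (which lacks modern string methods) and under Node for testing.
function hostIsProxied(host) {
  host = host.toLowerCase();
  var i;
  for (i = 0; i < PROXIED_HOSTS.length; i++) {
    if (host === PROXIED_HOSTS[i]) return true;
  }
  for (i = 0; i < PROXIED_SUFFIXES.length; i++) {
    var suffix = PROXIED_SUFFIXES[i];
    if (host.length > suffix.length &&
        host.substr(host.length - suffix.length) === suffix) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
// Returns "PROXY host:port" to send the request via the proxy, "DIRECT" otherwise.
function FindProxyForURL(url, host) {
  if (hostIsProxied(host)) return NDSU_AUTH_PROXY;
  return "DIRECT";
}
```

The proxied hosts are deliberately given no "; DIRECT" fallback: if the proxy is down, a direct request would arrive at the vendor from the ISP address and be refused anyway, so a fallback would only hide proxy outages from the people who need to fix them.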

A VPN is a more general solution but would probably cost more than an authenticating web proxy.  A separate piece of network hardware would have to be purchased and located at NDSU, or VPN software would have to be purchased and installed on a router at NDSU, whereas an authenticating web proxy could probably be implemented on a PC running Linux.  A VPN client might also have to be purchased and installed by external users.  In addition, the routing for the VPN would most likely be managed at the IP level rather than at the DNS name level.  For example, to configure the VPN to route traffic for Grolier's through NDSU, a file on the VPN equipment at NDSU would need a line with the IP network number 132.174.1.0 and the netmask for that network.  Some work would be required to determine the correct netmask, and many services would have more than one network listed, either for network redundancy or for network efficiency.  Also, if an external service decided to switch its Internet Service Provider, its network number would probably change, which would require a change to the file on the VPN equipment.

This recommendation addresses:  “Develop and maintain IT and an IT support environment that is secure, stable and reliable within a dynamic environment” and “Apply information technologies to remove circumstances and location barriers to academic participation, degree completion and student success.”