Network Infrastructure

This page sketches a broad overview of services that will be available on the CAL network, and how they will be provided.

Physical Network

The physical network will be gigabit ethernet over copper run through several floors of Pupin Hall?. Please see Physical Infrastructure for more details.

User Directory

Users of the CAL network will be indicated by being listed in the fully-replicated CAL LDAP Domain, provided by a pair of machines running OpenLDAP servers.

User Authentication

Users and machines in the CAL network will be able to authenticate to each other using MIT kerberos, version 5. This authentication database will also be fully replicated across two machines.

Network Trust

The CAL network will run its own X.509 Certificate Authority, which can be used to provide a reasonable level of security for services which are TLS or SSL aware. At the moment, the plan is to use this certificate authority primarily to certify machines or services. However, it can be expanded to provide authentication for end users as well (providing S/MIME encrypted e-mail or symmetric TLS connections, for example).

There will also be a CAL Archive-Signing GPG Key, which will be used when publishing software for use by the Configured Workstations.

Since Configured Workstations will effectively trust both the CAL Certificate Authority and the CAL Archive-Signing GPG Key, the private components of these two keypairs must be handled in a secure fashion.

Intranet Communication

The dominant communication protocol on the CAL network will be IPv4, with IPsec used to authenticate communications between machines. Each machine will have a public IP address. Servers will be statically configured, and workstations will be dynamically configured using DHCP. Ideally, each CW could be assigned a unique IP address linked to its MAC address.

Internet communication

Two of the servers will act as gateways to the rest of the internet. Their upstream will be a CUIT switch, and they will be configured to only pass specific traffic inbound. Almost all outbound traffic (and its reciprocating replies) should be permitted.

Mail Services

Each user account in the CAL network will get an IMAP mailbox, initially configured with 1GB of storage. The mailbox will be accessible via IMAP, but will require TLS for access. A webmail interface (secured via HTTPS) will also be provided.

The mail will filtered for spam and viral content before delivery. This will probably all be handled by a single Mail Server

File Services

User accounts will be given 5GB quotas on an NFSv3-accessible share from a common fileserver. The Configured Workstations will be the only machines allowed to connect directly via NFSv3 to this fileserver. Other access to this data will be provided via scp or sftp, through a shell server.

Printing

There are several printers throughout [[Pupin Hall]]. Any user account in the system should have unlimited print access to these machines. One of the servers will be configured to provide CUPS access to every printer. Configured Workstations should be configured to speak to the CUPS server.

Monitoring

Each service provided by the network should be monitored regularly, and the monitoring services should report via e-mail or pager to a designated system adminstrator or two.

Name Service

We'll rely on CUIT to provide DNS for the network. Their DHCP-supplied DNS servers are currently:

  • 128.59.1.3
  • 128.59.1.4

To register hostnames with them, we should probably use the ACIS dns web form. fancier DNS RR requests should probably just go to hostmaster@columbia.edu