Minutes from the 2nd NWG
10 November 2000
Centro de Calculo, La Laguna
Present
Apologies
Security Meeting
ORM Network Group Meeting
Connectivity and Transfer Tests
Actions
Backup Link Between La Palma and Tenerife
AOB
Date for Next Meeting

Present
Diego Sierra (DS)
Don Carlos (DC)
Claudio Moreno (CM)
Juan Cortina (JC)
Luis Hernández (LH)
Carlos Martin Galan (IAC)

Apologies
None received.

Security Meeting
Creation Of Working Group
Analysis Of The Current Situation
Development Of A Security Plan For IACNET
The order of the agenda was changed to accommodate the schedule of the IAC representatives; the discussion on security issues was moved forward.
CMG presented the proposed IAC plan of action for the study and implementation of security policies for IACNET (i.e. all networks administered under the IAC domain). The plan consisted essentially of three parts:
- Creation of a working group with representation of all existing UIs to study the current situation in the first instance.
- Analysis of the current security situation.
- Development of a security plan for implementation across IACNET.
A translation of the plan follows (originally presented in Spanish):
Creation Of Working Group
To understand all the problems related to the security of IACNET it would be desirable to create a working group, with members from all the UIs. This would include the various telescopes, both Residencias, the main installation in La Laguna, GTC and the department of Astrophysics at the University of La Laguna.
The initial tasks of the working group would be:
- Develop a local security plan for each UI, and propose common security measures for IACNET.
- Advise and assist those responsible for security of each UI, especially those UIs that do not have personnel dedicated to security issues.
To establish good communications within the security working group the following measures are proposed:
- Create a distribution list for the group to notify UIs of any incidents.
- Hold regular meetings to assess the progress and adapt the security plan to changing needs.
Analysis Of The Current Situation
Once the security group has been created it would be necessary to analyse the current security situation of IACNET. This would include the following:
- Analysis of communications of each UI with the exterior
  (i) IP filter tables on all routers
  (ii) Analysis of exterior connection services (mail, telnet etc.)
- Analysis of the internal communications between UIs (i.e. all members of IACNET).
It has already been established that there is a large difference between the security measures taken by each of the UIs, which vary from having all services open to the exterior to having nearly all services blocked.
This has generated a lack of trust in communications between respective members of the IACNET, something which should change if all the networks present on IACNET were considered secure.
Development Of A Security Plan For IACNET
Once an analysis of the current security situation has been undertaken, the group would then draw up a plan where a minimum set of global security measures would be recommended for IACNET, with the aim of:
- Providing a minimum level of security for all UIs, including those that do not have any personnel dedicated to security issues.
- Make the most of common services on IACNET.
- Make communications between secure constituents of IACNET easier.
The plan should contain:
- Minimum security level for all UIs.
- Identify all external communications services and establish a minimum security level for each.
- Specify a mechanism for controlling access to these services.
- Specify services that communicate UIs and specify the reliability of the mechanisms.
- Measures for the detection of sweeps and attacks.
Once the plan was outlined by CMG, discussions became more general and it was pointed out by CMR that in effect the security group already existed, since all those present at the NWG were in fact responsible for the area of security. The group agreed to keep the discussion of security issues within the NWG.
JC then produced a more detailed proposal, written by Toni Coarasa (MAGIC), about general security for all IACNET members. The plan included various measures similar to those already implemented by the IAC, including a firewall and a DMZ in which to place common secure services (web servers etc.). The plan also proposes the removal of certain insecure services (telnet and ftp, for example), and placing these services on insecure servers within the DMZ. The report is included in its entirety at the end of these minutes.
At this point CMG left the meeting and general NWG business began.
A representative from GranTeCan (GTC) left information about their future network requirements with DS. In summary, their plans are that they will have a 155 Mb link from the mountain top to the new offices, and a 60 – 350 Kb link to the outside world. Their network plans appear to be autonomous and independent of any existing structure.
Various members asked for clarification as to the nature of the plans for the new offices regarding network connectivity and maintenance of service, but little could be said at the meeting about this.
Agenda from Previous Meeting
All members of the NWG meeting read and approved the minutes from the last meeting.
Progress report on actions from the last meeting
DS : Network documentation continues as an ongoing item; changes in the existing network topology have complicated this task somewhat. Details of the changes made are: REDIRIS have upgraded the link to the USA to 155 Mbs, and 45 Mbs to the rest of Europe. The proxy network has been upgraded to 45 ATM, and an additional 17 Mbs line has been installed to feed directly into internet 2.
As a consequence of the work already done to improve existing connections, the link from La Laguna to Madrid will be improved at some point in the future, as a direct result of the improvement in the link from Madrid to the USA. The improved link was saturated very quickly as bottlenecks arose in the network at various points in Spain due to the increased demand in traffic.
The IAC tender action for an improved link from La Laguna to La Palma seems to have stalled, as no firm date for the action has been given.
REDIRIS information can be obtained from www.rediris.es/red/informe
DC has been given SNMP access to the required IAC router and can therefore find out when the network fails. DC expressed his gratitude to DS for the access.
DC : Downtime figures are available for all NWG members on the web page address sent to NWG members shortly after the first meeting. There was also a marked lack of change in this web page since there have been no network outages for some time.
IS : Nothing done. Although he has given CM a copy of the LJMU paper on network throughput, he has not as yet made the paper generally available. DC has been given a photocopy of the paper by CM; anyone else who requires a copy should contact CM, who will send one.
JC : Happy with current connectivity, and the security requirements have been sent and discussed in this meeting.
CMR : Network script never sent, for two reasons. The first was the lack of random files to be provided by IS. The other is that after the first meeting and discussions with DS, an alternative (semi-commercial) piece of software was found by DS. Lack of time has prevented CMR or DS looking into this in any more detail.
Connectivity and Transfer Tests
JC showed more detailed studies of the network throughput from Germany to La Palma and Madrid. Poor transfer figures to Germany were attributed to local problems of changing network topology; otherwise transfer figures were much the same as previously discussed.
CMR stated that he had figures much the same as those obtained by IS: an average throughput of approximately 120 Kbps. The tests continue to use chopped up FITS images, as they are representative of the data type we would send across the net. The tests have been reduced in scope to just send 1Mb files from one place to another.
N.B. The figure of 120 Kbps is largely independent of time.
DC stated his belief that the type of file did not matter as much as the fact that the same file be used all the time.
Backup Link between La Palma and Tenerife
DC expressed concerns about the lack of a backup link, should an incident similar to last year's destruction of the cable by a fishing boat occur. DC went on to suggest the possibility of obtaining an ISDN line from TELEFONICA, for routing through the microwave link, should the line between La Palma and La Laguna break again.
DS suggested that TELEFONICA might already have alternative plans in place for such an event in the future, but he was not too sure about this. LH then agreed to get in touch with TELEFONICA to see if such plans are already in place.
Actions
20000512.1 DS : Mail all present at meeting every time he is going to work on the network (On-going). Make statistics of downtime of link between La Laguna and Madrid available in the future. Network topology documentation (present and future) to be made available to all UIs once finished.
20000512.2 DC : Make last year's network down time figures available to all. (Done)
20000512.3 IS : Make LJM network reliability/throughput paper available to all in postscript format and mail all UIs when ready. Make 1.0MB uncompressible file for CM to include in his script for UIs network throughput tests. Supply NWG with exact figure for acceptable level of connectivity. Send security requirements to NWG for security meeting as he will not be attending. (Done)
20000512.4 JC : Supply NWG with exact figure for acceptable level of connectivity. Send security requirements to all UIs as he will not be present at the security meeting (neither will the other HEGRA representative Toni Coarasa).
20000512.5 CM : Send network throughput test script to all
20000512.6 ALL : Think about requirements for network usage both current and future, and the level of security required so that definite proposals can be sent to OSC.
AOB
DS showed network usage statistics obtained from the IAC routers; they show occasional saturation of the line, largely due to the ING.
The meeting then agreed to table a more formal and detailed discussion on current network usage in the next meeting.
DC suggested the implementation of a general store to keep files and general network information for access to all group members.
DS suggested making such a store available on the IAC external web server, although all members should be careful about exactly what is placed on such a web server since it is available to anyone.
DC will be attending the next OSC meeting where the minutes from this meeting will be distributed and he will also inform OSC of progress to date.
Date for Next Meeting
Date set for the next meeting: 11th May 2001, location La Palma SLO.
File location : http://www.ing.iac.es/~cfg/ormnwg/20001011.html
Minutes written by : Claudio Moreno
Revised and converted to HTML by : Don Carlos Abrams