NetBar - Carnegie Mellon's Solution to Authenticated Access for Mobile Machines

Erikas Aras Napjus
Manager of Network Development
erikas@cmu.edu

Introduction

As Carnegie Mellon moves toward more wide-spread student ownership of computers, a clear gap in our networking resources begins to appear. While students with machines in our dormitories have constant access to the network from their rooms, students who live off-campus (many undergraduates and all graduate students) have to rely on our computer cluster facilities for their computing needs while they are on campus.

This often means competition between the teaching needs of our clusters and student needs to "compute" while located on campus during the day. Clearly, as computers become more integrated with daily life at Carnegie Mellon, this competition becomes more and more of a problem.

One solution being proposed by some of our graduate schools is complete student ownership of computer resources. Instead of having computer clusters on campus to do work, each student would own a standard configuration notebook computer which they could plug into the campus network at a network docking station or, as we've named them, a NetBar. These NetBars provide students with their own portable machines with complete access to our networking resources without requiring more than power and a 10-BASE-T ethernet feed (no costly computers, no difficult-to-configure software, etc.).

Even beyond the graduate schools, we've found the desire for NetBar-type services to be strong among undergraduates who live both on- and off-campus. To that end, we've already constructed two small, experimental NetBars as supplements to two of our recently renovated undergraduate computer clusters.

Difficulties

Unlike our typical network connections, though, there are many other constraints on the NetBar model of network connectivity:

Troubleshooting. We've found that most of our network problems are caused by users when they first attach to the campus network; with NetBar, users will be constantly attaching and detaching, so we'd like to provide the best possible isolation for these activated outlets. This ideally means attaching NetBar connections to switches instead of hubs and isolating whole NetBar sites behind routers for maximum problem isolation.

Security. Unlike our typical LAN connections, where a user has a static IP address, hardware address, and network outlet, NetBar connections are inherently dynamic. We'd like to know who is using any given address at any given time to be able to track down individuals in case of security problems.

Authentication. Clearly, Carnegie Mellon has no interest in providing Internet access for the entire City of Pittsburgh. Unlike a typical network connection, NetBar outlets will be located throughout campus, generally in publicly accessible spaces. We'd like to use Kerberos to authenticate users when they attach to the network via NetBar to ensure they are legitimate members of the CMU community.

We've found, through the Common Solutions Group, that many different universities have similar (or even stronger) demands for secure, authenticated NetBar connections at their locations. And, in theory, this also applies to a larger community than higher education. Right now, though, there is no off-the-shelf solution to provide this type of connectivity.

Alternative Solutions

The University of California has proposed a solution based on DHCP and Kerberos using customized hubs capable of providing the basic security necessary to isolate users until they have authenticated. This proposed strategy has been written up in a number of white papers published on the Internet. They have been in touch with hub vendors in order to get software modifications to support authenticated connections.

We've been a bit wary of the hub proposal, particularly since it requires a vendor to change software on one of their products. Instead, when we noticed the demand for NetBar-type services, we searched for commodity technologies which could be used to provide the necessary security, authentication, and isolation for this project. After some consideration, this sounded like an ideal application for VLAN technology and ethernet switches, preferably using inexpensive ethernet switches that are readily available today.

Our Solution

Basically the idea here is to isolate all of the NetBar ports on a "non-connected" VLAN. When a user attaches to the network and starts up their machine, they get an IP address from a DHCP server located on the "non-connected" VLAN. They then must authenticate to a server on that network with their Kerberos username and password, at which point the server communicates with the switch they've attached to via SNMP and moves them to an "attached" network with full network connectivity. When they disconnect (link status drops), the port is moved back to the "non-connected" VLAN.
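The port-control cycle described above, as an added example that is not the NetBar software itself: a small simulation of the state machine, where the switch's SNMP interface and the Kerberos password check are both in-memory stand-ins (constructed here; the real system drives a Catalyst switch over SNMP and verifies against the campus Kerberos realm). The VLAN numbers, user names and addresses are constructed for the example. Beyond the paragraph itself, the controller also keeps the session record that the Security section asks for, so that "who held this address at this time" can be answered after the fact.

```python
"""Simulation of the NetBar port-control state machine (added example).

Ports start on the "non-connected" VLAN, move to the "attached" VLAN only
after a successful authentication, and return when link status drops.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import hmac

UNCONNECTED_VLAN = 900   # constructed: VLAN where only DHCP and the auth server are reachable
ATTACHED_VLAN = 100      # constructed: VLAN with full campus connectivity


class SimulatedSwitch:
    """Stand-in for the SNMP interface of the edge switch: holds each port's VLAN."""

    def __init__(self, ports: int) -> None:
        # Every NetBar port is provisioned on the non-connected VLAN.
        self.port_vlan: Dict[int, int] = {p: UNCONNECTED_VLAN for p in range(1, ports + 1)}

    def set_port_vlan(self, port: int, vlan: int) -> None:
        # Stand-in for the SNMP set that reassigns a port's VLAN.
        if port not in self.port_vlan:
            raise KeyError(f"no such port {port}")
        self.port_vlan[port] = vlan

    def get_port_vlan(self, port: int) -> int:
        return self.port_vlan[port]


@dataclass
class Session:
    """One authenticated attachment: who, on which port, with which address, when."""
    user: str
    port: int
    ip: str
    start: int            # seconds; constructed clock
    end: Optional[int] = None


# Constructed stand-in for the Kerberos check (real code obtains a ticket with the password).
_CONSTRUCTED_USERS = {"alice": "alice-pw", "bob": "bob-pw"}


def kerberos_stub(user: str, password: str) -> bool:
    expected = _CONSTRUCTED_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class NetBarController:
    """Authenticates users, moves their port between VLANs, and records sessions."""

    def __init__(self, switch: SimulatedSwitch, authenticate: Callable[[str, str], bool]) -> None:
        self.switch = switch
        self.authenticate = authenticate
        self.active: Dict[int, Session] = {}   # port -> current session
        self.audit: List[Session] = []         # every session ever opened

    def login(self, port: int, user: str, password: str, ip: str, now: int) -> bool:
        """Called when a client on the non-connected VLAN presents credentials.

        `ip` is the address DHCP handed out on that VLAN. The port is moved only
        on success; a failed password leaves it isolated.
        """
        if port in self.active:
            return False                      # port already attached under another identity
        if not self.authenticate(user, password):
            return False                      # stays on the non-connected VLAN
        self.switch.set_port_vlan(port, ATTACHED_VLAN)
        session = Session(user, port, ip, now)
        self.active[port] = session
        self.audit.append(session)
        return True

    def link_down(self, port: int, now: int) -> None:
        """Link status dropped: return the port to isolation and close its session."""
        self.switch.set_port_vlan(port, UNCONNECTED_VLAN)
        session = self.active.pop(port, None)
        if session is not None:
            session.end = now

    def who_had(self, ip: str, at: int) -> Optional[str]:
        """Answer the Security-section question: which user held `ip` at time `at`?"""
        for s in self.audit:
            if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
                return s.user
        return None


if __name__ == "__main__":
    sw = SimulatedSwitch(ports=4)
    ctl = NetBarController(sw, kerberos_stub)
    print(ctl.login(2, "alice", "wrong", "192.0.2.10", 1000), sw.get_port_vlan(2))
    print(ctl.login(2, "alice", "alice-pw", "192.0.2.10", 1001), sw.get_port_vlan(2))
    ctl.link_down(2, 1500)
    print(sw.get_port_vlan(2), ctl.who_had("192.0.2.10", 1200))
```

The two failure modes that matter operationally are both handled: a wrong password never triggers the VLAN move, and a port that is already attached refuses a second login, so one outlet cannot be claimed by two identities at once. The audit list is what lets an operator resolve an address to a person after the port has long since reverted.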

Status Update

Given our existing experience with the Catalyst 2808/2828 line of ethernet switches, we built the initial prototype of this system to utilize Cisco products. At this point, most of the software development for this effort has been completed and we have begun looking toward a test deployment in three or four buildings over the next couple of months. If all goes well, we'd like to branch out over the coming years to offer more NetBar services throughout campus.

Most of the key software components for this project have already been developed and can be readily released to the public domain. Kerberos has been implemented and released to the public domain by MIT. The DHCP server has been developed by Network Development and has been publicly available for over a year. Finally, the NetBar software has been developed and, after a successful test deployment, would also be released to the public domain.

The biggest problem with the project to date is getting financial buy-in from departments who want to deploy NetBar-type services, particularly the graduate schools. Compared to equipment which could be granted by other networking companies (or even the cost of shared 10-BASE-T ports), switched ethernet ports on the Catalyst 2828 are quite expensive. As prices drop, however, this technology should become more viable. In the short term, we are attempting to work through these financial issues.
