NYU-NET Technical Handbook


NYU-NET TECHNICAL HANDBOOK

First Edition, Revised, August 26, 1994

http://www.nyu.edu/its/security/handbook.html (1 of 55) 8/31/2006 1:23:12 PM

[Ed: This document is for reference only. Much of the information contained within is now outdated. Please note especially that ACF is now known as Information Technology Services. If you have questions about the accuracy of information contained within this document, please write to its.pubs@nyu.edu.]

Table of Contents

  • Audience
  • Acknowledgment
  • 1. Introduction
  • 2. Overview of NYU-NET
      - 2.1 Description
      - 2.2 Connection to Internet
      - 2.3 The Management of NYU-NET
      - 2.4 The Network Operations Center
  • 3. History of the NYU-NET Infrastructure
  • 4. Standard Practices and Policies
      - 4.1 Local Network Manager Obligations
      - 4.2 Network Changes
      - 4.3 Security Issues
      - 4.4 Internet Access
      - 4.5 Host Configuration Issues
  • 5. Major Protocol Suites on NYU-NET
      - 5.1 TCP/IP
      - 5.2 DECnet and Related Protocols
      - 5.3 Novell IPX/SPX
      - 5.4 AppleTalk
  • 6. Configuration Guidelines
      - 6.1 Summary of Requirements
      - 6.2 Network Management Aspects - SNMP
  • 7. Configuration Guidelines: TCP/IP Hosts
      - 7.1 General Points
      - 7.2 Fundamental TCP/IP Information
      - 7.3 Unix Workstation
      - 7.4 Apple Macintosh
      - 7.5 IBM PC
  • 8. Configuration Guidelines: Routers
      - 8.1 General Router Issues
      - 8.2 IP Router Configuration
  • 9. Configuration Guidelines: AppleTalk Routers
      - 9.1 General Configuration Aspects
      - 9.2 Shiva Fastpath Configuration
      - 9.3 Novell NetWare Configuration
  • 10. Configuration Guidelines: Novell NetWare
      - 10.1 NetWare File Server
      - 10.2 NetWare PC Client
  • 11. Guidelines for Setting Up Departmental LANs
  • 12. NYU-NET Purchasing Guidelines
      - 12.1 Advisory: Peer-to-Peer Networking
      - 12.2 Advisory: Network Modem Products
      - 12.3 Standard Brands on NYU-NET
  • Glossary
  • Appendix A: A Description of NYU-NET
  • Appendix B: Obtaining Network Names and Numbers
  • Appendix C: Notes on Peer-to-Peer Networking at NYU
  • Appendix D: MacTCP - Availability and Installation
  • Appendix E: Recommended Readings
  • Addendum 1.9: Changes to the NYU-NET Technical Handbook
  • Addendum 2.0: Primary NYU-NET Contacts
  • Addendum 3.0: NYU-NET Architecture Diagram
  • Addendum 4.0: NYU Staff with Network Responsibilities
  • Addendum 5.0: Recent NYU-NET Developments
  • Addendum 6.0: List of TCP/IP Subnets
  • Addendum 7.8: Current Microcomputer Networking Software
  • Addendum 8.0: AppleTalk on NYU-NET
  • Addendum 9.0: Viruses and Novell NetWare
  • Addendum 10.0: NetWare 4 and NYU-NET
  • Addendum 11.0: Policy on Internet Access

Audience

The primary audience for this handbook is NYU staff members responsible for planning, purchasing, configuring, and managing the systems and network infrastructure devices which collectively form NYU-NET, New York University's campus-wide data communications network.

Acknowledgment

Portions herein are based on internal ACF networking documentation developed by Bill Russell, senior networking engineer. Technical review has been performed by staff of the Academic Computing Facility's technical services group. This document has also been reviewed for accuracy and acceptability by representatives of the university's Data Communications Task Force. Corrections or suggestions should be directed to Gary W. Chapman; send electronic mail to chapman@nyu.edu.

1. Introduction

This handbook describes technical aspects of NYU-NET, the university's campus-wide data communications network.
Two basic kinds of information are contained here:

  • technical details relevant to configuring various types of devices and systems attached to the network, and
  • descriptions of standard practices and policies that must be observed on a large and complex network like NYU-NET.

Chapter 4 on Standard Policies and Practices, in particular, describes many of the obligations of computer and network managers at New York University.

In the 1990s, a communications network like NYU-NET is a complex and evolving system: countless hardware and software components are used by a rapidly increasing number of students, faculty, research, and support staff as an integral part of their academic lives. NYU-NET intermixes computer and communications technologies spanning two decades of technological evolution, with no end of new developments in sight. As a cooperative venture -- both at the level of human use and at the level of interrelated hardware and software components -- every new addition or modification to NYU-NET must fit into the established system in a conformant, seamless fashion. It is the task of the university's computing and networking staff to preserve the smooth running of
NYU-NET while extending its use and its capabilities. The primary audience for this handbook consists of such staff members: network and system managers responsible for planning, purchasing, configuring, and managing the systems and network infrastructure devices which collectively form NYU-NET. These staff members are often referred to here as "local network managers."

The Network Operations Center (NOC) of the Academic Computing Facility is the focal point for NYU-NET coordination, information, and central network management activities. To reach the NOC:

  Via E-Mail (preferred): noc@nyu.edu
  Via Telephone: (212) 998-3450 or 998-3333 (the ITS Helpline)

This first edition of a NYU-NET handbook does not attempt the impossible: a complete description of all technical aspects of configuring and managing elements of the network. It does attempt to touch upon the most fundamental issues relating to configuration of the most popular protocols and kinds of devices currently used on the network.

Please note that some portions of this handbook, especially its addenda, are subject to frequent update as changes to NYU-NET take place. The handbook, and the latest versions of these sections, may be obtained electronically via anonymous ftp from acfcluster.nyu.edu in files nyunet/handbook.* It will also be available from the NYU Gopher-based Campus-Wide Information System in the NYU-NET section (gopher to gopher.nyu.edu, port 70).

2. Overview of NYU-NET

2.1 Description

NYU-NET is New York University's campus-wide data communications network. A computer network - especially one the size of NYU-NET - is a complex assemblage of wiring, network infrastructure devices, computer systems, and software which together allow for communications between the connected computers - and therefore between computer users. The different kinds of communications which take place between computers and computer users are, collectively, termed "network services".
Examples include: electronic mail, data file transfer, access to local and remote library catalogs and databases, and access to campus-wide information systems.

As of January 1993, NYU-NET interconnects more than 3500 computer systems located in over 40 NYU buildings. The network encompasses the Washington Square campus, the Dental Center, and Medical Center facilities in Manhattan and Sterling Forest. NYU-NET is a rapidly evolving and growing communications network, with steady addition of new locations, infrastructure devices, computers, services, and users.

A good way to understand NYU-NET is as a hierarchy of computer networks: small departmental networks in buildings; buildings tied together at each campus; each campus connected to the other campuses; and the whole of NYU-NET connected to the national and international communications network, the Internet. See Appendix A for a more technical definition and description of NYU-NET. Addendum 3 contains an overview diagram of some major NYU-NET elements.

2.2 Connection to Internet

NYU-NET is one of the thousands of computer networks which, together, comprise the Internet. Universities, private companies, government agencies, research installations and, increasingly, private individuals are interconnected via this world-wide network of networks. More than 1.3 million computers are connected world-wide to the Internet with the number growing at an apparently geometrical rate.

2.3 The Management of NYU-NET

NYU-NET and its link to the world-wide Internet are managed by the Academic Computing Facility's network operations staff at our Network Operations Center - in cooperation with the cross-university Data Communications Task Force and scores of local, departmental network management staff. The network, therefore, is maintained in a collaborative, cooperative fashion by computer and networking experts from many divisions of the university.
The Academic Computing Facility operates the Network Operations Center, which contains a variety of monitoring and fault-detection tools used to maintain NYU-NET; the staff works closely with computing professionals from around the university to ensure the smooth workings of the network,
and to quickly solve problems if they arise. The ACF also provides many educational, consulting, installation, and management services for members of the community who wish to learn about and begin to use NYU-NET, and to departmental representatives who wish to attach departmental computers to the campus-wide network.

2.4 The Network Operations Center

A network operations center is a fundamental resource for managing a large and diverse internet like NYU-NET. It is concerned, from a central vantage point, to:

  • Maintain network standards
    The NOC seeks to ensure that technical standards are established, understood and observed throughout NYU-NET in order to guarantee the integrity and smooth functioning of the network. Central coordination for network-related naming and numbering is an important component of this function.
  • Assist in solving network-related problems
    The NOC is directly responsible for some of the network infrastructure and its services (e.g. gateways to external networks, central name service), but a large portion of the network is under the direct management control of school and departmental network managers. The NOC does not have the resources to solve all manner of network problems for local network managers: the NOC staff will assist to the degree possible, with special concern for problems in any area of the network which may negatively affect others. In such cases, the NOC acts as a coordinating intermediary amongst the involved staff.

3. History of the NYU-NET Infrastructure

The origins of NYU-NET date back to the early 1970's - the days of early experiments with networking and the establishment of the government-sponsored ARPANET, the forerunner to today's worldwide Internet. Staff at the Courant Mathematics and Computing Laboratory were involved in those early days with research and experimental implementation to explore the feasibility and capabilities of computer networking.
In the early 1980's, New York University was among the first institutions to install Ethernet technology, attaching DEC VAX mini-computers to a Warren Weaver Hall cabling system which represented the first portion of NYU-NET. In 1982-83, cabling was extended to 715 Broadway. Protocols in use in this period were XNS, DECnet, and IP. By late 1983 a fiber-optic link replaced the original coaxial cable between Warren Weaver Hall and 715 Broadway, and in 1984 a T1 microwave link was established between the Square and the Business school down-town. NYU-NET had become a full multi-media, multi-protocol network.

In 1985, NYU decided to install its own voice telephone system, managed by the Office of Telecommunications. A Data Task Force - forerunner to today's Data Communications Task Force - was established to investigate the possibility of using the occasion of the telephone system installation to also provide data communications infrastructure wiring from offices to phone closets throughout the campus. The Task Force recommended and supervised the installation of a multi-purpose broadband cable plant, initially connecting 35 buildings. This CATV cable system - a.k.a. the "broadband" - is managed by a Network Operations Group (NOG); it has become a backbone cable for NYU-NET at Washington Square, providing a 5 MB Ethernet channel as well as a channel for point-to-point SNA connections via broadband modems and up to 23 cable television channels.

Since this time, many additions, modifications, and enhancements have been made to the NYU-NET wiring infrastructure, including:

  • fiber-optic cabling links to the Third North Residence, and to the Dental and Medical Centers
  • fiber-optic cabling links amongst many buildings at the Medical Center
  • additional broadband points of presence added in several Washington Square buildings
  • fiber-optic link to the newly-acquired Fairchild Building on 12th St.
  • establishment of leased-line links to the Public Health Research Institute and the Sterling Forest outpost of Environmental Medicine
  • establishment of numerous Ethernet and LocalTalk installations within NYU buildings and departments

For the most part, NYU-NET is currently a bridged, as opposed to routed, local area network. In the early 1990s, however, NYU-NET is making a transition to a fully-routed network.

4. Standard Practices and Policies

Because our network is managed in distributed fashion, local computer and network managers must
understand, and agree to follow, the basic practices and policies in effect on NYU-NET.

4.1 Local Network Manager Obligations

The managers of portions of NYU-NET must be quickly reachable by the NOC, via phone and/or E-mail, in the event of a network emergency - for example a malfunctioning device negatively affecting other systems, or a security event such as a system break-in, or virus epidemic. In the event of a sufficiently serious network event caused from within a locally managed sub-network of NYU-NET, the NOC staff might be forced to disconnect that sub-network from the rest of the network until the problem can be resolved. Local network managers must have electronic mail accounts to assist in communications with the NOC.

Local network managers should take a lively interest in computer and network security issues. The sections below on Security Issues and Host Configuration Issues describe the basic security standards on NYU-NET; more detailed security measures can be explored with the NOC and ACF staff members who have significant experience in this area.

Personnel changes which affect management of the network must be communicated to the NOC.

4.2 Network Changes

The NYU-NET Network Operations Center must be notified of the attachment of new wiring extensions to NYU-NET and of the procurement of any "network infrastructure devices" prior to their attachment to NYU-NET. Such devices include all:

  • repeaters
  • hubs/concentrators
  • bridges, routers, and brouters
  • network modems/asynchronous gateway devices
  • hosts, workstations, file servers capable of routing

All such devices must be procured with SNMP capabilities and then configured with SNMP enabled in order to participate in basic NYU-NET management efforts.
When a computer or network infrastructure device (such as a hub, bridge, or router) is ready for attachment to NYU-NET, an Internet name and numeric address must be assigned by the Network Operations Center, or by an authorized NYU-NET sub-domain authority. The "database" of such Internet names and numbers is part of the "DNS" (Domain Name Service). This rule applies to all equipment, including Novell NetWare file servers, with the general exception only of Macintoshes being attached to a LocalTalk network (which are "named" and "numbered" for TCP/IP purposes via the router which attaches them to NYU-NET).

4.3 Security Issues

The Network Operations Center maintains liaison with the Internet CERT/CC (Computer Emergency Response Team Coordination Center at Carnegie Mellon University) and receives advisories and alerts relating to computer and network security events and issues. Any departmental or school network manager who wishes may receive copies of these advisories. (Send request via E-mail to noc@nyu.edu.)

Local network managers are, in a general sense, responsible for security concerns within the portion of NYU-NET which they manage - and therefore should seek to ensure good system security within their domains. It must be realized that a given host's lack of integrity can potentially affect the integrity of other systems on the campus network.

Basic security guidelines for local network and system managers are as follows:

  • Recognize that physical security is a key to good system and network security: locate systems (including file servers and shared-access hosts) in physically secure (locked!) locations whenever possible.
  • Attempt to create or utilize secure communications pathways for network cabling in so far as is practical.
  • Restrict "root" or "supervisor" privileges to the minimum number of system users; turn off the ability to perform remote logins as "root" on UNIX systems.
    When initially configuring a new system and its accounts, provide users with the minimum necessary privileges; add account privileges over time as necessary.
  • All user accounts should require both "username" and "password" authentication - avoid use of "anonymous" accounts whenever possible. Give all accounts an expiration date, and purge expired accounts after a reasonable amount of time. Actively discourage users from sharing their user names/passwords with others. Require passwords to be periodically changed, and whenever possible prevent old passwords from being re-used. When possible, require passwords to be non-trivial and of substantial length. Disable accounts of staff members who leave your department or the university. If cross-network password encryption is a viable option, use it.
  • Recognize that peer-to-peer networking (as in Macintosh System 7 file sharing between
    microcomputers) presents potential problems if microcomputer users do not configure their machines to prohibit "guest" access: individual machines within departments must be carefully set up to require username/password access. Otherwise, the data on hard disks will be available to snoopers (playful or otherwise) anywhere on the network. A related problem arises when microcomputer Telnet programs are run: these programs typically allow FTP access to the microcomputer; such access should be limited through use of username/password controls.
  • Employ anti-viral software on all microcomputer systems. (Free software for Macintosh and IBM PC-type microcomputers is available from the ACF.) Be sure to obtain updates of these programs as they become available.
  • Speak to NOC and ACF staff members about security issues specific to the platforms in use in your area.

4.4 Internet Access

Anonymous - i.e. unauthenticated - access from NYU-NET to the rest of the Internet is prohibited: access to machines and services outside of NYU-NET may ONLY be made available to known and authorized account holders on shared-access machines within NYU. NYU-NET practice extends this policy to include microcomputers belonging to well-known members of the community - users who have registered their computers with the domain name service authority (hostmaster@nyu.edu) or with delegated sub-domain name service authorities within divisions of the university. In particular, laboratory microcomputers which do not require user login authentication (username/password login to a file server for example) are prohibited from direct Internet access.

Local network managers are obligated to follow procedures in accordance with this policy.
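
The account guidelines in section 4.3 can be checked mechanically on a UNIX host. The following is an added example, not part of the handbook: it audits constructed passwd(5)/shadow(5) data for extra UID 0 accounts, anonymous or passwordless logins, missing expiration dates, unpurged expired accounts, and missing password ageing. The sample accounts, the rule labels, the 90-day purge grace period, the 180-day maximum password age, and the exemption of UID 0 accounts from the expiry rule are all assumptions.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
ANON_NAMES = {"guest", "anonymous", "anon"}   # assumed list of anonymous-style names

# Constructed sample data in passwd(5) and shadow(5) format; not from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:spare admin:/root:/bin/sh
guest:x:1001:100:guest login:/home/guest:/bin/sh
asmith:x:1002:100:A. Smith:/home/asmith:/bin/sh
bjones:x:1003:100:B. Jones (left dept):/home/bjones:/bin/sh
daemon:x:1:1:daemon:/:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$constructed$hash:19000:0:90:7:::
toor:$6$constructed$hash:19000:0:90:7:::
guest::19000:0:99999:7:::
asmith:$6$constructed$hash:19700:0:90:7::20100:
bjones:$6$constructed$hash:18000:0:90:7::19500:
daemon:*:19000:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Parse a colon-separated account file into {name: [fields]}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed entry: {line!r}")
        rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, today, grace_days=90, max_age_days=180):
    """Return {account: [findings]} for accounts that break a section 4.3 guideline."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    today_days = (today - EPOCH).days          # shadow dates are days since 1970-01-01
    report = {}
    for name, pw in passwd.items():
        findings = []
        uid = int(pw[2])
        # "Restrict root privileges to the minimum number of system users"
        if uid == 0 and name != "root":
            findings.append("extra-uid0")
        # "avoid use of anonymous accounts whenever possible"
        if name in ANON_NAMES:
            findings.append("anonymous-name")
        sh = shadow.get(name)
        if sh is None:
            findings.append("no-shadow-entry")
        else:
            pwd, max_age, expire = sh[1], sh[4], sh[7]
            # "All user accounts should require both username and password"
            if pwd == "":
                findings.append("empty-password")
            locked = pwd.startswith(("!", "*"))   # no interactive login possible
            if not locked:
                # "Give all accounts an expiration date" (UID 0 exempt: assumption)
                if expire == "" and uid != 0:
                    findings.append("no-expiry")
                # "Require passwords to be periodically changed"
                if max_age == "" or int(max_age) > max_age_days:
                    findings.append("no-password-ageing")
            # "purge expired accounts after a reasonable amount of time"
            if expire != "" and today_days - int(expire) > grace_days:
                findings.append("expired-not-purged")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for account, problems in audit_accounts(
            SAMPLE_PASSWD, SAMPLE_SHADOW, date(2024, 6, 1)).items():
        print(f"{account}: {', '.join(problems)}")
```

On a real host the two inputs would be the contents of the system's own account files, read with sufficient privilege.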
4.5 Host Configuration Issues

In accordance with Internet requirements for electronic mail service, every host computer system involved in SMTP mail delivery must have an electronic mail address of the form:

  postmaster@hostname

from which users and network authorities at other institutions can seek assistance in answering mail-related questions and solving mail-related problems involving that host. As RFC-1123 "Requirements for Internet Hosts" states: 'A host that supports a receiver-SMTP MUST support the reserved mailbox "Postmaster".' As a rule, it is expected that inquiries to "postmaster" be answered within twenty-four hours of receipt. The ACF maintains a staff "postmaster" function for the university at large, reached by the SMTP mail address postmaster@nyu.edu.

All network-attached hosts which present a text-based display upon user login (e.g. traditional terminal-type access to VMS, UNIX machines) should provide a banner notification to users of the system, according to the following form:

  "Access to this computer system is restricted to authorized account holders and its use is limited to approved educational, research or administrative activities."

The recommended form of this notification is expected to change in recognition of legal and security aspects of computer use (and misuse). Check the addenda to this handbook to see if an updated recommendation for banner notifications is available.

5. Major Protocol Suites on NYU-NET

A communications or networking protocol is a set of rules describing how hardware and software elements of the network exchange information. A protocol suite is a set of interrelated protocols. Many such protocols and protocol suites have been (are being) developed, and NYU-NET, unlike some networks, does not mandate use of only a single protocol suite. NYU-NET is a multi-protocol network. (It should not be thought, however, that NYU-NET is suitable now or in future for all networking protocols.
The viability of Netbios, for example, is highly questionable given its non-routed design.) The primary protocol suites in use on NYU-NET are TCP/IP, DECnet, Novell IPX, and AppleTalk.

5.1 TCP/IP

TCP/IP represents, in a sense, the most important protocol suite on NYU-NET: the widest range of network services utilize TCP/IP protocols and virtually all network communications to and from the external Internet are conducted using these protocols.

TCP/IP protocols can be viewed as occupying one of three basic levels, where higher-level protocols/services (i.e., the "application" and "transport" protocols) rely on the lower-level protocols:
  Application:  TELNET  FTP  SMTP  SNMP  NFS  RIP  DNS  BOOTP
  Transport:    TCP  UDP
  Network:      IP
  Physical:     [Assorted media access protocols, such as Ethernet 2, 802.3 Ethernet, FDDI, 802.5 Token Ring, etc.]

  Protocol...  Is an acronym for...                        providing...
  TELNET       --                                          terminal emulation
  FTP          File Transfer Protocol                      error-free file transfer
  SMTP         Simple Mail Transport                       mail transfer
  SNMP         Simple Network Management Protocol          network management
  NFS          Network File System                         sharing disks among computer systems
  RIP          Routing Information Protocol                routing information exchange
  OSPF         Open Shortest Path First                    routing information exchange
  IS-IS        Intermediate System - Intermediate System   routing information exchange
  DNS          Domain Name Service                         name/numbering information
  BOOTP        Boot Protocol                               obtaining network info at machine boot time
  TCP          Transmission Control Protocol               reliable byte-stream data transmission
  UDP          User Datagram Protocol                      unverified packet delivery
  IP           Internet Protocol                           connectionless, best-effort packet delivery service

TCP/IP also contains various support protocols used by IP over broadcast media. These protocols are NOT routable: if two cable segments are connected by an IP-level router, these protocols are not bridged (passed) through the router - even if the router bridges all other protocol types:

  ARP    Address Resolution Protocol           find MAC-level address when host knows IP address
  RARP   Reverse Address Resolution Protocol   acquire IP address when host knows MAC-level address

Two protocols are defined for asynchronous (serial) communications support of IP: SLIP (serial line internet protocol) and PPP (Point-to-Point Protocol). SLIP is a de facto (not official) standard protocol, with numerous host and microcomputer implementations. PPP, an emerging standard as defined in RFC-1331, "provides a method for transmitting datagrams over serial point-to-point links... and is comprised of three main components:

  • A method for encapsulating datagrams over serial links.
  • A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
  • A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols."

NCPs, such as for Novell NetWare's IPX/SPX, are currently in development.
5.2 DECnet and Related Protocols

DECnet is a collection of protocols providing all the normal network service requirements. It was originally developed on and for DEC computer systems but the specifications for all of DECnet and many of the related protocols are publicly available and they have been implemented on many other systems, all the way down to MS-DOS and Apple Macintosh microcomputers.

Application level protocols include CTERM for remote login over a wide area network, DAP for transparent file access, MAIL-11, MAILbus Transport, and X.400 for electronic mail transport. These are layered on NSP, the Network Services Protocol, which provides Session and Transport layer services which are in turn layered on various transport protocols such as Asynchronous or Synchronous DDCMP, Ethernet, Token Ring, etc.

The level of DECnet currently implemented on NYU-NET is DECnet Phase IV which supports two levels of routers, adaptive least-cost routing, and a maximum of 63K nodes. A new level of DECnet being planned is DECnet Phase V which moves many services to the OSI networking protocol suite (including FTAM, X400, etc.).

DECnet also includes a set of auxiliary protocols such as MOP and Remote Console which exist to support downline loading, upline dumping, and remote operation of various devices, most often network infrastructure elements. DECnet protocols can be routed, but the auxiliary protocols such as MOP are parallel to the routing layer and typically must be bridged.

Associated with, but not actually part of, the DECnet protocol suite are a set of high performance local area network protocols. These protocols are designed to sit directly on a Data Link (or Data Link + lower-network) layer protocol such as Ethernet. These protocols have been optimized for local services and generally offer very high performance even under heavy loads. There is some work underway to experiment with layering them on top of IP.
The remote terminal protocol from this family is LAT (Local Area Terminal) which includes both name services and bi-directional support, and is especially efficient at handling the case of many users on a single terminal server sending data to the same host.

The remote data access protocol suite in the family is commonly called LAD/LAST (Local Area Disk/Local Area Storage Transport). It supports access to shared read-only blocked storage devices such as CD-ROMs and single-Writer multiple-Reader disks, with support recently added for sequential allocation and use of tape devices. The principal use of LAD/LAST services on NYU-NET is the DEC Infoservers which are used to provide general access to CD-ROMs as well as remote booting and paging disk services to DEC X-window terminals.

LAT and LAD/LAST protocol spaces define 255 valid groups. Group numbers must be centrally assigned and service names other than DECnet names (already coordinated) must be coordinated through the NYU-NET Network Operations Center. LAT and LAD/LAST services need to be bridged at this time.

Another important DEC protocol used on NYU-NET is the Local Area VMScluster (LAVc) protocol. This layers the DEC software which permits a group of VMS systems to act like one large system in all important respects onto an Ethernet transport layer. It too must be bridged. The LAVc protocol defines two subranges of a 16-bit cluster number space. This number space is password protected, but for best performance it should be coordinated.

5.3 Novell IPX/SPX (Novell NetWare)

Novell NetWare, and associated products, use a variety of protocols collectively referred to as the "IPX/SPX" protocols. IPX, the Internetwork Packet Exchange, is a network-layer protocol, responsible for forwarding IPX packets through IPX routers (such as Novell servers) and to end clients and servers.
SPX, the Sequenced Packet Exchange, is one of two transport-layer protocols and is occasionally used for client-client guaranteed packet delivery. More commonly, clients use the NetWare Core Protocol (NCP) packets atop a simple "Packet Exchange Protocol" for client<->server communications:
A variety of other protocols are used:

  RIP      the Routing Information Protocol used by IPX routers to exchange routing information
  Error    used to tell a destination IPX socket of an error
  Echo     used to test end-to-end connectivity between nodes
  SAP      the Service Advertisement Protocol, used by servers to advertise services (such as file or print services) or clients to find such services on the network
  Netbios  not a part of the "IPX/SPX" protocol suite, but implemented by Novell on top of IPX in order to provide compatibility for applications which are built to rely on Netbios capabilities.

The "NetWare Core Protocols" form a programming API for providing services to end-user applications. NCP is used to provide basic operating system services such as file and queue system access, as well as bindery access, locking and synchronization capabilities, and printer access.

In recent years, NetWare systems have come to also support AppleTalk and TCP/IP protocols for native support of Apple Macintosh and Unix-based clients and for network management purposes. The NetWare Management System, for example, uses a combination of IPX and SNMP-based services for locating and monitoring network nodes.

5.4 AppleTalk

AppleTalk is Apple Computer's proprietary (but licensed) network architecture, closely modeled on the OSI 7-Layer Reference Model:
There is often confusion over the differences between AppleTalk-related terms; here are the "Talk" terms and their meanings:

  AppleTalk  Apple's networking protocols (and software) for communications among computer systems, printers, and other peripherals attached to a network.
  LocalTalk  the name given to AppleTalk protocols when they are utilized over Apple's low-cost, medium-speed (230,400 bps) coaxial cabling system (or third-party twisted-pair equivalents). The "LocalTalk" icon in a Macintosh's Network Control Panel directs the system to use the built-in LocalTalk hardware (the printer port).
  EtherTalk  the name given to AppleTalk protocols when they are utilized over Ethernet media. The "EtherTalk" icon (or icons) in a Macintosh's Network Control Panel directs the system to use an Ethernet interface on the system for network communications.
  Ethernet   a packet delivery system (and data link-level protocol) for local area networks, developed by Xerox, Intel, and DEC; today run at 10 megabits per second.

Note: In the MacTCP Network Control Panel, both "EtherTalk" and "Ethernet" icons are typically found. In this context, "EtherTalk" refers to encapsulating TCP/IP inside of AppleTalk packets on the Ethernet; "Ethernet" refers to direct use of IP on "top" of Ethernet - the norm on NYU-NET.

6. Configuration Guidelines

6.1 Summary of Requirements
Computer hardware elements on NYU-NET fall into two categories:

- End-user computing systems (e.g. microcomputers, workstations)
- Infrastructure devices (e.g. repeaters, hubs, bridges, routers, file servers capable of routing)

Both kinds of computing devices must be configured for proper cooperative use on NYU-NET. Later sections of this document go into some degree of detail, but since many particulars vary from device to device or vendor to vendor, it will sometimes be necessary for network managers to consult with the Network Operations Center (NOC) to determine various configuration parameters. Infrastructure devices, in particular, require special care from time of selection through configuration and ultimate attachment to NYU-NET in order to guarantee that they have no negative impact on the network.

Both end-users and local network managers must observe the following general rules:

- When a new end-user computing system, such as a UNIX workstation or PC, is intended for attachment to NYU-NET, its networking software must be properly configured. Most important, TCP/IP connectivity requires assignment by the NOC of a numeric address and name for the system. See the section below on Configuration Guidelines: TCP/IP Hosts and Appendix B: Obtaining Network Names and Numbers.
- File servers, such as Novell NetWare file servers, also require careful configuration in order to coexist on NYU-NET. See the section below on Novell NetWare file server configuration.
- All new infrastructure devices to be attached to NYU-NET must be procured with SNMP capabilities, and then must be configured with SNMP enabled in order to participate in basic NYU-NET management.
- The NOC must be notified prior to the attachment of new infrastructure devices.
- Any proposed augmentation of the NYU-NET cabling system must be discussed with networking staff members at the NOC.
6.2 Network Management Aspects - SNMP

SNMP (the Simple Network Management Protocol) is the primary network management protocol used on NYU-NET. All capable systems should run an SNMP daemon (SNMPD) which allows the equipment to be asked questions about its setup, traffic counts, routing information, and so on. All new network infrastructure devices (e.g. hubs, bridges, routers) and hosts (including workstations and file servers) MUST be equipped at time of purchase with SNMP.

If there is not a local, well-maintained, SNMP network management station used by a school or department network manager, then:

1. All SNMP-manageable devices which can send traps should be configured to do so.
2. Traps should be sent to the NOC, to address 128.122.128.24.

If there is a local SNMP management console, then the following rules govern the sending of traps:

1. All SNMP-manageable devices which can send traps should be configured to do so.
2. Devices which can send traps to multiple management consoles should send to both the NOC (128.122.128.24) and to the local console.
3. For devices which can only send traps to a single management console:
   - if the device is a network infrastructure device like a bridge or router, it should trap to the NOC (128.122.128.24)
   - if the device is a purely locally managed device (e.g. a local workstation) it should trap to the local management console.

The community string "public" is used on NYU-NET.

7. Configuration Guidelines: TCP/IP Hosts

7.1 General Points

The precise details of network hardware and software configuration depend, in every case, on the specifics of machine hardware configuration, operating system version, and network software to be used. In general, however, it is necessary to follow these steps before connecting a TCP/IP-enabled machine to NYU-NET:

1. Prior to purchase, make sure that your networking hardware (typically Ethernet board plus cabling) is of the correct type for your local connection to the NYU-NET cabling system.
   For example, there are three different types of Ethernet connections: "thick", "thin", and
   "twisted-pair".
2. When a new machine (or network interface board) is ready to be installed, an Internet (IP) name and numeric address must be assigned. See Appendix B: Obtaining Network Names and Numbers for details on the procedure to follow. (This step is not necessary if you are installing a Macintosh on a LocalTalk network.) If you are installing a Macintosh on an Ethernet, see Appendix D which describes MacTCP and its installation, including the procedure used to obtain the Ethernet address (firmware address) of a Macintosh Ethernet interface.
3. The Academic Computing Facility and Network Operations Center wish to guarantee that all workstations and other TCP/IP devices be configured correctly for NYU-NET, and will provide assistance to departmental staff in configuring and attaching these devices to the network.

7.2 Fundamental TCP/IP Information for NYU-NET

Q. What is the name of the network?
A. NYU-NET. The Internet domain name for NYU-NET is "NYU.EDU".

Q. What is the network number?
A. NYU-NET is assigned a Class-B Internet network number: 128.122.0.0 (in hex: 80.7A.00.00)

Q. How are network addresses and names assigned?
A. For TCP/IP address and name assignment, send E-mail to hostmaster@nyu.edu or to your local school authority for network address and name assignment. For details, see Appendix B: Obtaining Network Names and Numbers.

Q. Is subnet routing done on NYU-NET?
A. To a limited (but growing) degree. The numeric address space of NYU-NET's class B network (128.122.0.0) is sub-divided into 254 8-bit subnets (128.122.x.0), where x can range between 1 and 254. For the most part, these are "logical" subnets, since the physical network segments for these subnets are not yet, for the most part, behind IP routers. As more routers are introduced, "logical" subnets become true, physical, routed subnets.
   Addendum 6 provides a complete listing of NYU-NET subnets which are currently in use, with indication of whether or not they are currently "logical" or "routed" subnets.

Q. Within subnet "x", what addresses can be assigned to nodes on NYU-NET?
A. Addresses 128.122.x.2 through 128.122.x.253 may be used.
   128.122.x.0      means the subnet itself.
   128.122.x.1      is the bridge/router connecting this subnet to NYU-NET
   128.122.x.254    is reserved for test equipment
   128.122.x.255    is reserved for IP broadcasting

Q. What is the network mask?
A. For logical subnets, 255.255.0.0 (FF.FF.00.00).
   For routed subnets, 255.255.255.0 (FF.FF.FF.00).

Q. What is the broadcast address?
A. For logical subnets, 128.122.0.0 (80.7A.00.00)
   For routed subnets, 128.122.x.255 (80.7A.XX.FF)

Q. Why isn't the broadcast address 128.122.255.255 for logical subnets?
A. Because of a technical problem with various implementations of TCP/IP that are derived from the BSD 4.2 UNIX distribution. Once the last group of Suns running SunOS 3.2 through 3.5 are gone from the bridged backbone, we will be able to switch universally to the official IP broadcast address form (all-1s in the host portion).
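The answers above fix the assignable host range and the netmask and broadcast address for logical versus routed subnets, so an interface's settings can be checked against them mechanically. The shell functions below are an added example, not part of the handbook; the function names and the sample address 128.122.5.10 are constructed for illustration.

```shell
# Added example, not from the handbook. Function names are this example's
# own; 128.122.5.10 is a constructed sample address.

# is_octet N: true if N is a decimal integer 0..255 with no leading zero.
is_octet() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# nyu_host_plan ADDR KIND (KIND: "logical" or "routed")
# Prints "netmask=M broadcast=B" for an assignable host address; otherwise
# prints the reason on stderr and returns 1.
nyu_host_plan() {
    addr=$1; kind=$2
    case $addr in
        *[!0-9.]*|*.*.*.*.*) echo "$addr: not a dotted quad" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "$addr: not a dotted quad" >&2; return 1 ;;
    esac
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        is_octet "$o" || { echo "$addr: bad octet '$o'" >&2; return 1; }
    done
    [ "$o1" -eq 128 ] && [ "$o2" -eq 122 ] ||
        { echo "$addr: not on NYU-NET (128.122.0.0)" >&2; return 1; }
    [ "$o3" -ge 1 ] && [ "$o3" -le 254 ] ||
        { echo "$addr: subnet number must be 1..254" >&2; return 1; }
    case $o4 in
        0)   echo "$addr: names the subnet itself" >&2; return 1 ;;
        1)   echo "$addr: reserved for the bridge/router" >&2; return 1 ;;
        254) echo "$addr: reserved for test equipment" >&2; return 1 ;;
        255) echo "$addr: reserved for IP broadcasting" >&2; return 1 ;;
    esac
    case $kind in
        logical) echo "netmask=255.255.0.0 broadcast=128.122.0.0" ;;
        routed)  echo "netmask=255.255.255.0 broadcast=128.122.$o3.255" ;;
        *)       echo "unknown subnet kind '$kind'" >&2; return 1 ;;
    esac
}

# hex_mask_to_quad M: turn an 8-digit hex netmask, as BSD ifconfig prints
# it (ffff0000), into dotted-quad form; anything else passes through.
hex_mask_to_quad() {
    case $1 in *[!0-9a-fA-F]*) echo "$1"; return 0 ;; esac
    [ "${#1}" -eq 8 ] || { echo "$1"; return 0; }
    h=$1
    a=${h%??????}; h=${h#??}
    b=${h%????}; h=${h#??}
    c=${h%??}; d=${h#??}
    echo "$((0x$a)).$((0x$b)).$((0x$c)).$((0x$d))"
}

# nyu_check_inet KIND ADDR MASK BCAST: compare the values on an ifconfig
# "inet" line with the plan. Prints one line per mismatch and returns 1;
# prints nothing and returns 0 when the interface conforms.
nyu_check_inet() {
    plan=$(nyu_host_plan "$2" "$1") || return 1
    want_mask=${plan#netmask=}; want_mask=${want_mask%% *}
    want_bcast=${plan#*broadcast=}
    got_mask=$(hex_mask_to_quad "$3")
    rc=0
    [ "$got_mask" = "$want_mask" ] ||
        { echo "netmask $got_mask, expected $want_mask"; rc=1; }
    [ "$4" = "$want_bcast" ] ||
        { echo "broadcast $4, expected $want_bcast"; rc=1; }
    return $rc
}

# Constructed case: a logical-subnet host using the all-1s broadcast form.
nyu_check_inet logical 128.122.5.10 ffff0000 128.122.255.255 || true
```
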
Q. What is the default router for machines on NYU-NET?
A. For logical subnets, 128.122.128.44 (NYEGRESS.NYU.EDU)
   For routed subnets, 128.122.X.1 (the router which attaches subnet X to NYU-NET)

Q. What domain are NYU-NET machines in?
A. All NYU-NET machines are in the domain "NYU.EDU". But most machines are identified specifically in a "sub-domain" of NYU.EDU such as "med.nyu.edu" or "stern.nyu.edu" or "acf.nyu.edu". The use of sub-domains continues the hierarchical Internet naming scheme into NYU-NET, and allows greater precision in naming machines to indicate their ownership.

Q. What are the official NYU-NET name servers?
A. The Academic Computing Facility operates the primary NYU.EDU domain name servers:

    EGRESS.NYU.EDU    128.122.128.24
    CMCL2.NYU.EDU     128.122.128.2
    NYUNSB.NYU.EDU    128.122.129.2

   The Stern School of Business and the Medical Center also maintain domain name servers for their delegated subdomains MED.NYU.EDU and STERN.NYU.EDU.

    EXCHANGE.STERN.NYU.EDU    128.122.130.1
    CAMBIO.STERN.NYU.EDU      128.122.188.145
    MCCLB0.MED.NYU.EDU        128.122.135.4
    MCHIP00.MED.NYU.EDU       128.122.205.115

   In the case of machines in 'med.nyu.edu', the ACF's name servers (EGRESS, CMCL2, NYUNSB) act as secondary name servers; med.nyu.edu hosts may be configured to use ACF name servers in case of local name service failure. The proper TCP/IP configuration for workstations (/etc/resolv.conf typically) and microcomputers with respect to domain name service depends, therefore, upon the location of the computer on NYU-NET.

Q. What TCP/IP routing protocol is used on NYU-NET?
A. RIP, the "Routing Information Protocol".

Q. What external TCP/IP routers are there on NYU-NET?
A. There are two routers to external networks:

   128.122.128.44 NYEGRESS.NYU.EDU
   NYSERNet/PSINet IP router connects network NYU-NET (128.122.0.0) to network NYU-EXT-NET (199.76.177.0), and thence to the rest of the Internet.
   Only routers and multi-homed network service hosts are found on NYU-EXT-NET.

   128.122.128.129 ENTRADA.NYU.EDU
   Router to ESnet (Energy Science network), to IP network 134.55.0.0

7.3 Unix Workstation

All UNIX computers, including both workstations and minicomputers, come equipped for TCP/IP networking. You will need to consult the operating system documentation in order to learn the precise and full details (and commands) for performing the networking configuration. The examples below pertain to a traditional, BSD-type machine and attempt only to provide the "highlights" of performing its networking configuration.

When first booting a UNIX machine, you can expect its console to display the

- Ethernet device designation
  (e.g. "le0" for a Lance Ethernet Interface or "ie0" for an Intel Ethernet Interface) and the
- firmware Ethernet address in the form NN:NN:NN:NN:NN:NN.

The Ethernet device designation is needed (on some machines) for its configuration; when obtaining an IP name and number from the Network Operations Center (see Appendix B), report the firmware address.

The basic steps which need to be accomplished are:

- configure the Ethernet interface (set basic TCP/IP parameters)
- configure the loopback address
- configure for IP routing
- configure the internet daemon (inetd)
- configure the domain name resolver
- edit configuration files

Configure the Ethernet Interface

In this example, the ifconfig (interface configure) command is used to assign the IP address, subnet mask and broadcast address to the interface. Given the following features, and assignment of IP address by the NOC,

- Ethernet Interface: le0
- IP Address: 128.122.x.y
- Name: newmachine.nyu.edu
- Location: on logical subnet 128.122.x.0

then the correct netmask is 255.255.0.0 and the broadcast address is 128.122.0.0. The ifconfig command is:

    # ifconfig le0 128.122.x.y netmask 255.255.0.0 broadcast 128.122.0.0

If subnet "x", on the other hand, were a "routed" subnet (i.e. behind an IP router), then the correct netmask would be 255.255.255.0 and the broadcast address would be 128.122.x.255:

    # ifconfig le0 128.122.x.y netmask 255.255.255.0 broadcast 128.122.x.255

Configure the Loopback Address

It is sometimes necessary to configure the IP address of the "loopback" interface, which is used for troubleshooting purposes. The ifconfig command for this purpose is:

    # ifconfig lo0 127.0.0.1

127.0.0.1 is used on all machines for the loopback address.

If your machine has the netstat command installed, you can use it to identify and check the configuration of its network interfaces:

    # netstat -ain

Ifconfig displays configuration and status information for a known interface, e.g.
    # ifconfig le0

might display something like:

    le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING>
         inet 128.122.x.y netmask ffff0000 broadcast 128.122.0.0

Configure for IP routing

If the machine is diskless, you should set a default route. For example, on a BSD-based machine you can do this as follows.

For a machine on a logical subnet:

    % /etc/route add default 128.122.128.44 1

For a machine on routed subnet X:

    % /etc/route add default 128.122.X.1 1

If the machine is not diskless, and you can spare a process slot and some memory and CPU cycles,
you can run a routing daemon to listen (only) for dynamic routing information. Again, on a BSD-based machine you do this with the command:

    % /etc/routed -q

This command will configure the machine to listen only, and not itself propagate IP routing information.

Configure the Internet Daemon

The internet daemon (inetd) is started at boot time, reading its configuration from the file /etc/inetd.conf. This file contains the identities of the TCP/IP services which the internet daemon will run upon client request. You should comment out the line which configures tftp, since tftp is rarely used and, if improperly configured, can represent a security hole.

Configure the Domain Name Resolver

The domain name resolver is software which allows TCP/IP applications to translate between IP names and numbers, e.g. to determine that the user command:

    # telnet ACF1

means to telnet to the IP address 128.122.128.11. Typically, the resolver configuration is kept in the plain-text file /etc/resolv.conf and consists of only a few lines:

    # Sample domain name resolver configuration file
    #
    domain NYU.EDU
    nameserver 128.122.128.24
    nameserver 128.122.128.2
    nameserver 128.122.129.2

A machine at the Medical Center or Stern School (which have their own primary name servers) would have a different /etc/resolv.conf file which first lists local nameservers.

Edit Configuration Files

TCP/IP implementations traditionally also use a variety of text configuration files, especially:

- /etc/hosts
- /etc/networks
- /etc/protocols
- /etc/services

Since the advent of the domain name service (DNS) the importance of /etc/hosts is vastly reduced. The NOC discourages you from attempting to build up an old-style, huge hosts file.
You should, however, make an entry in this file for the machine itself:

    # sample /etc/hosts file
    #
    127.1          localhost
    128.122.x.y    newmachine.nyu.edu

The /etc/networks file should contain, minimally, the following two lines:

    # sample /etc/networks file
    # (each entry is: network-name network-number)
    loopback-net   127
    nyu-net        128.122

The /etc/protocols and /etc/services files typically require no special configuration.

7.4 Apple Macintosh

Every Apple Macintosh which is to communicate via TCP/IP on NYU-NET must be assigned an internet name and number by the Network Operations Center. See Appendix B: Obtaining Network Names and Numbers.

The NOC strongly recommends the use of BOOTP to provide network-related information at boot/run-time to all microcomputers on the network. Information provided includes the IP address of the requesting microcomputer, as well as the identity of name servers and external routers - thereby reducing the necessity for management of ASCII configuration files on individual microcomputers. Use of BOOTP also assists network managers in limiting off-campus Internet access to authorized
members of the community.

TCP/IP applications for Apple Macintosh rely upon Apple's MacTCP drivers: use of MacTCP frees the software developer from a great deal of work implementing the core TCP/IP protocols. The Academic Computing Facility has licensed MacTCP on behalf of New York University for use on machines connected to NYU-NET. See Appendix D: MacTCP - Availability and Installation for a detailed discussion of installing MacTCP on NYU-NET Macintoshes.

The majority of Macintoshes on NYU-NET which utilize TCP/IP protocols do so with non-commercial (no cost!) software developed primarily at other universities on the Internet, including:

- TELNET: Telnet from NCSA/BYU; TN3270 from Brown University
- FTP: Fetch from Dartmouth College
- E-Mail: Eudora (originally from U. Illinois, now from Qualcomm, Inc.); Pegasus Mail with Clarkson University's Charon SMTP gateway
- Gopher: Gopher Client to NYU Campus-Wide Information Service from University of Minnesota

Here is a portion of a configuration file for NCSA/BYU Telnet, showing valid TCP/IP-related settings. Be sure to observe the FTP-related settings, as this version of Telnet also can act as an FTP server (incoming file transfer requests to your Mac); at a minimum, this capability should be password protected.
7.5 IBM PC

Every IBM-type PC which is to communicate via TCP/IP on NYU-NET must be assigned an internet name and number by the Network Operations Center. See Appendix B: Obtaining Network Names and Numbers.

The NOC strongly recommends the use of BOOTP to provide network-related information at boot/run-time to all microcomputers on the network. Information provided includes the IP address of the requesting microcomputer, as well as the identity of name servers and external routers - thereby reducing the necessity for management of ASCII configuration files on individual microcomputers. Use of BOOTP also assists network managers in limiting off-campus Internet access to authorized members of the community.

The majority of IBM-type PCs on NYU-NET which utilize TCP/IP protocols do so with non-commercial (no cost!) software developed primarily at other universities on the Internet, including:

- TELNET: Telnet/TN3270 from Clarkson University; NCSA Telnet; MS Kermit from Columbia University
- FTP: Clarkson University FTP; NCSA FTP
- E-Mail: NUpop from Northwestern University; Pegasus Mail with Clarkson University's Charon SMTP gateway
- Gopher: Gopher Client to NYU Campus-Wide Information Service from University of Minnesota

The capabilities of all these software packages are based upon PC use of a "packet driver". The original packet driver concept was to develop Ethernet board drivers which would allow multiple
protocols to co-exist in a PC - especially to allow a NetWare client to run TCP/IP software packages while attached to a file server. Packet drivers were originally distributed by Clarkson University, but are now distributed by Crynwr Software on a no-cost basis.

It should be noted that many commercial TCP/IP software offerings for PCs are not compatible with Crynwr packet drivers; use of such software on a PC might preclude ready use of the non-commercial TCP/IP software listed above. For users of Novell ODI network board drivers, there is a special packet driver (ODIPKT) which allows packet driver-based TCP/IP software to run on top of ODI.

A typical PC packet driver configuration (e.g. in autoexec.bat) would be:

    1. wd8003e 0x7f 0x0A 0x300 0xCC00
    2. winpkt 0x7e 0x7f

Line [1] loads the packet driver for Western Digital Ethernet boards, grabbing software interrupt 0x7f for subsequent communications between software and the packet driver. In this particular case, the Ethernet board is set up for IRQ 10, I/O port 300, RAM (paragraph) address of CC00. IRQ 10 is a good choice on AT-class (or above) PCs, as it does not conflict with standard PC hardware devices (e.g. serial and parallel ports).

Line [2] is a special packet-driver "shim" which is designed to allow the basic WD packet driver to function safely under Microsoft Windows. Note that software interrupt 0x7e is now used for applications to communicate with the packet driver.

A TCP/IP application would then be configured for packet driver use. Here is a portion of a configuration file for Clarkson Telnet, showing valid packet driver and TCP/IP-related settings. Be sure to observe the FTP-related settings, as this version of Telnet also can act as an FTP server (incoming file transfer requests to your PC); at a minimum, this capability should be password protected.
8. Configuration Guidelines: Routers

8.1 General Router Issues

Routers are networking devices which "route" or "forward" data packets from one machine to another and from one network to another network. There are many different kinds of routers, depending upon the specific functions desired and the type of software and hardware used to perform them. One special type of router is called a "brouter" - a device which "routes" some protocols, and "bridges" others.

Above all it should be remembered that routers route specific protocols: there are IP routers for communications via TCP/IP; there are IPX routers for communications via the Novell IPX protocol; there are AppleTalk routers for communications via AppleTalk protocols used by Apple Macintosh computers. There are routers which only route one kind of protocol; there are multi-protocol routers which can handle many protocols simultaneously.

Note the following facts:

- Almost any UNIX workstation or minicomputer can be (mis)configured as a router. See the section above on Unix Workstation Configuration for basic guidelines in this regard.
- Any AppleTalk device which interconnects AppleTalk networks may be an AppleTalk router. A Macintosh can run software (e.g. Apple's Internet Router software) and become an AppleTalk router.
- A Novell server is automatically an IPX router. A Novell server may also be configured as an AppleTalk or as an IP router.

Routers and brouters require special care in their selection, configuration, and installation. The Network Operations Center must be advised of and consulted on all bridge, brouter, and router procurement and installation prior to purchase.
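Two of the handbook's Unix host rules, commenting out tftp in /etc/inetd.conf and running routed with -q so that a workstation does not end up acting as a router, can be checked with a few lines of shell. The functions below are an added example, not part of the handbook; the function names and the sample inetd.conf and ps lines are constructed for illustration.

```shell
# Added example, not from the handbook. Function names are this example's
# own; the inetd.conf and ps lines below are constructed samples.

# inetd_tftp_enabled [FILE]: print each active (uncommented) inetd.conf
# entry for the tftp service; return 0 if any exists, 1 if none.
inetd_tftp_enabled() {
    awk '
        /^[ \t]*#/   { next }                 # commented-out entry
        $1 == "tftp" { print; found = 1 }
        END          { exit (found ? 0 : 1) }
    ' "$@"
}

# routed_not_quiet [FILE]: read ps output and print each routed process
# started without -q, which may supply RIP routes instead of only
# listening; return 0 if any exists, 1 if none. Heuristic: any field
# whose basename is routed (or in.routed) is taken as the command.
routed_not_quiet() {
    awk '
        {
            cmd = 0
            for (i = 1; i <= NF && !cmd; i++) {
                name = $i
                sub(/.*\//, "", name)
                if (name == "routed" || name == "in.routed") cmd = i
            }
            if (!cmd) next
            quiet = 0
            for (i = cmd + 1; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*q/) quiet = 1
            if (!quiet) { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/etc/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/etc/in.telnetd  in.telnetd
tftp    dgram   udp  wait    root  /usr/etc/in.tftpd    in.tftpd
EOF
}

sample_ps() {
    cat <<'EOF'
  PID TT STAT  TIME COMMAND
   61 ?  S     0:01 /etc/inetd
   74 ?  S     0:03 /etc/routed
EOF
}

# audit_samples: run both checks on the samples above, label each finding,
# and return the number of checks that failed (0 means the host conforms).
audit_samples() {
    fails=0
    if hit=$(sample_inetd_conf | inetd_tftp_enabled); then
        echo "FAIL tftp enabled: $hit"; fails=$((fails + 1))
    fi
    if hit=$(sample_ps | routed_not_quiet); then
        echo "FAIL routed not quiet: $hit"; fails=$((fails + 1))
    fi
    return "$fails"
}

audit_samples || true
```

On a real host, pass /etc/inetd.conf to inetd_tftp_enabled and pipe the local ps listing into routed_not_quiet.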
