Attendees:

Irwin, Ben, Kent, Jeff, Bernard, Les

Current state

  • Was the only wireless network for many years.
  • Have a lot of SLAC access on the visitor network.
  • Many users bypass secure wireless.
  • May not be appropriate for SLAC business.
  • Does not allow/block by application policy.
  • Is visitor traffic encrypted? If not, it could lead to capture of items.
  • No inbound to visitor (blocked at the visitor router ACL) and no intra-network access (i.e. no servers).
  • Bandwidth to the whole visitor network is 1Gbps aggregate; not an issue so far.
    • Plan to upgrade to 10Gbps, but a problem: it uses old technologies (some protocols no longer supported), needs re-architecture.
  • SLAC secure wireless is 4Gbps aggregate; not a problem now based on monitoring.
  • Mission critical for customers who come here from offsite.

Way forward

We are wrapping up the perimeter project.

  • Do we declare victory?
    • A few months down the road, do visitor.
    • Then another project that may need justification.
    • Or do we include this under the current approved project?
    • If we do nothing, how do we justify it?
      • Our visitor traffic goes through PANs, and PANs block URL categories such as porn (like BlueCoats used to).
      • Can’t justify it as it’s preferred by users to bypass things.
    • Benefits
      • Visitor is a clumsy way for people to debug their own problems.
      • They need an escape valve.
    • Update the visitor documentation security discussion to add:
      • PAN threat protection
      • CFM application; Kent will investigate, probably needs testing, check documentation
      • Broad outbound connectivity
      • Anything on border ACL policy, inbound or outbound?
      • Add: no inbound and no servers

Need to align with Stanford.

  • Causes problems for DoE visitors with Stanford filters. Maybe a router ACL.
    • Kent to check what technologies are used to apply policies to the visitor network; contact Dave Macia.
    • Rate limit bandwidth.

Enable secure wireless access for everyone with a SLAC ID.

Enforce minimum security for unmanaged devices.

May allow a machine

LLNL treats it as a hotel network, apart from things perceived as a threat; also some categories are not allowed.

LCLS has their own visitor network.

  • Action item for Guillaume to see if he knows anything; also Amedeo or Veracci.

Cloudpath is a gateway for the network: the user goes to a captive portal and it pushes a certificate to the machine.

  • How to move this forward; need Guillaume.
  • Does not support wired ports on visitor since they do not go through the wireless controller.
  • Apple TVs (15) are therefore a concern since they must be wired.
    • They show up over wireless so visitors can project via wireless.

Jeff to run Splunk on the visitor network.

  • No labels