This page provides the policies and expectations for the Visitors subnet at SLAC.
General guidelines for all SLAC subnets
By policy, unless approved by SLAC networking, we do not provide spare ports in
offices in case a casual user might want to connect to the SLAC network. Such
ports are generally made available in public areas and are on the Visitors
subnet. If extra ports are required in offices, the requester will need to
justify the request and provide an account to charge. An example of such a
requirement is an office or area that is typically used by students or
visitors who are at SLAC for a short time.
Shared hubs must not be placed on switched ports to add extra connections.
Not only does this violate the policy on
No Tampering with Telephone, Networking cables or Equipment, but adding such
hubs also causes problems with the switch ports and reduces security, since
they facilitate sniffing of passwords etc. Existing shared hubs installed or
approved by SLAC networking are an exception, and we are working to replace
these as the budget becomes available.
Only people who have read and agreed to the SLAC appropriate use document
may use computers on SLAC subnets. A SLAC userid and password are
required to access many of SLAC's computer services. A corollary is that
computers with guest accounts with no password are not allowed inside the
SLAC firewall, since they could access SLAC protected services.
We strongly encourage that SLAC printers be placed with an address in the
SLAC Internet Free Zone (IFZ).
We are reviewing where to place hosts that run an unsupported operating
system (e.g. Windows 98 or Debian Linux); at the moment we encourage that
they be placed on the Visitors subnet.
The Visitors subnet is located outside the SLAC firewall.
Thus its security is the same as connecting to an ISP. It is the
responsibility of users of the Visitors subnet to protect their
communications, e.g. by using a Virtual Private Network (VPN).
Do NOT use applications (such as POP/IMAP/FTP/telnet)
that will put unencrypted passwords onto the network.
The Visitors subnet is meant for light casual use, including mobile SLAC
users, visitors such as occasional collaborators, conference/meeting
attendees, vendor demonstrations, and people not registered at SLAC.
We monitor the utilization of the Visitor subnet looking for
capacity issues, so we can add more capacity when needed. We also scan it
for vulnerabilities such as unencrypted passwords.
Like other networks at SLAC, the Visitor network receives
best-effort service.
If a critical problem is reported we will try to address the issue
in a timely fashion.
Priority for addressing problems will naturally go to networks
which are more critical to the SLAC mission.
The Visitor subnet is different from other subnets:
Hosts do not have to be registered; hosts are automatically
given dynamic IP addresses and names by DHCP.
This makes it harder to track down problems, so problems may take longer
to solve.
Server ports, apart from appropriately registered ports,
are blocked to the Visitor subnet, so servers should not
be placed on this subnet. The following servers are supported on
the Visitors subnet: anonymous DHCP, Citrix terminal server,
wireless access server.
Given the above caveats, do not place mission critical applications
on the Visitor subnet.
SLAC supported printers can be accessed from the Visitors subnet using
printserv.slac.stanford.edu (alias lpd01), see
Printing using LPR in Windows. We are reviewing whether to allow printers on
the Visitors subnet.
Hosts on the visitor network that are seen as possible 'scanning hosts',
including those that might be running Skype as a supernode (or some other
P2P software), will be put in the penalty box
and have their network speed and throughput drastically reduced.
Wireless access
To avoid interference with other wireless deployments such as ongoing
SLAC research activities sensitive to wireless networking frequencies,
and to ensure interoperability and maintain network security and
reliability, anyone interested in wireless networking technologies
must contact SCS Networking before initiating any wireless access
point purchases or starting any SLAC wireless deployment planning.
The wireless access ports are only placed on the Visitor subnet and so fall under the
policies and expectations above. For more information on the wireless network see:
Wireless Networking at SLAC.
The wireless network is a shared medium, so:
There is a limit of << 11 Mbps on the aggregate bandwidth for an access
point.
Passwords and other information can be sniffed.
The maximum bandwidth available to a host depends on distance from the
access point, attenuation and noise, and typically is in the 1-4 Mbits/s
range.
It is the user's responsibility to install, configure and make the wireless
application work.