Infrastructure
From Interlock Rochester Wiki
m (→Interlock Rochester Infrastructure) |
m (→Interlock Rochester Infrastructure) |
||
| Line 11: | Line 11: | ||
| [[Hackerspace_Security_System|Security]] || [[User:Antitree|Mark Manning]] | | [[Hackerspace_Security_System|Security]] || [[User:Antitree|Mark Manning]] | ||
|- | |- | ||
| - | | [[Network Infrastructure Group|Network]] || [[User:Ben Woodruff|Ben Woodruff]] || [[User:fvox13|Steve Smith]] [[User:IGadget|Rowan Hawkins]] | + | | [[Network Infrastructure Group|Network]] || [[User:Ben Woodruff|Ben Woodruff]] || [[User:fvox13|Steve Smith]], [[User:IGadget|Rowan Hawkins]] |
|- | |- | ||
|} | |} | ||
Revision as of 04:47, 8 January 2010
Contents |
Interlock Rochester Infrastructure
| Sub-group | Lead | Members |
|---|---|---|
| Power | ||
| Environment | ||
| Security | Mark Manning | |
| Network | Ben Woodruff | Steve Smith, Rowan Hawkins |
NOTE: This page contains information with regard to network/server setup for the final space, not the temporary one. For the temp space, power distribution can be done with extension cords, while network access will be ad-hoc in nature.
Power
Overhead cord reels are a solution, but they must not remain plugged in at their source when not in use in order to comply with fire code. Cable trays are not a good solution for power. (They are a pain in the ass.)
Environmental
The space will need to have environmental controls in the event that servers will be kept in location. The general operating temperature of servers and network equipment should be around 75F. In order to ensure this, the purchase of an AC system may be necessary depending on what projects we approve.
Things we may need to acquire:
Heater<-- Heat is included- Air Conditioner
- Dehumidifier
Thermostat/Thermometer<-- Usually bundled with AC
Recycling
We don't want to horde a bunch of stuff that will never get used, but things that are likely to get recycled (especially scraps of raw materials) we should hold on to. This not only potentially benefits the environment, it's in our best interest from a costs perspective as well.
Network
The network infrastructure group will create and maintain the network acceptable use policy. The policy will be approved by the board of directors and then signed by every member who wants access to any of the following networks.
In order to meet the demands of the group over time, the network will be segregated into 3 main segments: (in order of priority for setup)
Each main segment will have an associated color code for its jacks (as is seen above), both on the walls, as well as near the network equipment. Category 6 cabling would be preferred for the environment. Each wall plate should be 6 feet apart, and should contain at least 1 of each colored jacks. Every jack should had 2 drops associated with it.
| Network/Mask | Name | Description |
|---|---|---|
| 172.20.0.0/16 | Production | Supernet slice for all production networks |
| 172.20.0.0/24 | Core | Core Equipment (routers, switches, etc) |
| 172.20.10.0/24 | Servers | Servers (LDAP, DHCP, DNS, etc - assuming not provided by router) |
| 172.20.20.0/24 | Wired Hosts | Shared workstations |
| 172.20.30.0/24 | Wireless Hosts | Registered Member laptops |
| 172.20.50.0/24 | Wireless Guests | Event Participants, Class registrants, etc - May be partitioned into a separate network, see below |
| 172.25.0.0/16 | Playground | Network specific for individual projects. Should be sliced further to /24 and /26 networks as needed |
| 172.30.0.0/16 | Warzone | A place where invasive network attacks can occur. Will be a stub network with no regular Internet access |
Internet
We are currently voting on the options Steve presented (namely a 10/1 Business DSL connection from Frontier): http://groups.google.com/group/interlock-rochester/t/9ff36f644c27bfe
Other Options
- We are in discussion with other ISPs, including Cogent, Fibertech, Frontier, AFS, Netsville, Paetec, and TW Telecom. Discussion
Production
The production network will be the main segment and will provide network access to Interlock's members. This network will be subdivided into 5 separate subnets, to help manage IP growth, and secure vital systems. The production network will not be used to perform penetration testing or other white hat hacking (port scans, IP sweeps, DoS, etc). The production network must have reliable uptime, as that other members will be dependent on it.
Change Control
The infrastructure group will need to determine a method to log changes to the network. A consensus must be reached within the group before any change can be done on the production network. Change management will loosely follow ITIL Recommendations.
Access
Access to core network equipment and topology will be restricted to those in the infrastructure group.
Services
- RADIUS/LDAP Server
- Central Authentication repository
- Should be linked with Google Apps
- Web Server
- Host the wiki, website, etc
- CoLo Boxes
- Not intended to host production/high bandwidth websites
- Used for offsite backup
- DHCP Server
- IP addresses will only be given out to know and trusted network adapters.
- A device registration system, like RIT's start.rit.edu, would be useful
- DNS Server
- File Server
- Access via SFTP, SMB, or WebDAV possibly
- VPN Server
- Provide VPN access to the network. This needs to be decided as to whether this will be implemented, and the scope of the build.
- Streaming Music Server
- Use a AirPort Extreme AP to play music via AirTunes
- Image Server
- RIS or Ghost
Playground / Project
- 172.25.x.y
- Each project should claim an address space (ie 172.25.15.y) so we can tell what traffic is coming from which projects
- Temporary, dynamic, but more static and stable than the warzone
- Change management much more loose than production network but there should be some expectation of reliability so please at least check with someone unless you're very sure of what you're doing
- Access to the internet
- Area to play with an test new technologies (for example, play with VOIP/SIP)
Warzone
- 172.30.x.y
- No expectation of reliability
- Relatively open access to equipment / no change management
- No expectation of structure, very dynamic depending on project use etc, may use different IP address schemes if it doesn't connect to the other two networks in any way
- Expect to have equipment probed / pen tested
- No internet connectivity? Expect machines to be exploited / infected?
- "Rogue" access points allowed (maybe include DHCP message that states you'd better be sure you want to connect to this network - want to be friendly with our neighbors)
References
- NEC 210.52
Audio-Visual System
Audio
- Public Address system array across the ceiling
- Two speakers rigged to the top corners of the room
- Surround sound rigged to the top of the room (low priority)
- Inputs to an audio mixer/home receiver
- Sources: Microphone, CD/DVD, computers
Video
- Ceiling mounted projection
- Screen
- Sources: DVD, computers
