Visitor Access to UCInet Mobile Access

UCInet Mobile Access is UCI’s wireless (WiFi) network, accessible from almost anywhere on campus.  Normally, access to this network is restricted to devices previously registered by their campus (faculty, staff, student) owners.

However, the wireless network includes a system for limited, short-term access by visitors.  Through this system, called “Visitor Express Registration,” visitors may connect to the network, agree to certain terms of use, then be connected to UCInet for a 24-hour period up to seven times in a month.  Visitor use of UCInet is restricted to Web, email (IMAP and SMTP), and secure shell (SSH).

If visitors need longer access than Visitor Registration provides, a UCI faculty, staff, or graduate student may register the visitor’s device for up to 4 weeks using manual registration.  The visitor only needs to supply the MAC address.

UCI also supports the Eduroam standard, allowing visitors whose home institution also supports Eduroam to use that network ID to connect to UCInet Mobile Access.

OIT Upgrades Interface to the Internet

OIT used the holiday break as an opportunity to upgrade the border router and campus firewall, improving network performance and reliability.  The timing was chosen to minimize the impact on members of the campus community who rely on UCInet Internet connectivity.

Prior to this project, UCI had a single system providing the link between UCInet and the Internet, and this device was also responsible for providing the campus firewall service.  This represented a vulnerability, in that hardware failure could result in loss of connectivity.

The border router was also aging, having been put into service in August of 2003, and Cisco had announced the end of maintenance for this model later this year.

The project replaced the components within the border router, added a second border router, distributed Internet services between them, and isolated the firewall service to its own redundant systems.  Tests have demonstrated a significant increase in network bandwidth as well.  Now if one of the two routers should go down, connectivity will be sustained by the redundant architecture of the new system.

The current arrangement also makes use of Cisco’s Virtual Switching System technology, allowing the two routers to be managed as a single service.

An upcoming goal is to house the two border routers in different buildings.  One will remain in Central Plant, and the other will be housed in OIT’s SSPA network vault.  This geographic distribution will further reduce the risk that loss of power or other facilities to a single building could interrupt UCI’s connection to the Internet.

Visitor Access to UCInet

UCInet Mobile Access

1-Day Access

Visitors to the campus who need temporary access to the internet with a laptop or mobile device may make use of Express Registration for the UCInet Mobile Access network.  In order to do this, the visitor should go to a wireless access location, open a web browser, and connect to any web page.  (See list of wireless locations). This will direct the visitor to our registration process.  Access is granted for 24 hours, and this access will only be granted seven times in a 30-day period. Visitor access is restricted to Web, email, and secure shell (SSH).

4-Week Access

There is a second option for visitors who need access to UCInet beyond the restrictions of Express Registration.  Manual Registration is a process by which UCI faculty, staff, or graduate students can authorize access for a visitor.  The authorizer will need to use his or her own UCInetID and password, and will need the MAC address (the unique address of the network card) of the visitor’s laptop or other mobile device.  More information on these two options can be found at the UCInet Mobile Access Registration page.

Longer-Term Access

Another option is available for guests whose visit to UCI will be longer than a month.  (Examples include visiting scholars, volunteer faculty/staff, or those who may be employees of a different UC campus but are teaching here.)  In these cases a faculty or management-level staff member may request a Sponsored UCInetID for the visitor.  This is essentially a normal UCInetID, but it is only valid for as long as the sponsor authorizes it — typically one to four quarters.  Note that the Sponsored UCInetID request form is now online and requires the sponsor to log in with his or her own UCInetID and password.

Eduroam

Visitors from participating educational institutions may choose to gain access to UCInet using their home-campus network identities via the Eduroam secure federated network access service.  For eligible visitors, this option may be a better choice given the requirements and restrictions of the alternatives listed above.

Register your Server

As the number and severity of security challenges continue to grow, NACS works hard to ensure that UCInet remains a useful, robust, and safe place to work. Toward that end, NACS now offers campus units the opportunity to block incoming network connections to their systems. Connections initiated from systems on your network will continue to work, so typical usage such as web browsing, email, instant messaging, and so forth, will be unaffected.

In order to support those services on your systems that do rely on incoming connections (such as web servers), NACS offers server registration. Using a simple form, you can identify which systems, and which services on those systems, need to be accessible from off-campus.

A number of departments are already using server registration in conjunction with inbound connection blocking, with great success, to improve the security of their environments. It is a good idea to begin using server registration, even if you are not yet contemplating inbound connection blocking. To learn more, or to get started, please visit:

http://www.nacs.uci.edu/network/servers/

Blocking Misbehaving Systems Protects UCInet

NACS is working hard to ensure that a robust and secure UCInet is always available to do the University’s business. To that end, we will occasionally deny access to systems which threaten the safe operation of the network.

Whenever a system connected to the UCInet is discovered attacking other computers, or engaging in other forms of inappropriate behavior (such as the illegal distribution of copyrighted material), NACS may block that system from further network access. Occasionally, NACS may also block systems that have not been patched in a timely manner against particularly nasty viruses.

There are two simple strategies you can follow if you suspect your system has been blocked. You can search the blocked systems list at http://www.nacs.uci.edu/ucinet/blocked/ (usually, you’ll need to use an unblocked system to do that). Or, you can call NACS at (949) 824-2222. Our helpful consultants will explain why your system was blocked, and what to do to correct the problem. Generally, once you have taken the appropriate steps, the system can be unblocked within a few hours. Please note, however, that unblocking can only be performed during regular business hours except in emergency situations.

NACS is responsible for UCInet, but you are responsible for the proper operation of your own systems. By staying up to date on security patches, and by carefully abiding by the Computer and Network Use Policy at http://www.policies.uci.edu/adm/pols/714-18.html, you can preserve your access to the UCInet and help guarantee a secure and reliable service for the entire campus.