An Overview of the DirectConnect Internet Connection Process and Network Access Control Systems
The following is intended to be a brief overview of how the many systems involved in the DirectConnect Internet Connection Process interact with one another. Detailed descriptions of several of the involved systems can be found on their individual project pages, which can be accessed via the links in the "Related Projects" section of the sidebar. This description reflects the most recent structure of the system and does not discuss the previous procedures these systems have replaced. The first section defines the terms and background needed to understand how the system works. The second section gives an overview of how these systems interact with one another and what functionality the NAC provides.
Names, Roles, and Definitions
Campus Housing - Consists of all on-campus residence halls and the off-campus university-owned Lewis and Clark Village apartments at the University of Montana, Missoula.
DirectConnect - The network and Internet service provided to thousands of University of Montana students living in campus housing. Available via wired network jacks provided for each student in their assigned room.
Dirty Pool - The nickname for the quarantined network segment of the DirectConnect network. All new devices are quarantined in the dirty pool until they have fulfilled the device registration requirements. While in the dirty pool, devices have no access to the Internet or any other network resources. These restrictions are enforced by the network's hardware. The only server accessible to devices in the dirty pool is DCOWeb (see below), which guides the user through the registration process. Devices in the dirty pool network can be identified by IPv4 addresses whose first two octets are 10.247. Devices generally reside in this pool only until they complete the setup process and are therefore leased addresses for periods of less than thirty minutes.
Clean Pool - The nickname for the network segment of the DirectConnect network where devices which have been authenticated and registered are assigned. All new devices must first pass through the dirty pool and complete the registration process to gain access to the clean pool. These devices have full unrestricted access to the Internet and local network resources. Devices in the clean pool can be identified by IPv4 addresses whose first two octets are 10.248.
Banner - The proprietary database used by the University of Montana to manage student information such as personal information, unique student identifiers (e.g. Student ID and NetID), housing assignments in campus housing, class schedules, grades, and much more.
Banner Dump - A daily incremental export of the changes made to the Banner database, sent to SAIT's DCOHome system (see below) so that it can update its own database with the changed student personal information and housing assignments.
Student ID - A unique nine digit identifier assigned to each University of Montana student.
NetID - A unique identifier assigned to each University of Montana student used as a username when accessing many campus network resources.
Student Affairs IT (SAIT) - A department within the University of Montana's Division of Student Affairs. SAIT is responsible for providing technical support to all university students and to university staff within the Division of Student Affairs. SAIT is also responsible for managing, maintaining, and securing the hardware and software used to provide the DirectConnect Internet service.
DCOHome - An internal custom-built web application used by Student Affairs IT. While this system contains a vast number of modules the ones relevant to the DirectConnect NAC System include:
- Student Information: A database of student personal information is maintained for all students who have lived in or currently live in university housing. This includes personal information such as name, student ID, NetID, phone numbers, email addresses, and the present and past housing assignments.
- Network Device Information: A database of devices currently using or previously used on the DirectConnect Internet service. This includes records of each device's identifying information, such as MAC address and operating system, as well as the relationship between each device and the student who owns it.
- DHCP Logs: A database of associations between devices used on the DirectConnect service and their assigned IP address during their time on the network. This also builds associations between when a device was being used and the physical location from where it was getting network access.
- DHCP Pools: A database of independent DHCP ranges available for each physical building making up the University's campus housing. Each building is assigned two unique ranges of IP addresses, one for the dirty pool and one for the clean pool.
- DHCP API: A private API used to communicate with the Wendigo DHCP server (see below).
- Bans: A system used to ban or quarantine devices from the DirectConnect network for a variety of reasons, including virus infections, DMCA violations (see below), unauthorized hardware, or malfunctioning hardware. Bans can target individual devices or all devices associated with an individual student.
- Talos: A custom-made network interface control system used to enable and disable specific interfaces on network switches throughout the DirectConnect network via a web interface built into DCOHome that has information about the buildings, room numbers, and students associated with each switch interface.
DCOWeb - A multi-purpose server responsible for mediating connections with clients in the dirty pool. This server includes two NICs so that it can communicate with both the dirty pool and clean pool networks at the same time. The relevant services provided by DCOWeb include:
- Web: Web pages responsible for presenting information to newly connected devices about the details of the connection process. Also includes registration forms and downloads used to get new devices connecting to the DirectConnect service registered.
- Web API: An API used to facilitate communication between clients in the dirty pool running setup packages (see below) and the DCOHome APIs available only from the clean pool.
- DHCP: See Wendigo.
- DNS: A specially crafted DNS server responsible for providing DNS resolution to all devices in the dirty pool. All DNS requests will, without exception, resolve to the IP address of DCOWeb itself.
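As an added illustration of the DNS service just described (example code written for this page, not DCOWeb's own), the following Python resolver answers every A query with the address of DCOWeb regardless of the name asked, and returns an empty NOERROR reply for other record types. The DCOWeb address 10.247.0.1 and the 30-second TTL are assumptions; the short TTL matters so that the poisoned answer does not stay cached once the device has moved to the clean pool.

```python
import socket
import struct

# Constructed placeholder for DCOWeb's own address (the real value is not on the page)
DCOWEB_IP = "10.247.0.1"
# Short TTL so the poisoned answer expires quickly after the device leaves the dirty pool
SINKHOLE_TTL = 30


def parse_question(packet: bytes):
    """Return (name, qtype, qclass, offset_after_question) for the first question section."""
    offset = 12  # fixed 12-byte DNS header
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, qclass, offset + 4


def build_sinkhole_response(query: bytes, answer_ip: str = DCOWEB_IP) -> bytes:
    """Answer any A/IN question with answer_ip; other types get an empty NOERROR reply."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("exactly one question expected")
    name, qtype, qclass, end = parse_question(query)
    question = query[12:end]
    is_a = qtype == 1 and qclass == 1
    # QR=1, copy the client's RD bit, RA=1, RCODE=0
    response_flags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, response_flags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # Name pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, then the address
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query, as a stub resolver on a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def answered_address(response: bytes):
    """Dotted-quad from the first answer record, or None if the reply carries no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, end = parse_question(response)
    rdlen = struct.unpack("!H", response[end + 10:end + 12])[0]
    return socket.inet_ntoa(response[end + 12:end + 12 + rdlen])


def serve(bind_addr=("0.0.0.0", 53)):
    """Serve the sinkhole over UDP; malformed packets are silently dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_sinkhole_response(data), peer)
        except (ValueError, IndexError, struct.error):
            continue


if __name__ == "__main__":
    serve()
```

Running the file binds UDP port 53, which requires root privileges; build_sinkhole_response can also be called directly with a packet from build_query to inspect the reply the dirty pool would receive.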
Wendigo - The custom-made DHCP server responsible for providing all DHCP leases to all devices connecting to the DirectConnect service dependent upon their registration status.
Rogue DHCP Protection - A technique implemented in all networking equipment throughout the DirectConnect network to drop all DHCP Offer broadcasts except those sent from the Wendigo DHCP server. This prevents unauthorized DHCP providers from interfering with the stability of the DirectConnect network.
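The page does not name the switch feature used, so the following Python filter, added here as an example and not taken from the DirectConnect equipment, shows the decision such protection has to make: parse the DHCP options and drop any server-originated message (Offer, ACK, NAK) whose IP source address or option 54 server identifier is not Wendigo's. The Wendigo address 10.248.0.1 and the packets produced by build_server_message are constructed for the example.

```python
from ipaddress import IPv4Address

# Constructed placeholder for Wendigo's address; the real value is not on the page
WENDIGO_IP = IPv4Address("10.248.0.1")

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that starts the options field
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # types only a DHCP server should send


def parse_options(packet: bytes) -> dict:
    """Return {code: data} for the options of a BOOTP/DHCP payload (RFC 2131 layout)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:      # end option
            break
        if code == 0:        # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def server_message_type(packet: bytes):
    """Name of a server-originated message type, or None for client messages."""
    mtype = parse_options(packet).get(OPT_MESSAGE_TYPE, b"")
    return SERVER_MESSAGES.get(mtype[0]) if mtype else None


def should_forward(packet: bytes, src_ip: str) -> bool:
    """Switch-side policy: pass client messages; pass server messages only from Wendigo.

    Both the IP-header source and the option 54 server identifier must match, so a rogue
    server cannot get through by spoofing only one of them.
    """
    if server_message_type(packet) is None:
        return True  # DISCOVER, REQUEST, etc. from clients are always allowed
    sid = parse_options(packet).get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return False
    return IPv4Address(src_ip) == WENDIGO_IP and IPv4Address(sid) == WENDIGO_IP


def build_server_message(mtype: int, server_id: str, yiaddr: str = "10.247.1.25") -> bytes:
    """Constructed minimal DHCP message for demonstration; not captured traffic."""
    fixed = bytearray(236)
    fixed[0] = 2                                   # op = BOOTREPLY
    fixed[1], fixed[2] = 1, 6                      # htype Ethernet, hlen 6
    fixed[16:20] = IPv4Address(yiaddr).packed      # yiaddr offered to the client
    opts = (bytes([OPT_MESSAGE_TYPE, 1, mtype, OPT_SERVER_ID, 4])
            + IPv4Address(server_id).packed + b"\xff")
    return bytes(fixed) + DHCP_MAGIC + opts
```

In practice this check sits in the switch (trusted uplink port plus server identity) rather than in a script, but the parsing and the two-field comparison are what the hardware is doing on DirectConnect's behalf.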
Setup Package - A custom-made OS-specific local client available from DCOWeb. A setup package is run on a new device and guides the student through the steps needed to secure and register that device. Depending on the operating system of the device, this can include enforcing and facilitating the installation of operating system updates or service packs, enforcing and facilitating the installation of campus-approved antivirus software, ensuring the user understands and agrees to the DirectConnect service's EULA, and gathering personal information about the owner in order to associate the device with the owner and to update the owner's personal information in the DCOHome database.
RTA - Resident Technology Assistant. RTAs are employees of Student Affairs IT and provide support for students getting devices connected to the DirectConnect service.
SolarWinds - A web-based network monitoring tool allowing RTAs to easily see the status of the hardware that makes up the DirectConnect network.
Game Consoles - Network devices which need special attention during the registration process in order to get connected to the Internet. These include most commonly Microsoft Xbox, Sony PlayStation, and Nintendo Wii devices.
Device Invalidation - A process used to forcefully unregister all devices which have gained access to the clean pool and move them back to the dirty pool. Depending on the time of year, game consoles are excluded from this process. Most commonly this process is done prior to the beginning of each new academic semester and forces students to reaffirm that they are the owners of their devices and that their computers are running the most recent system and antivirus updates. After this process is complete, all devices not excluded from it must once again run the setup package for their device before being moved back to the clean pool.
DMCA Violation - The use of the DirectConnect service to illegally obtain copyrighted material is considered a student conduct violation and results in the temporary suspension of the student's DirectConnect network access rights. Notifications of DMCA violations are sent from copyright owners (such as the MPAA or RIAA) to the university's Security Officer, who takes the information provided (most notably the public IP address, timestamp, and port) and uses the firewall logs to determine the internal IP address associated with the external IP reported by the copyright owner. This external IP is associated with the internal IP through the Network Address Translation (NAT) performed by the campus firewall. This information is sent to SAIT, who look up that private IP address and its association with a device owner at the time of the infringement. Once the student is identified, all of their network devices are forcefully quarantined and the only information they can access is a page notifying them of the situation and the process to resolve it. They have no way to re-enter the clean pool until they have completed this process.
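The lookup chain in the DMCA process above, worked through as an added example (not SAIT's own tooling): the external IP, port and timestamp from the notice are matched against NAT firewall records to find the internal IP, that IP is matched against DHCP lease records to find the MAC and jack, and the MAC is matched against the device table to find the owner. The log formats, addresses, MACs, student identifiers and timestamps are all constructed. The example also shows why the timestamp is essential, since the firewall reuses the same external port for a different internal host later the same night.

```python
from datetime import datetime, timezone

# All three data sets are constructed for this example; the formats and values are hypothetical.
# Timestamps are kept in UTC: notices and firewall logs often use different zones, and
# normalising both before comparing them is the first step of the lookup.
NAT_LOG = """\
2013-09-14T02:15:07Z nat src=10.248.12.34:51234 xlate=203.0.113.7:40001 proto=tcp
2013-09-14T02:15:09Z nat src=10.248.12.35:51902 xlate=203.0.113.7:40002 proto=tcp
2013-09-14T03:40:11Z nat src=10.248.12.36:52000 xlate=203.0.113.7:40001 proto=tcp
"""

DHCP_LOG = """\
2013-09-13T20:00:00Z lease mac=00:11:22:33:44:55 ip=10.248.12.34 building=Aber jack=214-1 expires=2013-09-14T20:00:00Z
2013-09-13T21:30:00Z lease mac=66:77:88:99:aa:bb ip=10.248.12.35 building=Aber jack=216-2 expires=2013-09-14T21:30:00Z
2013-09-14T03:00:00Z lease mac=cc:dd:ee:ff:00:11 ip=10.248.12.36 building=Aber jack=301-1 expires=2013-09-15T03:00:00Z
"""

# mac -> owner, as the DCOHome device table would hold it (constructed; third MAC is unknown)
DEVICES = {
    "00:11:22:33:44:55": {"student_id": "790000001", "netid": "ab123456"},
    "66:77:88:99:aa:bb": {"student_id": "790000002", "netid": "cd654321"},
}


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str):
    """Yield (timestamp, fields) for each 'timestamp kind key=value ...' line."""
    for line in text.splitlines():
        ts, kind, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["kind"] = kind
        yield parse_ts(ts), fields


def internal_address(ext_ip: str, ext_port: int, when: datetime):
    """Internal IP behind the newest translation of ext_ip:ext_port that began at or before `when`."""
    best = None
    for ts, f in parse_log(NAT_LOG):
        ip, port = f["xlate"].rsplit(":", 1)
        if ip == ext_ip and int(port) == ext_port and ts <= when and (best is None or ts > best[0]):
            best = (ts, f["src"].rsplit(":", 1)[0])
    return best[1] if best else None


def lease_holder(internal_ip: str, when: datetime):
    """The lease record covering internal_ip at `when`, or None."""
    for ts, f in parse_log(DHCP_LOG):
        if f["ip"] == internal_ip and ts <= when <= parse_ts(f["expires"]):
            return f
    return None


def identify(ext_ip: str, ext_port: int, when_text: str):
    """Resolve a notice (external IP, port, UTC timestamp) to device, location and owner."""
    when = parse_ts(when_text)
    internal_ip = internal_address(ext_ip, ext_port, when)
    if internal_ip is None:
        return None
    lease = lease_holder(internal_ip, when)
    if lease is None:
        return None  # translation known but no lease covered it: do not guess an owner
    return {
        "internal_ip": internal_ip,
        "mac": lease["mac"],
        "building": lease["building"],
        "jack": lease["jack"],
        "owner": DEVICES.get(lease["mac"]),  # None when the MAC was never registered
    }
```

A result with an owner of None is the case worth a second look: the jack and time are known, but the device never completed registration, so the student has to be identified from the room assignment rather than the device table.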
Network Access Control Usage Overview
Primary Scenario - A student moves into their dorm room and wishes to access the Internet on their new laptop.
- Prior to the student's arrival on campus, the student would have been given a housing assignment in one of the dorms by the Residence Life Office. This information would be entered into the Banner database at that time.
- The Banner dump process would have shared this new student and housing information with SAIT's DCOHome database during the daily exchange.
- Should, for any reason, the network interface assigned to this student be disabled, the Talos system can confirm the port is disabled and automatically enable the interface for use by the student prior to the date their housing assignment starts.
- Once they arrive and move into their dorm room the student will connect their laptop to the active wall-mounted network jack in their room using an Ethernet cable.
- Their computer will send out a DHCP Discover in order to dynamically receive an IP address.
- The Wendigo DHCP server running on DCOWeb will receive this request and collect information from the request including the device's MAC address and an indication of the device's physical location based on the origin of the packets. This information will be privately communicated to DCOHome via private web APIs.
- DCOHome will log all relevant information about the connection and will attempt to look up the device in its database of devices associated with the DirectConnect network. In this case no existing record for this laptop will be found, so a new record will be created with parameters set to indicate that it is unregistered. Since this device is unregistered, it must be assigned to the dirty pool when replying to the DHCP Discover.
- DCOHome will then look up the pool of IP addresses assigned to the dirty pool of that student's building and select an unused IP address, which will be leased to this device until the setup process is complete. This information, along with additional details (e.g. subnet mask, default gateway, and DNS servers), will be relayed back to Wendigo in response to its original query via their private API.
- Wendigo will turn around and issue a DHCP Offer with this information in response to the laptop's original DHCP Discover. Assuming there are no issues, a DHCP Request and DHCP Acknowledgment will also occur between Wendigo and the laptop to finalize this DHCP lease.
- At this point the laptop has been assigned an IP address in the dirty pool for the building where they are physically located and the DNS servers for the laptop have been set to those of DCOWeb. All of this has happened without any interaction from the student beyond plugging the network cable into the laptop.
- Now the student will open a web browser and attempt to access a website or load their default home page. The DNS resolution for the domain they are trying to access will be poisoned by DCOWeb's DNS service and will be returned as the IP address of DCOWeb itself.
- The browser will use this IP address and send an HTTP request with an attempt to load the intended page. DCOWeb will respond with HTTP headers indicating that the site has been temporarily moved to the FQDN (fully qualified domain name) of DCOWeb. The browser will then redirect to the web service provided by DCOWeb. This page will contain instructions explaining the connection process to the student.
- DCOWeb will dynamically prepare the page to return to the browser based on the operating system of the device making the connection. In this case we will assume it is a laptop running Windows 7. A page will be displayed to the student indicating that to proceed they need to download and run the DirectConnect Setup Package for Windows.
- After downloading and launching the DirectConnect Setup Package for Windows this application will monitor the state of the computer while the student meets all the necessary requirements in order to proceed.
- First, the application will use encrypted communication with the DCOWeb web APIs to detect if the machine running the software was in fact issued a valid lease by Wendigo and is currently in the dirty pool. Additionally it will automatically ensure that there are no unauthorized wired or wireless routers, switches, or hubs in use which are forbidden by the DirectConnect EULA and campus policy.
- Next, the application will inspect the operating system of the device to ensure it is a supported major version. In this case a Windows 7 laptop will qualify as all versions of Windows after and including Windows 2000 are actively supported.
- Next, the application will ask the student to read and agree to the DirectConnect EULA (End User License Agreement) and terms of use. They must confirm their acceptance before they can be registered.
- Next, the application will ask the student to provide their Student ID and NetID as well as an updated telephone number. This information will be relayed to DCOHome via APIs available on DCOWeb to confirm that the Student ID matches the NetID which is enough private information to ensure the student is the one registering the device. At this time the student's telephone number is updated in the DCOHome database and a check is made to ensure this student is currently assigned housing in one of the residence halls.
- Next, the application will inspect the system updates applied to the operating system and core software to ensure it meets the requirements of joining the DirectConnect network. In this case we will assume the Windows 7 laptop had yet to install updates and Service Pack 1. The application will provide download links to these updates hosted by DCOWeb and walk the user through the installation process.
- Once that is complete, the application will inspect the system to detect if there are any antivirus applications currently installed. If so, and they do not match the authorized applications offered by SAIT, the student will be given the opportunity to uninstall their antivirus before being required to install a supported antivirus software.
- Once all unsupported antivirus applications are removed, the application will ensure that the user installs one of the supported antivirus applications offered for free by SAIT. If necessary, download links for installation media hosted by DCOWeb will be provided and automatically and silently installed.
- Once a supported antivirus is available, the application will ensure the antivirus is sufficiently up-to-date to allow the device access to the DirectConnect network. If needed, download links for these updates hosted by DCOWeb will be provided.
- Then, once all of these requirements have been successfully met, the application will communicate the successful completion of the registration process to DCOHome via the APIs available on DCOWeb, and the record for this device will be designated as registered and approved for access to the clean pool.
- Finally, the application will initiate a release and renewal of the laptop's leased IP address. This will initiate another exchange with Wendigo for a new IP address and, this time, due to the changes in the DCOHome database for this device, the laptop will be leased an IP address in the clean pool with DNS servers that are not poisoned.
- This device will now have full unrestricted access to the Internet and local network resources available to members of the clean pool. At regular intervals the device will renew its DHCP lease with Wendigo and should, for any reason, the device or its owner be barred from using the DirectConnect network it will automatically be forced back into the dirty pool where it will be quarantined until the situation can be resolved.
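To tie the scenario together, here is an added Python model (not the real DCOHome or Wendigo code) of the lease decision DCOHome makes when Wendigo asks about a device: an unregistered or banned device gets a short lease from its building's dirty range with DCOWeb as its only DNS server, a registered device gets a longer lease from the clean range with the campus resolvers, and a ban or device invalidation moves a device back to the dirty range on its next release/renew or lease renewal. The building ranges, the DCOWeb and resolver addresses, the lease lengths and the gateway convention are all assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from ipaddress import IPv4Address, ip_network

# Constructed placeholders: the real DCOWeb and campus resolver addresses are not on the page
DCOWEB_DNS = ["10.247.0.1"]
CAMPUS_DNS = ["192.0.2.53", "192.0.2.54"]
DIRTY_LEASE = timedelta(minutes=30)   # dirty-pool leases are short, per the page
CLEAN_LEASE = timedelta(hours=24)     # assumed length for registered devices


def pool_of(ip: str):
    """Classify an address by its first two octets, as the page defines the pools."""
    prefix = ".".join(ip.split(".")[:2])
    return {"10.247": "dirty", "10.248": "clean"}.get(prefix)


@dataclass
class Device:
    mac: str
    registered: bool = False
    banned: bool = False


@dataclass
class Lease:
    ip: IPv4Address
    pool: str
    netmask: IPv4Address
    gateway: IPv4Address
    dns: list
    ttl: timedelta


class DCOHome:
    """Hypothetical model of the DCOHome side of the DHCP API; not the real application."""

    def __init__(self, pools: dict):
        # pools: building -> (dirty CIDR, clean CIDR), one pair per building as the page describes
        self.pools = {b: {"dirty": ip_network(d), "clean": ip_network(c)} for b, (d, c) in pools.items()}
        self.devices = {}   # mac -> Device
        self.leases = {}    # mac -> Lease

    def _device(self, mac: str) -> Device:
        mac = mac.lower()
        return self.devices.setdefault(mac, Device(mac))  # unknown MAC: create an unregistered record

    def register(self, mac: str):
        self._device(mac).registered = True     # setup package reported success

    def invalidate(self, mac: str):
        self._device(mac).registered = False    # device invalidation before a new semester

    def ban(self, mac: str):
        self._device(mac).banned = True

    def release(self, mac: str):
        self.leases.pop(mac.lower(), None)      # client released its lease

    def allocate(self, mac: str, building: str) -> Lease:
        """Answer Wendigo's query for a Discover/Request from `mac` seen in `building`."""
        dev = self._device(mac)
        pool = "clean" if dev.registered and not dev.banned else "dirty"
        net = self.pools[building][pool]
        current = self.leases.get(dev.mac)
        if current is not None and current.ip in net:
            return current                       # renewal in the right pool keeps the address
        in_use = {lease.ip for m, lease in self.leases.items() if m != dev.mac}
        hosts = net.hosts()
        gateway = next(hosts)                    # convention for this example: first host is the gateway
        ip = next((h for h in hosts if h not in in_use), None)
        if ip is None:
            raise RuntimeError(f"{building} {pool} pool exhausted")
        lease = Lease(ip, pool, net.netmask, gateway,
                      DCOWEB_DNS if pool == "dirty" else CAMPUS_DNS,
                      DIRTY_LEASE if pool == "dirty" else CLEAN_LEASE)
        self.leases[dev.mac] = lease             # a pool change replaces the old lease
        return lease
```

Because the pool is recomputed on every renewal from the current device record, a ban takes effect without any action on the client: the next renewal simply lands in the dirty range with the poisoned resolver, which is the behaviour the last step above describes.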