Content Moved | Computer Lab Lockdown Tool | University of Waterloo


ISTNS.ComputerLabLockdownTool r41 - 13 Apr 2007 - 15:51:47 - PaulMcKone


Computer Lab Network Lockdown Tool

The Computer Lab Network Lockdown Tool is available at https://istns.uwaterloo.ca/ona/lockdown.php

[Screenshot: lockdown.JPG]

This tool lets computer lab administrators lock down network access during exams through a web-based interface. The tool can be made available to specific userids and/or specific IP names (e.g. a podium machine used by multiple instructors).

The tool must be pre-configured for the given lab and for the desired degree of network lockdown (e.g. deny all traffic in/out of the lab, or deny traffic in/out of UW). Once configured, lab administrators need only choose between "Lockdown" and "Open", and the pre-configured access control lists are applied or removed, respectively.

Configuration

Network staff create an ACL on the switch with the desired rules. The ACL can be applied on an upstream router, on a switch uplink, or even on all edge ports (for devices that support that).

Example ACL:

ip access-list extended "DENY_EXT" 
   20 remark "Allow on campus access" 
   22 permit ip 129.97.101.100 0.0.0.3 129.97.0.0 0.0.255.255 
   24 permit ip 129.97.101.104 0.0.0.7 129.97.0.0 0.0.255.255 
   26 permit ip 129.97.101.112 0.0.0.7 129.97.0.0 0.0.255.255 
   30 remark "Deny off campus access" 
   32 deny ip 129.97.101.100 0.0.0.3 0.0.0.0 255.255.255.255 
   34 deny ip 129.97.101.104 0.0.0.7 0.0.0.0 255.255.255.255 
   36 deny ip 129.97.101.112 0.0.0.7 0.0.0.0 255.255.255.255 
   40 remark "Allow the rest" 
   42 permit ip 129.97.101.0 0.0.0.255 0.0.0.0 255.255.255.255 
   exit 
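
Before an ACL like this is registered with the lockdown tool, it is worth confirming which hosts it actually restricts. The following is an added example, not part of the original page or the tool: a small Python evaluator that applies first-match, wildcard-mask semantics to the ACL above. The off-campus address 192.0.2.10 and the implicit deny after the last entry are assumptions.

```python
import ipaddress
# ACL copied from this page; remark lines are ignored by the parser.
ACL_TEXT = """
ip access-list extended "DENY_EXT"
   20 remark "Allow on campus access"
   22 permit ip 129.97.101.100 0.0.0.3 129.97.0.0 0.0.255.255
   24 permit ip 129.97.101.104 0.0.0.7 129.97.0.0 0.0.255.255
   26 permit ip 129.97.101.112 0.0.0.7 129.97.0.0 0.0.255.255
   30 remark "Deny off campus access"
   32 deny ip 129.97.101.100 0.0.0.3 0.0.0.0 255.255.255.255
   34 deny ip 129.97.101.104 0.0.0.7 0.0.0.0 255.255.255.255
   36 deny ip 129.97.101.112 0.0.0.7 0.0.0.0 255.255.255.255
   40 remark "Allow the rest"
   42 permit ip 129.97.101.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard mask are ignored; all other bits must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(text):
    """Return (seq, action, src, src_wc, dst, dst_wc) for each permit/deny ip entry."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].isdigit() and f[1] in ("permit", "deny") and f[2] == "ip":
            rules.append((int(f[0]), f[1], *f[3:7]))
    return sorted(rules)

def evaluate(rules, src, dst):
    """First matching entry wins; with no match, assume an implicit deny."""
    for seq, action, s, s_wc, d, d_wc in rules:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, seq
    return "deny", None

def blocked_sources(rules, subnet, dst):
    """Hosts in subnet whose traffic to dst is denied once the ACL is applied."""
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if evaluate(rules, str(h), dst)[0] == "deny"]

RULES = parse_acl(ACL_TEXT)
OFF_CAMPUS = "192.0.2.10"  # constructed off-campus address (documentation range)
if __name__ == "__main__":
    print(blocked_sources(RULES, "129.97.101.0/24", OFF_CAMPUS))
```

With the ACL above it reports 129.97.101.100 through 129.97.101.119 as the locked-down hosts; every other address in 129.97.101.0/24 still matches entry 42 and is permitted.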

The configuration tool at https://istns.uwaterloo.ca/ona/edit_table.php?table=lockdowns is then used to edit the lockdowns table and give a name and description to the lab lockdown entry, and supply details about the switch and interface the ACL is applied on.

Configuration Tool:

[Screenshot: lockdowns.JPG]

Users of the lab lockdown web interface do not need to be added to the ona admins table, but they, or the fully qualified domain name of the desired podium computer, need to be authorized through the Administrator Group Memberships table in ona.

When a lab administrator uses the tool, it applies the ACL to the pre-configured interface.

If needed, multiple ACLs can be applied to multiple VLANs, interfaces, and switches for a given lab lockdown. This is done by adding multiple entries to the ona lockdowns table, all with the same name. However, it is recommended to keep things as simple as possible.