The Technical Services Stuff in IT Services A brief tour of the technical and service offering plethora – who knew???? Technology Training Services October 2009
Course Goals • To help you integrate into IT Services by gaining the technical and service-oriented knowledge needed to be more productive. • To improve your awareness of and promote the services, resources, and tools that the various groups within IT Services provide (to the campus at-large and also within IT Services). • To provide a functional overview of the services and products, and how they interrelate across computing organizations and why they are important to the campus as well as IT Services.
Course Agenda The technical overview of the services provided by each of the main divisions within IT Services • Strategic Planning • Human Resources • Architecture • Research Computing • Computing Services • Communication Services • Client Support • Business Services
Administrative Guide Policies • Policies: http://adminguide.stanford.edu/ • Admin Guide 1: University Code of Conduct • Admin Guide 61: Administrative Computing Systems • Admin Guide 62: Computer and Network Usage Policy • Admin Guide 63: Information Security • Admin Guide 64: Identification and Authentication Systems • Admin Guide 66: Chat Rooms and Other Forums Using Stanford Domains or Computer Services • Admin Guide 67: Information Security Incident Response • Admin Guide 81.1: Telecommunication Services • Admin Guide 81.3: Provision of Mobile Equipment and Related Services • Admin Guide 84: Credit Card Acceptance and Processing
HIPAA and FERPA HIPAA (Health Information Privacy and Security) http://hipaa.stanford.edu/ Protects the privacy of an individual’s health information and governs the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information (“PHI”). Be sure appropriate procedures are maintained to ensure that the HIPAA privacy and security rules are followed. FERPA (Family Educational Rights and Privacy Act) http://ferpa.stanford.edu Provides students the right to consent to disclosures of personally identifiable information contained in the student’s education records. Students, faculty, and others with questions regarding student records should contact the Office of the University Registrar.
Security Issues • Important security concepts all IT Services employees need to know and understand: • Admin Guide 63 • Data Classification (Confidential, Restricted, Prohibited) http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html • Encryption • Passwords: always use a secure connection when sending your password! • Kerberos • Secure Socket Layers (SSL) and Secure SHell (SSH) • Stanford Desktop Tools • Computers: be aware of how to encrypt the contents of your computer! • Stanford Whole Disk Encryption: (SWDE) http://www.stanford.edu/services/encryption/wholedisk/index.html • Windows: http://securecomputing.stanford.edu/pc_file_encryption.html • Mac: FileVault (System Preferences > Security > FileVault)
Computing Services Authentication: SUNet IDs • Stanford University Network IDentifier • 3-8 character identifier • Permanent – cradle to grave – but aliases allowed! • Not private and not anonymous • Your “golden key” to online services • Password – change every 180 days • http://sunetid.stanford.edu
Computing Services Authentication: Workgroup Manager • Workgroup Manager • Web application • Defines groups of community members for use on restricted web pages or applications • Workgroups are: • Lists of members in a group • Identified by their SUNet IDs • Given a name that uniquely identifies them. • Replicated into the Active Directory (AD) – more on AD later! A workgroup may also contain subgroups!
Computing Services Authentication: Types of Workgroups • 3 types of workgroups: • System-maintained workgroups: stanford:student (students) stanford:academic (faculty and students) stanford:faculty (faculty) stanford:administrative (staff and faculty) stanford:staff (staff) stanford:stanford (students, faculty, and staff) • Department workgroups (often identified by the department’s assigned stem) organization:businessaffairs_its gsb:affiliates helpdesk:consultants • Individual workgroups (identified by the owner’s SUNet ID preceded by a tilde ~) ~jdoe:book_exchange ~instr:friends ~santa:naughty_children • Using workgroups (with WebAuth, for example) in a .htaccess file, three separate examples:

AuthType WebAuth
require privgroup stanford:staff

AuthType WebAuth
require privgroup its:directors

AuthType WebAuth
require privgroup ~instr:friends
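An added example (not part of the original slides and not WebAuth's own code) of how a `require privgroup` rule like the ones above could be evaluated against workgroups that contain subgroups. The membership data, the `:` test for telling a subgroup from a SUNet ID, and treating several `require privgroup` lines as alternatives are assumptions made for illustration.

```python
import re

# Constructed sample data, not real workgroup membership.
# Assumption: an entry containing ":" is a subgroup, anything else a SUNet ID.
WORKGROUPS = {
    "its:directors": {"jdoe", "its:deputies"},
    "its:deputies": {"asmith", "its:directors"},  # deliberate cycle
    "~instr:friends": {"bwong"},
    "stanford:staff": {"jdoe", "asmith", "clee"},
}

# Constructed .htaccess in the form shown on the slide.
HTACCESS = "AuthType WebAuth\nrequire privgroup its:directors\n"

AUTHTYPE_RE = re.compile(r"^\s*AuthType\s+WebAuth\s*$", re.I)
PRIVGROUP_RE = re.compile(r"^\s*require\s+privgroup\s+(\S+)\s*$", re.I)


def workgroup_type(name):
    """Classify a workgroup name into the three types listed on the slide."""
    stem, sep, label = name.partition(":")
    if not (sep and stem and label):
        raise ValueError(f"not a stem:name workgroup: {name!r}")
    if stem.startswith("~"):
        return "individual"   # owner's SUNet ID preceded by a tilde
    if stem == "stanford":
        return "system"       # system-maintained workgroups
    return "department"       # department's assigned stem


def expand_members(name, groups, _seen=None):
    """Return every SUNet ID reachable from a workgroup, following subgroups.

    Unknown groups expand to nobody (fail closed) and each group is visited
    once, so a subgroup loop cannot recurse forever.
    """
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    people = set()
    for entry in groups[name]:
        if ":" in entry:
            people |= expand_members(entry, groups, seen)
        else:
            people.add(entry)
    return people


def required_privgroups(htaccess_text):
    """List the privgroups named in a WebAuth-protected .htaccess file."""
    lines = htaccess_text.splitlines()
    if not any(AUTHTYPE_RE.match(line) for line in lines):
        return []  # no WebAuth rule in this file
    return [m.group(1) for line in lines if (m := PRIVGROUP_RE.match(line))]


def is_authorized(sunet_id, htaccess_text, groups):
    """True if the user belongs to any required privgroup (assumed OR semantics)."""
    return any(sunet_id in expand_members(group, groups)
               for group in required_privgroups(htaccess_text))
```

The point to take away is that a restriction on one workgroup also admits everyone in its subgroups, so reviewing who can reach a page means expanding the whole tree, not reading the top-level member list.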
Computing Services Authentication: Kerberos • Kerberos: • A network authentication system for use on physically insecure networks. • The heart of Stanford’s campus-wide network security infrastructure. • Prevents eavesdropping or replay attacks. • Provides for data stream integrity (detection of modification). • Prevents unauthorized reading of data using cryptography systems such as the Data Encryption Standard. • Is the official method for authentication at Stanford (see Admin Guide 64).
Computing Services Authentication: Kerberos–A Screencast on How It Works From Password to Service Request to Service Ticket Screencast Played Here
Computing Services Authentication: Establishing Kerberos Credentials • Windows: • Network Identity Manager (NIM) • Stanford Desktop Tools • http://www.stanford.edu/services/ess/pc/docs/kerberos/ • Macs: • Kerberos for Macintosh (runs in the background) • Stanford Desktop Tools • http://www.stanford.edu/services/ess/mac/docs/kerberos/ • Unix: • kinit • http://unixdocs.stanford.edu/loggingin.html • How does it work? • User runs NIM (Windows) or Stanford Desktop Tools (Windows/Mac) or kinit • User logs in with valid SUNet ID and corresponding password • Kerberos credentials are established!
Computing Services Authentication: Web Authentication (WebAuth) • Open-source web-based system for authenticating users (developed here!) • Protects web sites on the main Stanford web servers • Can be used with other Apache-based web servers • How does it work? • User visits a protected website • Login screen appears and user enters SUNet ID and password • User’s identity and Kerberos ticket carried in a cookie • https://weblogin.stanford.edu/help.html • http://webauth.stanford.edu
Computing Services Authentication: Web Login (WebAuth continued) • 2 keys are given to you when you log in: • a key to the specific web site or service you visited, • and a "master" key that opens other protected web sites. • The keys last until you quit your browser program, or until they expire – up to 10 hours later. • Be sure you have "turned in your keys" by quitting your browser before you leave your computer. • Otherwise other people can access websites as though they are you! • Note: • Using a protocol called SPNEGO, supported browsers can access protected web sites using Kerberos credentials obtained from your computer login instead of using the WebLogin screen. • For details, go to https://weblogin.stanford.edu/config.html
Computing Services Authentication: Shibboleth http://www.stanford.edu/services/shibboleth/ • Lets you access secured non-Stanford sites (only those who have joined a common federation) using your SUNet ID. • Lets Stanford web servers authenticate users from those non-Stanford institutions using their local authentication credentials. • Example: COManage – Internet2 Project • Still in development… • COManage is the Collaborative Organization Management Platform developed by the Internet2 Middleware Initiative. It is intended as a demonstration of the capabilities offered by tying together federated identity management (Shibboleth), groups management (Grouper), and (coming soon) privilege management into a cohesive support infrastructure for a variety of collaborative applications. • http://middleware.internet2.edu/co/ • http://comanage-dev.stanford.edu/
Computing Services Authentication: Guest Accounts • Based on email address • Uses Shibboleth as authentication • A Stanford Guest Account allows you to view specific Stanford web pages that normally require Stanford-Affiliated SUNet identification. A Guest Account might allow you to view and interact with web-authenticated department, individual, and group pages. The owner of the restricted pages can allow you to access them via your Guest Account. • Note: A Guest Account cannot be used to access any restricted data including HIPAA, FERPA, or PCI-regulated data. • http://www.stanford.edu/service/guest/
Computing Services Distributed File Systems – AFS (Andrew File System) • Stanford’s campus-wide file system • Allows users to efficiently share files across local and wide area networks • System is backed up nightly • University’s main web site and linked files hosted on AFS • http://www.stanford.edu/services/afs/
Computing Services Distributed File Systems – AFS disk space quota • 1 GB of disk space per user, group, or department • Can be used to store web pages, text files, computer programs, pictures and other digital data • Learn more: http://www.stanford.edu/services/disk-space/ • Request group/dept space or increase quota: http://tools.stanford.edu/
Computing Services Distributed File Systems – OpenAFS • Lets you access AFS space on a desktop computer as a shared drive • http://www.stanford.edu/services/openafs/
Computing Services Distributed File Systems – Copying Files to AFS • For step-by-step instructions on copying files to AFS, visit http://filetransfer.stanford.edu/ • OpenAFS • SFTP (Fetch/SecureFX) • WebAFS is a new, web-based method to easily copy files to AFS • http://afs.stanford.edu/ • http://www.stanford.edu/services/afs/webafs/userguide/
Computing Services Distributed File Systems – Workgroup Integration • Workgroups can be integrated with AFS, Mailing Lists, and the Active Directory • https://tools.stanford.edu/cgi-bin/workgroup-admin
Computing Services Distributed File Systems • Common Internet File System (CIFS) • CIFS (Common Internet File System) = “file servers” • Also known as “Server Message Block” • Also known as “Windows File Sharing” • At Stanford, we use the CIFS protocol to provide access to a central file service. • Can be used to share and store files for groups and departments. • Authentication is via Kerberos and NTLM version 2 (Windows NT LAN Manager) • http://www.stanford.edu/services/storage/lowcost/cifs/
Computing Services Backup, System Security, and Anti-Virus • Backing Up: • Desktop/laptops (e.g., Mozy, Iron Mountain (BaRS being deprecated)) • Basically outsourced with a Stanford rate - CRC can help if part of a CRC contract • Servers (e.g., AFS) - Using TSM (looking at disk to disk backup solutions) • System Security: • BigFix – http://www.stanford.edu/services/bigfix/ An OS patch management service which distributes critical security updates to Windows PCs and Macintoshes. • PC Security Self-Help - http://www.stanford.edu/group/security/securecomputing/ • OS Updates • Windows: http://windowsupdate.microsoft.com/ • Apple: http://support.apple.com/ • Linux/Unix • Anti-Virus: Sophos (Stanford site-licensed anti-malware software, providing protection from both viruses and adware/spyware) • http://ess.stanford.edu/pc/sophos.html • http://ess.stanford.edu/mac/sophos.html
Computing Services Business Applications Support Support for ITS internal business apps and campus-wide enabling applications • Pinnacle (Billing), OrderIT, MyITServices • General Enterprise/IT Support Systems • Remedy/HelpSU - tickets; reporting • CMDB (Content Management DataBase) – at Stanford, we use Remedy • Calendaring • Zimbra information: http://www.stanford.edu/services/emailcalendar/ • Docushare • A content and document management system • http://docushare.stanford.edu • Infra • Change Management system used to create, approve, schedule, and provide notification of change requests related to IT systems hardware and software • http://changemanagement.stanford.edu • Stanford Answers (also Client Support): http://answers.stanford.edu
Computing Services Business Applications Support (continued) Support for ITS internal business apps and campus-wide enabling applications • ACES (Access Control Enterprise Systems) – Card access to buildings • Lenel • CS Gold • eCommerce – a suite of services that enables Stanford's schools, centers, and departments to establish themselves as merchants, and market and sell products and services on the web. Managed by the Controller’s Office. • SMARTS – monitoring tool to monitor and respond to alerts from networks (phone, switch, data, VOIP, Net-to-Switch/Jack), door security, and environmental systems in the data centers • Unanet – time tracking tool that IT Services uses internally to track staff work time • Jira – tool used to track bugs and other issues in enterprise software used at Stanford
Computing Services Departmental compute servers • Remote access to high-speed, high-power computing resources to support large jobs and provide support for core curriculum and research • Support for departmental or course-specific computing needs. • Specific compute services that don't scale to an enterprise level.
Computing Services Database Services – MySQL • IT Services provides consulting and assistance with databases and database vendors, as well as hosting and support. • MySQL service • Popular open source database management system • With PHP programming language, used to build dynamic, interactive Web sites. • Available for Stanford departments and official University groups and services • https://www.stanford.edu/services/sql/ • http://mysql.stanford.edu
Computing Services Database Services – Microsoft SQL and Oracle • Microsoft SQL • Microsoft’s implementation of SQL • IT Services offers support for departments who have implemented Microsoft SQL • Oracle • IT Services provides consulting and assistance with databases and database vendors, as well as hosting and support. • Note: No Oracle DBAs in-house • For-fee services - supported via Ntirety
Computing Services Directory Services (Registries) • OpenLDAP (Open Lightweight Directory Access Protocol) • http://www.stanford.edu/services/pubsw/package/network/openldap.html • http://www.stanford.edu/services/directory/ • http://www.openldap.org/ • Active Directory • http://windows.stanford.edu/Public/Infrastructure/Services/Directory.html • Whois / StanfordWho • http://stanfordwho.stanford.edu/ • StanfordWhat • http://stanfordwhat.stanford.edu/ • Workgroup Manager • http://workgroup.stanford.edu/ • StanfordYou • http://stanfordyou.stanford.edu/ • Printed Directory (ASSU) • http://assu.stanford.edu/
Computing Services Technical Facilities (TFAC) • Provides operational management and support for: • IT Services production systems • Infrastructure supporting these systems • Data Centers (Forsythe, Sweet Hall, the 12 ECH (Electronic Communication Hub) facilities, and the Auxiliary Data Center in Livermore, CA) • Responsible for: • Space Planning • Vendor/Customer Coordination • System Hardware Installation • Cabinetry • Low Voltage Cabling and Branch Circuit Distribution • Tracking all equipment in the data centers, IT Services, Administrative Services, and the CFO’s office (Property Administration)
Computing Services Storage Management • IT Services provides solutions to data storage needs for all levels: individual, departmental, and institution-wide (enterprise). • 1 GB of AFS storage space is provided at no charge • Three additional tiers of fee-based storage, each priced per gigabyte for maximum flexibility. • This service is provided as block-level or file-level storage with multiple available protocols (SAN, NAS, iSCSI, CIFS, AFS, etc.). • For interconnection, Fibre Channel and iSCSI are recommended • http://www.stanford.edu/services/storage/
Computing Services Unix/Linux/Windows System Administration • Unix/Linux System Administration • Plan, manage and operate development and production servers in Forsythe Data Center, Sweet Hall, and West ECH, East ECH, and Press ECH. • http://www.stanford.edu/services/unixcomputing/ • Windows System Administration • Addresses the need to move closer to single sign-on • Provides location-independent access to resources, • Provides manageability and security for the Microsoft Windows platform • http://windows.stanford.edu/
Computing Services Web Services – Infrastructure Stuff • ITS web services allow clients control over the collection (database) and presentation (web) of information using various tools. • Virtual Host: • Lets you have a shorter web address (URL – Uniform Resource Locator) • Learn more: http://virtualhosting.stanford.edu • Request or update existing: http://tools.stanford.edu • Web Searching: • http://search.stanford.edu/ • http://www.stanford.edu/services/websearch/Google/ • Web Space: http://www.stanford.edu/services/web
Computing Services Web Services – Databases • MySQL • Popular, free, open-source relational database management system known for its speed, reliability, and ease of use. • http://www.stanford.edu/services/sql/ • http://mysql.stanford.edu • Request a database: http://tools.stanford.edu/ • Microsoft SQL • Microsoft’s implementation of SQL • IT Services offers support for departments who have implemented Microsoft SQL via Ntirety support (for-fee service)
Computing Services Web Services – Forms and CGI • CGI (Common Gateway Interface): • Lets you run programs on the Web – providing dynamic content, collecting user input, and offering services • Ruby, Python, PHP and Perl languages are supported • http://cgi.stanford.edu/ • Request CGI service: http://tools.stanford.edu/ • Form Builder: • Build, publish, and manage web forms on the Stanford servers • http://formbuilder.stanford.edu • http://www.stanford.edu/services/webforms/
Computing Services Web Services – Content Management Systems (CMS) • Content Management Systems (CMS): • Drupal installation: http://tools.stanford.edu/ • Stanford look and feel templates: http://web.stanford.edu/design/templates/modern/ • SharePoint: http://www.stanford.edu/services/sharepoint/ • Other systems will work, but aren’t necessarily supported. Your mileage may vary! • Note: These products are evolving. Stay tuned for new developments!
Computing Services Web Services – Blogs • Blogs: • MovableType installation: http://software.stanford.edu/ • WordPress installation: http://tools.stanford.edu/ • Drupal installation: http://tools.stanford.edu/ • Stanford look and feel templates: http://web.stanford.edu/design/templates/modern/ • SharePoint: http://www.stanford.edu/services/sharepoint/ • Other systems will work, but aren’t necessarily supported. Your mileage may vary!
Computing Services Web Services – Wikis • Wikis: • MediaWiki installation: http://tools.stanford.edu/ • Drupal installation: http://tools.stanford.edu/ • Stanford look and feel templates: http://web.stanford.edu/design/templates/modern/ • SharePoint: http://www.stanford.edu/services/sharepoint/ • Other systems will work, but aren’t necessarily supported. Your mileage may vary!
Computing Services Web Services – SharePoint • Fee-based service • Offers tools for managing content on the Web • Contains wikis, blogs, discussion forums, event calendars, announcements, task lists, etc. built-in • Workflow tools help manage and automate business processes (approvals/publishing) • http://www.stanford.edu/services/sharepoint/
Computing Services Email at Stanford • Email at Stanford: http://email.stanford.edu/ • Antivirus / SPAM (Sophos PureMessage): http://email.stanford.edu/antispam • Bulk email: Send email to large numbers of Stanford users for official, approved Stanford administrative purposes. • Mailing list services (Mailman): http://mailman.stanford.edu • Secure email: http://secureemail.stanford.edu/ This service is for off-campus secure communication (extra hurdles for data security) • Email Service Tools: http://tools.stanford.edu • Support for Microsoft Exchange servers • ITS is running a BES server for Blackberry devices
Computing Services Stanford Collaboration Tools (Email/Calendar/IM) • Integrated Email and Calendaring (IEC) web site: http://iec.stanford.edu • Stanford Email and Calendar services web site: http://www.stanford.edu/services/emailcalendar/ • IEC solution • Webmail: http://webmail.stanford.edu/ • Webcal: http://webcal.stanford.edu/ • Desktop tools (Outlook, iCal, Apple Mail, Thunderbird): http://www.stanford.edu/services/emailcalendar/desktop • Stanford Instant Messaging • http://im.stanford.edu/ • Centrally-funded instant messaging service provided free-of-charge to the Stanford community, using the Kerberos, SSL, and Jabber (XMPP) protocols • A safe and secure way to conduct confidential Stanford business online, real-time. (Messages are secure only when sent between Stanford accounts.)
Communication Services Network: Backbone • SUNet: Our 10Gbps Backbone Network • Campus networks divided into 10 Operational Zones (OZ) • 4 OZs for the main campus networks (BOZ, ROZ, POZ, GOZ) • 2 OZs for the residential networks (COZ, SOZ) • 1 OZ for the School of Medicine (MOZ) • 1 OZ for the School of Engineering (YOZ) • 2 OZs for the machine room server networks (FOZ, WOZ) • Off-Campus Connectivity • CalREN – California Research and Education Network • Operated by CENIC (Corporation for Education Networks Initiatives in California) • 10Gbps to CENIC Sunnyvale • 1Gbps to CENIC Oakland • Internet2 connection via CENIC • CalREN-Digital California (DC) connection via CENIC • CalREN-High Performance Research (HPR) Network via CENIC • Internet connection via Cogent Communications (1Gbps) • Internet connection via CENIC ISP
Communication Services Network: Backbone • Our network database tool: NetDB • Stanford University-developed database application • Stores Network and Node configuration information • Assigns and manages IP addresses of machines • Information loaded into DNS (Domain Name Servers) and DHCP (Dynamic Host Control Protocol). • http://netdb.stanford.edu • Stanford Network Self-Registration (SNSR) • Web-based method to self-check a computer and register it in NetDB (using the SNSR template) • http://www.stanford.edu/services/selfreg/ • Load Balancing • Managed server load balancing service for firewalled systems in the FOZ, WOZ, and core operational Zones • http://www.stanford.edu/services/loadbalance/
Communication Services Network: Net2Switch • Net2Switch • Centralized service model • Support for internal and external network infrastructure. • Local Network Administrator (LNA) maintains control of patching active ports in the network closet
Communication Services Network: Firewalls • Administrative Firewall • Firewall service for servers residing in IT Services supported data centers • For University mission critical systems with restricted data • https://www.stanford.edu/services/firewall/ • Departmental Firewall • Protects computers on a local network • Opt-in service • Utilizes virtual firewall technology to allow Local Network Administrators to define their own firewall policies for their department • Approximately 300 networks are behind the Departmental Firewall Service
Communication Services Network: Wireless • Lets you access the network without wires! (d’oh!) • Over 3,200 Wireless Access Points deployed • Over 10,000 devices associate on the WiFi daily • http://www.stanford.edu/services/wirelessnet/ • Wireless Guest • You can grant guests access to the wireless network for up to 2 weeks at a time • https://www.stanford.edu/group/networking/cgi-bin/wirelessguest/accounts • Wireless map & coverage • http://its.stanford.edu/cgi-bin/services/wirelessnet/wireless_map.pl • Wireless security (or rather, the lack thereof…) • Stanford does not currently encrypt data on the wireless network. Please keep this in mind when you transmit data.