Frequently Asked Questions of the Month
What is this BeachNet thing?

You've probably heard us use the phrase, or seen it, so let's clear up what we mean. Briefly, BeachNet is the name we have given to the upgraded campus data network. The network is almost entirely Cisco based, which gives us an enormous amount of flexibility in making BeachNet secure, reliable, and fast. In this write-up, we'll describe in more detail what BeachNet means and the ways to get connected.

First, two definitions, as used by Network Engineering:

Subnet: a contiguous block of IP addresses in the 134.139.*.* space. Usually a subnet is a “class C” network with a subnet mask of 255.255.255.0, serving up to about 250 addresses, but we do divide subnets down to blocks of 16 addresses for some purposes.

VLAN: an alternative term for a subnet. While it is possible to have a one-to-many relationship between VLANs and subnets, we maintain a one-to-one relationship for performance reasons. In some cases, a VLAN may not have a subnet associated with it. This is called a “Private LAN”.

Provisioned Access to BeachNet

There are two ways of getting connected to BeachNet. The first is a “provisioned” way, where campus Technical Coordinators and Technical Support personnel are assigned one or more VLANs by ITS. When a VLAN is assigned, a subnet is also usually assigned, with a scope on the campus DHCP server to hand out DHCP addresses. Two blocks of static IPs are reserved outside the DHCP scope. One is for Network Services to use for network equipment and is usually the first 10 addresses. The other is for the Technical Coordinator to use to assign IPs to servers, printers, or other equipment that does not work well with DHCP, where the address might change. ITS will not manage this static IP range unless asked to do so. We can, however, search for current usage of a given IP to verify whether it is in use, if asked. Along with the assignment of a VLAN to a Technical Coordinator (and/or team) come important responsibilities:
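As an added example (not from the article and not an ITS tool), here is how the address layout of a provisioned subnet described above can be expressed with Python's ipaddress module; the sample network 134.139.200.0/24, the 20-address size of the Technical Coordinator block, and the ordering of the blocks are assumptions.

```python
# Added example, not from the BeachNet article or ITS tooling. The sample network,
# the 20-address Technical Coordinator block and the block ordering are assumptions.
import ipaddress

NET_SERVICES_RESERVED = 10   # "usually the first 10 addresses" go to network equipment
SMALL_BLOCK_PREFIX = 28      # the article's "blocks of 16 addresses" are /28s

def plan_subnet(cidr, tc_static_count=20):
    """Lay out one provisioned subnet: network-services statics, Technical
    Coordinator statics, and the remaining usable addresses as the DHCP scope."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())          # usable addresses; network and broadcast excluded
    needed = NET_SERVICES_RESERVED + tc_static_count + 1
    if len(hosts) < needed:
        raise ValueError(f"{cidr} has {len(hosts)} usable addresses, need at least {needed}")
    ns = hosts[:NET_SERVICES_RESERVED]
    tc = hosts[NET_SERVICES_RESERVED:NET_SERVICES_RESERVED + tc_static_count]
    dhcp = hosts[NET_SERVICES_RESERVED + tc_static_count:]
    return {
        "network_services_static": (ns[0], ns[-1]),
        "tc_static": (tc[0], tc[-1]),
        "dhcp_scope": (dhcp[0], dhcp[-1]),
        "dhcp_count": len(dhcp),
    }

def sixteen_address_blocks(cidr):
    """Split a subnet into the 16-address (/28) blocks ITS sometimes hands out."""
    return [str(b) for b in ipaddress.ip_network(cidr).subnets(new_prefix=SMALL_BLOCK_PREFIX)]

def classify(cidr, addr, tc_static_count=20):
    """Report which block an address falls in, so a Technical Coordinator can tell
    whether an address is inside their static range before asking ITS to check if it is live."""
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip in (net.network_address, net.broadcast_address):
        return "reserved"
    plan = plan_subnet(cidr, tc_static_count)
    for name in ("network_services_static", "tc_static", "dhcp_scope"):
        low, high = plan[name]
        if low <= ip <= high:
            return name
    return "unassigned"   # unreachable for a contiguous layout, kept for safety
```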
Un-provisioned Access to BeachNet, or “Login Required”

Usually when ITS talks about BeachNet, this access method is what we mean. When discussing other network access, the terminology sticks mainly to VLANs and subnets. Campus-wide, there is one special VLAN that is managed by ITS and is our “default” setting. This VLAN (VLAN 10) is configured wherever a Technical Coordinator cannot be identified, such as in a classroom or via wireless. This is a “supplemental” network that gives the campus community the flexibility to use networking resources while maintaining some degree of access restriction to keep out potential abuse from anonymous sources. Not all features of the provisioned BeachNet access method are available, which is a result of this compromise. The known issues and caveats are:

Bandwidth. Users are limited to approximately DSL or cable modem speeds while using this access.

Domain logins. Logins to the domain to get onto the PC/laptop will not work. In order to use BeachNet in this way, the user must have a local PC/laptop login.

Time limit. Logins are good for 6 hours. Logins can be refreshed by revisiting the login page, if it was bookmarked.

Not for shared PCs. Once a user logs in, the MAC address of the computer is what authenticates any further traffic. Any user can sit down later and will not receive a login page until the initial login expires, 6 hours after the first one.

Using BeachNet in this way, a computer will get an IP address in the range of 10.0.*.*. The computer should, unless the XP firewall or another firewall doesn't permit it, be able to ping the “magic” address of 10.0.0.1. Opening a web browser to any HTTP URL will cause the browser to be redirected to the login page, which you can see at https://beachnet2.csulb.edu . Currently, the user can select to use their WebMail (Namemaster provided) username and password, or their BeachBoard/myCSULB (TIM provided) username and password.
This is easily changeable and extensible at any time if another authentication database is provided. As you can see, this address range is not the typical campus one. It is a private IP range behind a firewall. Furthermore, when a user logs in and authentication is successful, the computer is then automatically scanned for known vulnerabilities. If a computer is vulnerable (not necessarily infected, although some parts of the scan can look for the presence of some Internet worms), it will be assumed to be infected and the computer will be placed in a Quarantine. The user will be presented with a web page (see http://www.csulb.edu/depts/NetworkServices/beachnet/stop.html for a sample) that will inform them of the condition and guide them through the corrective action to take. The Quarantine is also leveraged heavily by SIRS (Security Incident Response System) to inform users of corrective action taken by ITS when a computer is detected as compromised, at the same time that their Technical Coordinator is informed via email.

Most, if not all, of the issues mentioned above, along with the login requirement, can be worked around if a Technical Coordinator chooses to. ITS can permanently authenticate PCs, laptops, or other devices based solely on the MAC address if requested. In this case, the only restriction is that devices using BeachNet in this way will not be able to act as servers, as they will still be behind the firewall.

Lastly, there is an authentication method for “Campus Special Guests”. Guest speakers and presenters can be given an account name and password, controlled by a department's Technical Coordinator, that they can use while on campus to reach the Internet.

We hope this overview helps the campus community understand more of the policy and procedures around BeachNet. Please let us know if you have any questions by emailing our support address: net-engr@csulb.edu .
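To make the “Login Required” behaviour and its caveats concrete, here is an added model (not the BeachNet portal's own code) of the access decision: a 6-hour session keyed to the MAC address, the post-login scan placing a vulnerable computer in Quarantine, and the permanently authenticated MACs a Technical Coordinator can request. The MAC addresses, timestamps and the scan result flag are constructed inputs.

```python
# Added example, not the BeachNet portal's own code. MACs, timestamps and the
# scan outcome are constructed inputs; times are plain epoch seconds.
from dataclasses import dataclass, field

SESSION_LIFETIME = 6 * 3600               # seconds: "Logins are good for 6 hours"
LOGIN_URL = "https://beachnet2.csulb.edu" # where HTTP requests are redirected (from the article)

@dataclass
class Session:
    expires_at: float          # epoch seconds at which the login lapses
    quarantined: bool = False  # the post-login scan found a known vulnerability

@dataclass
class Portal:
    permanent_macs: set = field(default_factory=set)   # MACs ITS authenticated at a TC's request
    sessions: dict = field(default_factory=dict)        # MAC -> Session

    def decide(self, mac, now):
        """What the network does with traffic from this MAC at time `now`."""
        mac = mac.lower()
        if mac in self.permanent_macs:
            return "allow"            # never sees the login page; still behind the firewall
        s = self.sessions.get(mac)
        if s is None or s.expires_at <= now:
            self.sessions.pop(mac, None)
            return "redirect_login"   # any HTTP request is redirected to LOGIN_URL
        if s.quarantined:
            return "quarantine"       # served the stop page instead of the requested site
        return "allow"

    def login(self, mac, now, credentials_ok, scan_found_vulnerability):
        """A successful login keys a 6-hour session to the MAC, then the scan runs.
        Logging in again (revisiting the bookmarked page) refreshes the expiry."""
        if not credentials_ok:
            return "redirect_login"
        self.sessions[mac.lower()] = Session(expires_at=now + SESSION_LIFETIME,
                                             quarantined=scan_found_vulnerability)
        return self.decide(mac, now)

def shared_pc_demo():
    """Replay the 'Not for shared PCs' caveat: the computer's MAC, not the person,
    is what is authenticated, so a later user inherits the first login until it expires."""
    portal = Portal()
    mac, t0 = "00:11:22:33:44:55", 1_700_000_000.0   # constructed MAC and timestamp
    first = portal.login(mac, t0, credentials_ok=True, scan_found_vulnerability=False)
    later = portal.decide(mac, t0 + 5 * 3600)    # a second person at the same PC, 5 hours on
    expired = portal.decide(mac, t0 + 6 * 3600)  # at the 6-hour mark the session lapses
    return first, later, expired                 # ("allow", "allow", "redirect_login")
```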