3. Network-based Services
Apart from the basic functions of the network described in the section above, a wide variety of key infrastructural network services are also provided by OUCS. These are used by all sectors of the University, some consciously but others unconsciously in the background. These services include:
- Domain Name Server (DNS)
- Email relay server
- Network time server
- Dynamic Host Configuration Protocol (DHCP) service
- Web cache
- Web servers
- Email POP and IMAP servers
- Network News server
- Mailing List server
- File backup and archive server (Hierarchical File Store) (HFS)
- Windows Internet name server
- Novell Directory Services (NDS) tree server
- Virtual Private Network (VPN) server
Most are based on PC equipment running the Linux operating system, with a few using SUN equipment running Solaris. The choice is determined by the requirements of the application software, though the PC/Linux solution is preferred (for cost and supplier-independence reasons) where feasible. Typically, all require and exhibit very high reliability.
Details of all these services can be found on the OUCS Web pages at www.oucs.ox.ac.uk/network/. Several of these services are discussed in more detail below.
The email relay service handles the vast majority of the University's incoming and outgoing email, and inter-system email within the University. It directs email to the appropriate email server, performs address checks and rewrites addresses to the standard form (where requested by the relevant department to do so), handles distribution of multiple-recipient email, "spools" email intended for non-responding recipient systems, etc. The number of messages handled during the year averaged more than 260,000/day as shown in Figure 8, with the volume of traffic amounting to over 5,600 MB/day on average as shown in Figure 9. Both the volume of messages and the size of each message rise markedly every year, and will continue to do so as the size and complexity of email attachments increases.
The central email server, Herald, which has been running since 1998, offers a mail-store facility to all University members. The mail can be accessed by desktop mail clients using IMAP or POP, or by a dedicated web interface, WING. Nearly all new undergraduates are pre-registered with accounts on Herald. Demand on this service, as on every email service, increases inexorably, and the servers have been regularly upgraded and expanded to meet this demand. The discrete model chosen has proved to be as scalable as planned. It now supports more than 30,000 users, and regularly has a concurrency of over 3,000 users.
The central web servers hold the University's top-level pages, the OUCS web pages, many departmental and college pages, and those for many individual users. In all they support about 150 domain hierarchies, and pages for about 4,000 individuals. In total that amounts to about 700,000 files, occupying some 25 GB. The number of web accesses, the ‘hit rate’, now exceeds 1 million per day. Response time remains excellent.
The Hierarchical File Server (HFS) service started in 1995 to provide large scale central filestore services to the University community. The HFS runs IBM software named the Tivoli Storage Manager. The main services provided by the HFS are a) Desktop and Departmental/College Server backup service and b) long term data repository service for university digital assets.
Since the original procurement of the HFS computer systems, a rolling programme of upgrades of the principal hardware components has kept system capacity in pace with demand. In this period, significant funding has been made available from the HEFCE Capital programme (supplemented by University funding) to enable a major upgrade to be made to the server, storage and network infrastructure of the HFS system. During the latter half of 2002 planning began, investigating disk, tape, server and SAN switch technologies. The upgrade to the systems was planned in four main stages to take place throughout 2003, going out to tender for the first stage just before Christmas 2002. The goals were to move to a switched, fibre channel (FC) infrastructure, to consolidate disk storage, to increase tape storage capacity and to provide the basis for a scalable storage architecture with overall higher performance levels.
At the heart of the new storage architecture is the same, extended, IBM 3494 tape library, connected via a small private LAN to the servers, switches and disk storage servers. The 3590E drives have all been upgraded to Fibre Channel-connected 3590Hs (with the addition of two new drives); with a combination of 384 tracks and extended length cartridges, the 3590 tape capacity is now 60GB uncompressed (90GB compressed). Two FAStT900 disk servers have been installed, one with 70 36GB, 15k rpm disks and the other with 56 73GB, 15k rpm disks. Two IBM P650 systems have been installed to take over the hosting of the TSM servers and to make provision for additional servers. All TSM-related disk storage (database, logs and storage pools) is to be held on the FAStT900s.
By the end of 2002-3 the first three stages of hardware installation were complete, and much work had been done on configuring and optimising the new systems. The next stage will be the installation of IBM 3592 tape drives, for which OUCS will take part in an early-release programme. These can be used to write tapes of up to 300GB (uncompressed) capacity, and will enable maximum use to be made of the University's major investment in the tape robot library.
Figure 10 shows almost 50% growth in the desktop backup service over the year, measured in TB of data held on the server, and is broken down by division. Figure 11 shows nearly 70% growth for server backup data, and is similarly broken down by division.
Figures 12 and 13 give an indication of overall growth for the combined archive and backup services detailing the amount of data (in TB) and files (in millions). These are indicative of the substantial rates of growth of the facility. Figure 14 gives a proportional breakdown of HFS data into the three types. Figure 15 gives an end of year divisional breakdown of HFS data held overall. Figures 16 and 17 give a snapshot breakdown for the Desktop and Server backup service clients by operating system type. These breakdowns are an indicator of overall platform take-up across the university.
In conclusion, the site-wide HFS service has coped well with rapidly increasing demand, continues to offer a highly reliable and available facility with great convenience and simplicity to the end user, and is undergoing a major upgrade that will enable this expansion to be sustained.
The remaining central Unix server, Ermine, was closed down in February. This was preceded by a major exercise to transfer remaining email accounts to Herald, which went without hitch. A new Linux-based system has been provided for those with a special need for this type of service. The service is available to any University member who has a Herald account, and is accessed using Herald username and password on a secure login to linux.ox.ac.uk. This means that there is no extra administration required for registration functions, and so the cost of running the service is minimal. A wide range of software is provided, but does not include any commercial programs. There is no mail delivery to the system, but mail clients can be used to talk to Herald.
The computer room operations staff are responsible for all operational duties associated with substantial computing and network equipment housed there, especially the Hierarchical Fileserver and its robot tape library. In addition, OUCS houses various major computers belonging to other University departments, including the main OLIS library server and the parallel computer complex run by the Oxford Supercomputing Centre. The computer room equipment is protected by a large Uninterruptible Power Supply, and multiple air-conditioning systems.
The reorganisation of OUCS frontdesk service provision allows operations staff to play a much greater role in user support, and OUCS continues to move towards greater integration of all its user-facing activities.
The danger to the University of attack on its computers and network facilities continued to grow this year, with many major events affecting the internet. The threat of denial-of-service attacks, aimed at the internet as a whole or specifically at our networks, has received wide publicity, as has the damage caused by the computer infections usually known as viruses, but encompassing many specialist forms of attack. The defence usually adopted in the commercial world, of a very restrictive firewall policy, is not available in a University whose lifeblood is the range of communications it has to support with outsiders, and with its own members working from elsewhere, and so the firewall that OUCS runs on the external network connection has to be far more permissive than is desirable for tight security. The problem is greatly exacerbated by the wide range of computers connected to the network, and the differing support standards of these computers. Regardless of firewall precautions, infections are increasingly being brought into the University on portable machines, carrying viruses or worms they have picked up elsewhere. These then spread to other internal machines which have not been maintained with the latest security patches, and this can have very serious effects on the internal networks.
The security team at OUCS is responsible for monitoring the networks for indications of compromise and for taking action as soon as a compromise is detected. It also has a general pre-emptive role in trying to be aware of and blocking routes for potential attack, and educating the vast number of systems administrators and systems owners around the University about the need for security precautions on their own computers. It has proved very successful at this, and our large and complex computer network, and the computers connected to it, have suffered little disruption. However, every new exploit that comes to light reveals computers on the Oxford network that have not kept up with security precautions. Often the only way of safeguarding the whole University network is to block subnetworks until the machines on the subnetwork have been fixed. This is an area where lack of resources in one department can have very serious effects on everyone.
OUCS is assisted by the OxCERT security team, a group of systems experts from OUCS and other departments, which provides advice and assistance on issues relating to computer security. The OxCERT team has achieved standing and recognition within the international community, and is a full member of FIRST, the Forum of Incident Response and Security Teams.