CTIO Visitor Computer Guidelines
In general, there is no problem connecting your laptop, data-taking or data-reduction computer to the CTIO computer network as part of your observing program.
We do, however, request that you follow these guidelines:
Let us know ahead of time...
- We don't normally assign fixed IP numbers (typically DHCP servers automatically assign IP numbers to computers registered at CTIO). Even before the equipment actually arrives, we would still like to know the particulars of a hardware system to see if it will cause any conflicts.
Send email to CISS
with details about your system and your requirements.
If necessary, we will send you back the details about our network you will need to know such as gateways, subnet masks, internal DNS servers and so forth.
Please don't bring down an insecure system...
- Make sure you read the CTIO Network Security Guidelines
- Make sure your computer's operating system has the latest security patches installed: whoever set up your computer should follow hardening best practices in applying patches, closing off unused operating system features, and keeping antivirus software and a personal IDS running and up to date.
- Make sure your computer has the minimum set of services enabled.
- Make sure your computer accepts network connection requests only on the ports actually being used.
- Of course, please make sure your computer does not have a rootkit or remote-administration trojan installed (!)
In a world where zero-day viruses are becoming more common, please make sure you have anti-virus software running with the latest virus definitions if your machine runs Windows 9x/NT/2000/XP. At CTIO, anti-virus software running on user PCs updates its definitions >> TWICE A DAY <<.
It is highly recommended that you enable a properly configured host-based firewall/IDS: ZoneAlarm, for example, if running Windows 9x/NT/2000/XP; IPFilter (ipf) on OpenBSD, ipchains/iptables on Linux, or whatever packet filter your Unix variant provides. The goal is a default-deny inbound policy with only the ports you actually use opened.
Make sure your password file is minimal: only the standard accounts required by the operating system plus those that will actually be used during the run, with unused accounts removed or locked, and no easy-to-crack passwords.
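As an added example (not part of the CTIO page), the following POSIX shell script audits a passwd/shadow pair for the two things the paragraph above asks about: accounts that still have a login shell, and accounts whose password field is empty or unlocked. The sample /etc/passwd and /etc/shadow contents are constructed here so the script runs offline; on the machine you are packing up, point the functions at the real /etc/passwd and /etc/shadow (as root). Account names, hashes and the locked/unlocked conventions shown ('*' or a leading '!' meaning locked) are the usual Linux ones and are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not from the CTIO guidelines: list accounts that can log in,
# and flag those with no password at all. Sample files are constructed.

SAMPLE_DIR=${TMPDIR:-/tmp}/pwaudit.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample /etc/passwd: system accounts plus three interactive ones.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
observer:x:1000:1000:Observer:/home/observer:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
oldstudent:x:1002:1002:Left last year:/home/oldstudent:/bin/tcsh
EOF

# Constructed sample /etc/shadow: 'guest' has an empty password field,
# 'oldstudent' is locked with a leading '!', the rest carry fake hashes.
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$fakehash$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
observer:$6$fakehash$def:19000:0:99999:7:::
guest::19000:0:99999:7:::
oldstudent:!$6$fakehash$ghi:19000:0:99999:7:::
EOF

# login_accounts PASSWD: users whose shell is not nologin/false.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# unlocked_accounts SHADOW: users whose password field is neither locked
# ('*' or leading '!') nor empty, i.e. password login works.
unlocked_accounts() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# empty_password_accounts SHADOW: users who can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# audit PASSWD SHADOW: one line per account that has a login shell, showing
# whether its password is set or empty; locked accounts are silently skipped.
audit() {
    login_accounts "$1" | while read -r user; do
        field=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$2")
        case "$field" in
            "")     echo "WARN $user: login shell and EMPTY password" ;;
            "*"|!*) ;;   # locked: cannot log in by password
            *)      echo "OK   $user: login shell, password set (keep only if needed)" ;;
        esac
    done
}

audit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

Anything reported as OK that will not be used during the run should be removed or locked (`passwd -l user` on Linux); anything reported as WARN needs a password before the machine is connected anywhere.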
In the likely event you plan on logging into the CTIO machines and/or transferring data to them, you should have SSH (protocol version 2) clients such as ssh and scp, which are much safer than normal ftp, which sends your password and data in clear text.
See the CTIO Network Security Guidelines on how to acquire these if you haven't already.
Disconnect from your network BEFORE you come down...
- You should NOT run a DHCP server on your machine.
- Setting up your machine as an FTP server is *very* strongly discouraged (it will only be allowed by special request), as this is the classic security hole on many types of system, particularly Linux. If you must run an FTP server, do not set up an anonymous FTP incoming (writable) area, and run a more secure FTP daemon than the one in the normal Linux distribution, such as vsftpd.
- You should NOT run a WWW server on your machine, particularly a Microsoft IIS WWW server.
- You should NOT run unnecessary daemons, chat clients such as ICQ, networked games, P2P file sharing (KaZaa, Napster, Gnutella), or other potential avenues which malware can use to circumvent CTIO defenses.
- You should NOT run a DNS server on your machine.
- You should NOT run an NIS or NIS+ server on your machine.
- You should NOT run an active router of any sort.
On Sun Solaris 2.x run the command sys-unconfig as the last step before packing up your machine; it removes the hostname, IP address, name service and similar settings tied to your home network and prompts for new ones at the next boot.
On computers running a flavor of UNIX (Linux, OpenBSD, etc.), you will have to edit the network configuration files by hand to remove your home network dependencies: for example /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-* on Red Hat-style Linux, or /etc/hostname.*, /etc/mygate and /etc/resolv.conf on OpenBSD, plus any NFS entries in /etc/fstab and any "nis" entries in /etc/nsswitch.conf.
In sum, make sure you declare independence from your home network
and no longer depend on remote mounts to access crucial system files or resources.
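The checks in this section (no unneeded listeners, none of the servers CTIO asks you not to run, no remote mounts or NIS lookups that need your home network) can be scripted before you pack up. The following POSIX shell script is an added example, not part of the CTIO page: it compares listening sockets against a short allowlist, labels the well-known ports for the services listed above, and scans /etc/fstab and /etc/nsswitch.conf for home-network dependencies. The listener list, fstab and nsswitch.conf contents are constructed here so it runs offline; on a real machine feed it the output of `ss -tuln` (or `netstat -tuln`, whose columns differ) and the real files. The allowlist of port 22 only (sshd) is an assumption; extend it with whatever your data-taking software needs.

```shell
#!/bin/sh
# Added example, not from the CTIO guidelines: pre-trip audit of listeners
# and home-network dependencies. All input data below is constructed.

D=${TMPDIR:-/tmp}/pretrip.$$
mkdir -p "$D"
trap 'rm -rf "$D"' EXIT

# Constructed listener list in 'ss -tuln' column order:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
cat > "$D/listeners" <<'EOF'
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 5   127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:21       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80       0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:67       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53       0.0.0.0:*
EOF

# Constructed /etc/fstab with two NFS mounts from a home file server.
cat > "$D/fstab" <<'EOF'
/dev/sda1              /       ext3  defaults      1 1
homeserv:/export/home  /home   nfs   rw,hard,intr  0 0
homeserv:/export/data  /data   nfs   rw,soft       0 0
/dev/sda2              swap    swap  defaults      0 0
EOF

# Constructed /etc/nsswitch.conf still consulting NIS for users and groups.
cat > "$D/nsswitch.conf" <<'EOF'
passwd:     files nis
group:      files nis
hosts:      files dns
EOF

# Assumed allowlist: only sshd should answer on a non-loopback address.
ALLOWED_PORTS="22"

# service_name PORT: label the ports the guidelines single out.
service_name() {
    case "$1" in
        21)     echo "ftp (FTP server: only by special request)" ;;
        53)     echo "domain (DNS server: do not run)" ;;
        67)     echo "bootps (DHCP server: do not run)" ;;
        80|443) echo "http/https (WWW server: do not run)" ;;
        111)    echo "sunrpc (portmapper used by NIS/NFS: do not run NIS)" ;;
        *)      echo "port $1" ;;
    esac
}

# unexpected_listeners FILE: "proto port" for every socket bound to a
# non-loopback address whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed=" $ALLOWED_PORTS " '
        $5 ~ /^(127\.|\[::1\])/ { next }          # loopback-only is fine
        { n = split($5, a, ":"); port = a[n]
          if (index(allowed, " " port " ") == 0) print $1, port }' "$1"
}

# remote_mounts FSTAB: mounts that need the home network.
remote_mounts() {
    awk '$1 !~ /^#/ && $3 ~ /^(nfs|nfs4|cifs|smbfs|afs)$/ { print $2, "from", $1 }' "$1"
}

# nis_lookups NSSWITCH: databases still resolved via NIS (ypbind will hang
# without the home server, and logins may hang with it).
nis_lookups() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++)
          if ($i == "nis" || $i == "nisplus") { sub(/:$/, "", $1); print $1 } }' "$1"
}

# report LISTENERS FSTAB NSSWITCH: one finding per line.
report() {
    unexpected_listeners "$1" | while read -r proto port; do
        echo "LISTENER $proto/$port: $(service_name "$port")"
    done
    remote_mounts "$2" | sed 's/^/MOUNT /'
    nis_lookups "$3" | sed 's/^/NIS /'
}

# findings: number of lines report would print (0 means ready to travel).
findings() { report "$@" | wc -l | tr -d ' '; }

report "$D/listeners" "$D/fstab" "$D/nsswitch.conf"
```

On the sample data the report flags the FTP, WWW, DHCP, portmapper and DNS listeners, both NFS mounts and the two NIS lookups; a machine is ready to travel when `findings` returns 0 against its real `ss -tuln` output and /etc files. Loopback-only listeners (the CUPS print spooler on 127.0.0.1:631 here) are deliberately ignored, since they do not answer network connection requests.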
Bring down the right miscellaneous hardware...
If any of these requirements present a problem, please contact CISS with your needs
and we can investigate the safest solution.
In general, we can handle 100baseT connections to our ethernet backbones, have quite a bit of wireless 802.11b/g, and support gigabit ethernet on some subnets.
We have dial-in modems for PPP connections available but these are now deprecated and accessible only by special request.
We may not have all the right miscellaneous connectors, adaptors or cables
available for your brand of equipment if you leave them at home.
We will of course try our best to get you on line regardless...