Visitor's Computer Guidelines
In general, there is no problem connecting your laptop, data-taking or data-reduction computer to the CTIO computer network as part of your observing program.
Follow these guidelines
Let us know ahead of time...
To connect to the CTIO network we will have to register your computer's MAC address for each network card (Wi-Fi and Ethernet). Please do this before visiting; otherwise you will not be able to use your laptop, tablet, etc. By clicking on the link below, you will fill out a form, and this will send an email to CISS staff, who will then manually add the MAC addresses provided to the DHCP server.
- We don't normally assign fixed IP numbers (typically DHCP servers automatically assign IP numbers to computers registered at CTIO). Even before the equipment actually arrives, we would still like to know the particulars of a hardware system to see if it will cause any conflicts.
- Send email to ITOps with details about your system and your requirements.
- If necessary, we will send you back the details about our network you will need to know such as gateways, subnet masks, internal DNS servers and so forth.
Please don't bring down an insecure system...
- Make sure you read the CTIO Network Security Guidelines
- Make sure your computer's operating system has the latest security patches installed: whoever set up your computer should follow hardening security best practices in applying patches, closing off unused operating system features, and keeping antivirus software and personal IDS systems functioning and up-to-date.
- Make sure your computer has the minimum services enabled.
- Make sure your computer responds to network based connection requests only on network ports actually being used.
- Of course, please make sure your computer does not have a root-kit or remote administration trojan installed (!)
- In a world where zero-day viruses are becoming more common, please make sure you have an anti-virus running with the latest virus definitions on your machine if running Windows 9x/NT/2000/XP. At CTIO, anti-virus software running on user PCs updates its definitions TWICE A DAY.
- It is highly recommended that you enable a properly configured host based firewall/IDS: Zonealarm for example if running Windows 9x/NT/2000/XP, ipfilters or ipchains if running a Linux/OpenBSD/Unix based system.
- Make sure you have a minimum sized password file with only standard accounts required by the operating system plus those that will actually be used during the run, and no easy to crack passwords.
- In the likely event you plan on logging into the CTIO machines and/or transferring data to them, you should have SSLv2 derived scp or which are much safer than normal ftp. See the CTIO Network Security Guidelines on how to acquire these if you haven't already.
Disconnect from your network BEFORE you come down...
- You should NOT run a DHCP server on your machine.
- Setting up your machine as an FTP server is *very* strongly discouraged (it will only be allowed by special request), as this is the classic security hole on many types of system, particularly Linux. If you must run an FTP server, you should not set up an anonymous FTP incoming area, and you should be running a more secure FTP server than the one in the normal Linux distribution, such as vsftp.
- You should NOT run a WWW server on your machine, particularly a Microsoft IIS WWW server.
- You should NOT run unnecessary daemons, CHAT, ICQ, networked games, P2P, KaZaa, Napster, GNUtella, or other potential avenues which malware can use to circumvent CTIO defenses.
- You should NOT run a DNS server on your machine.
- You should NOT run an NIS or NIS+ server on your machine.
- You should NOT run an active router of any sort.
- On SUN Solaris 2.x run the command sys-unconfig as the last step before packing up your machine to disconnect the various daemons and setup files from your home network.
- On computers running a flavor of UNIX (Linux, OpenBSD, etc.), you will have to edit the files in the directory /etc/sysconfig, such as network, to remove your home network dependencies.
- In sum, make sure you declare independence from your home network and no longer depend on remote mounts to access crucial system files or resources.
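
One way to check the "minimum services" and "You should NOT run" items above on a Linux laptop before travelling, as an added example that is not part of the CTIO guidelines: it parses `ss -tuln` output and flags network-reachable listeners on the well-known ports of the server types listed. The port mapping, the allowlist and the sample output are assumptions constructed for illustration.

```python
# Added example: audit listening sockets against the "should NOT run" list.
# Well-known ports are used; NIS/NIS+ binds dynamic ports, so its
# prerequisite rpcbind (111) is flagged instead (assumption of this example).
FORBIDDEN = {
    ("udp", 67): "DHCP server", ("tcp", 21): "FTP server",
    ("tcp", 80): "WWW server", ("tcp", 443): "WWW server",
    ("tcp", 53): "DNS server", ("udp", 53): "DNS server",
    ("tcp", 111): "rpcbind (NIS/NIS+)", ("udp", 111): "rpcbind (NIS/NIS+)",
}
# Hypothetical allowlist: SSH for scp, plus the DHCP *client* port (68),
# which must stay open because addresses are assigned by DHCP.
ALLOWED = frozenset({("tcp", 22), ("udp", 68)})

# Constructed sample of `ss -tuln` output, not captured from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:67          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      32     [::]:21             [::]:*
tcp   LISTEN 0      511    127.0.0.1:80        0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.5%eth0:53 0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:6346        0.0.0.0:*
"""

def audit(ss_output, allowed=ALLOWED):
    """Return (forbidden, unexpected) lists of (proto, port, addr, note)."""
    forbidden, unexpected = [], []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only: not reachable from the network
        key = (fields[0], int(port))
        if key in FORBIDDEN:
            forbidden.append((*key, addr, FORBIDDEN[key]))
        elif key not in allowed:
            unexpected.append((*key, addr, "not in allowlist"))
    return forbidden, unexpected

if __name__ == "__main__":
    bad, odd = audit(SAMPLE)
    for proto, port, addr, note in bad + odd:
        print(f"{proto}/{port} on {addr}: {note}")
```

To audit a real machine, pass the text produced by `ss -tuln` to `audit()` in place of `SAMPLE` and extend `ALLOWED` with the ports your observing run actually needs.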
Bring down the right miscellaneous hardware...
- In general, we can handle 100baseT connections to our ethernet backbones, have quite a bit of wireless 802.11b/g, and support gigabit ethernet on some subnets.
- We have dial-in modems for PPP connections available but these are now deprecated and accessible only by special request.
- We may not have all the right miscellaneous connectors, adaptors or cables available for your brand of equipment if you leave them at home.
- We will of course try our best to get you on line regardless...
If any of these requirements present a problem, please contact ITOps with your needs and we can investigate the safest solution.