Data Center Standards

Availability

The Data Center network infrastructure is supported as a 24x7 service through the CoreTech Networking Operations team. Escalation is provided through Data Center Operations and the NOPS team’s on-call rotation.

ITS reserves a maintenance window on Tuesdays and Thursdays, from 5-7am, and Thursdays from 7pm-12M. At least two weeks’ notice will be provided in the unlikely event that maintenance is expected to result in a service outage. The standardized maintenance windows will be used for repairs, installations, upgrades, testing, and other processes and procedures which may cause limited or no access to IT system resources. For planned maintenance, the UCSC Data Center follows the ITS Change Management Process, and planned changes are posted on the ITS Maintenance Calendar.


Standard Networking

The UCSC Data Center provides standardized 1Gbps networks, both firewalled and non-firewalled. The Data Center VPN provides administrators with a secure method to access servers behind the firewall. More information about standard Data Center networks is available here.

The Data Center has physical cabling standards to ensure consistency between cabinets; to simplify troubleshooting for networking, operations, and server-administration teams; and to ensure good air flow in the cabinets. More information is here.


Custom Networks

The Data Center can also provide custom networks for clients who require higher-speed networking, and can provide custom firewalled networks for customers with specific security requirements.


Server IP Address

Servers in the Data Center must be configured for static IP addresses. The Data Center does not typically use DHCP for servers.

Use this ITR Service Request to request a static IP address.

Select the service for “New DNS record and fixed IP.”

Enter your desired hostname and the target network from the link above (place all zeroes in the field for MAC address). Indicate in the “Reason for this request” field that this is for a host in the Data Center. The same ITR Service Request can be used to request a DNS alias (CNAME) for your host.


Server Configuration: DNS, NTP, and log management

DNS

Systems housed in the UCSC Data Center should be configured to use the campus DNS servers. The campus DNS servers are built with infrastructure-security protections, customized for the UCSC environment, that are not available through other DNS providers.

The campus DNS servers are:

ns1.ucsc.edu: 128.114.142.6

ns2.ucsc.edu: 128.114.129.33

NTP

Systems housed in the UCSC Data Center should be configured to use the campus NTP servers. This ensures that the timestamps in your logs are synchronized for event correlation and troubleshooting.

The campus NTP servers are:

ntp1.ucsc.edu: 128.114.129.77

ntp2.ucsc.edu: 128.114.1.77

ntp3.ucsc.edu: 128.114.103.81

 Log Management

Systems housed in the UCSC Data Center should be set to send system logs to the campus Information Security team’s server for monitoring and correlation.

The Information Security team can process a variety of system log types, as well as web server logs from Apache, IIS, and other platforms.

Please review the Log Management Service guide for specifics and configuration information beyond the basic information provided below:

Configure syslog-ng, rsyslog, or Windows agent software to forward to

  • IP: 128.114.111.196
  • PORT: 514 UDP/TCP

Additional info

  • ENCRYPTED PORT: 6514 TCP
  • Format: syslog/CEF
  • Accepts logs from any campus address in 128.114.0.0/16

 If you have problems or questions with sending, please create an ITR ticket, and use the keyword SIEM.


Port Standards

Servers in the Data Center should be configured to use standard ports for services such as HTTP (port 80), HTTPS (port 443), and SSH (port 22). This improves our ability to effectively troubleshoot, monitor, report on network activity, and to maintain standard server configurations.

For firewalled hosts, all administrators’ access (RDP, SSH, VNC) should go through the Data Center VPN.

Registered Standard Port References

Exception Process

Exceptions to using standards ports require approval from the Data Center Manager and Security Manager. To request an exception, follow the Firewall rule request process (below). 


Firewall Rule Requests (and other Data Center network changes)

Firewall rule requests, and other changes to the Data Center network, are reviewed weekly by representatives from the Data Center, Applications, Networking, and Infrastructure Security teams.

This weekly review will provide a mechanism to generalize rules and implement group objects, so that we can reduce the need for numerous point-to-point rules.

This process is defined in more detail in this (internal) KB article

To request additional firewall rules, or to request the removal of a firewall rule, open a ticket in SlugHub as follows:

Service = "Firewall Services"

Sys/App (CI) = "Data Center Firewall"

(or just use Keyword = "Data Center Firewall")

In the ITR ticket, specify the firewall rule requests in the following format:

SOURCE = hostname [IP address]

DESTINATION = hostname [IP address]

PORT(S) = list individual port(s) or range of ports

PROTOCOL = TCP and/or UDP

To help with the review and approval process:

  • Do include a sentence or two about the background for the request.
  • Don’t request rules with “any” for DESTINATION.
  • Don’t request rules with “any” for PORT.
  • Don’t request rules for hosts on the same subnet. Host-based firewalls might need to be updated by the server administrator, but the Data Center firewall will not see this type of traffic.
  • Don’t include access for Data Center VPN users as a normal firewall rule. Access for Data Center VPN users should flow automatically, based on the user's DC-VPN group membership.