Information Technology

Rice Virtualized Network Architecture - aka Affinity Groups


Affinity Groups

The Rice data network is a single physical network with nine virtual networks. These virtual networks are known as Affinity Groups (AGs). The virtual networks group the network traffic of computers and devices with similar security needs together and segment them from dissimilar systems. Within an Affinity Group, traffic can flow between systems without restriction. Between Affinity Groups, the traffic flow is restricted in order to establish appropriate trust relationships between the systems.

Further detail about Rice's implementation of the Affinity Groups can be found in the RiceNet Affinity Groups and Firewall Relationships document (20.34MB PDF).

Student Network Security Change

Rice's current Affinity Group and network architecture configuration provides private network addresses (10.x.y.z IP addresses) to students. These addresses are not usable on the Internet, so they are translated into routable public addresses (128.42.x.y or 168.7.x.y) when the systems using private addresses access sites on the Internet.

Hackers attempting to penetrate the campus network security continue to blast Rice's network with traffic in a way that consumes all of the available public IP address translations. When this happens, students are sometimes unable to access the Internet. In late September 2008, the unavailability of the Internet to students (due to the hacker traffic) began occurring on a daily basis.

Information Technology began assessing the Internet connectivity issue immediately and made plans to accelerate the implementation of differentiated security levels. This change will be made on October 2, 2008. It will prevent Internet hosts from sending unsolicited traffic into the campus network across the border and will preserve the availability of address translations.

Ultimately, this change will improve both the reliability of Internet access and the security for systems on the Student network.

Faculty and Staff Network Security Change

Like the Student network, the Faculty/Staff affinity groups and network architecture configuration provides private network addresses (10.x.y.z IP addresses) to personal computers for Rice employees. These addresses are not usable on the Internet, so they are translated into routable public addresses (128.42.x.y or 168.7.x.y) when the systems using private addresses access sites on the Internet.

On October 13, 2008, the Faculty/Staff network security configuration will be changed so that incidents like the loss of Internet access in early October can be prevented in the future.

Faculty and staff computers in the Research network, the Open network, and the DMZ network are not affected by the change in the Faculty/Staff network. Faculty and staff computers that have been configured with public IP addresses are likewise unaffected by the change in the Faculty/Staff network.

 
 
 

 
  
Page content reviewed: 10/7/2008 by William Deigaard and Gary Kidney. Markup: 10/7/08 by Carlyn Chatfield
