Debian in use at Fuller Seminary

Fuller Seminary has used Linux since 1995 for networking and to provide Internet services to students. Fuller Seminary is a theological academy in the greater Los Angeles area in the United States. It is one of the biggest private theological educational institutions in the US, with about 4,000 students. Fuller Seminary is recognized worldwide. In Germany, Fuller Seminary is known through the School of World Mission (C.P. Wagner, Charles Kraft, around 1980: John Wimber).

In 1995 the school was not connected and had only one VAX (DEC) with terminals. These terminals were distributed around a big area, since the campus consists of a collection of buildings within downtown Pasadena. A LAN existed only to connect the VAX with terminal servers.

I was hired in 1995 to connect the school to the Internet. I already had Linux experience and was maintaining a Bulletin Board System on Linux, which was the only way to have e-mail access for students at that time. Linux was a big problem for the management. It had to be a commercial solution, and it was insisted that we follow the suggestions of a consulting firm. So a BSDI system was purchased. However, the consulting firm did not foresee that the hardware that they recommended was not compatible with the requirements of BSDI. So the Compaq server, which already had integrated SCSI controllers, was expanded with a Buslogic controller. A Mach32 video adapter was added and the integrated video adapter was turned off. Another machine was "reconfigured" in the same manner. It had to be Compaq machines so that one could be sure that they would work.

It became apparent that BSDI had only limited functionality. In the meantime I had found a way to add a TCP/IP stack to the VAX (Freeware CMU TCP/IP Package), and after I connected a Linux box to the terminal server network, the VAX and Unix machines were able to talk to each other. This was a bit unexpected for the management; however, it was clear to them how important this cross-connection was. It had been the aim to switch over to TCP/IP for a long time. BSD/I was not able to keep a telnet connection open with the VAX. However, Linux was. The interesting thing was that the BSDI machine could be reached from the VAX only if one went over the Linux machine first.

The hardware was still not functioning reliably. The Compaq server had problems with overheating due to the many SCSI cables inside it. A demonstration that all hardware was supported and that all the special devices were not needed when one got rid of BSD/I finally convinced the management. BSD/I was gone; Linux was the platform for the campus network. I had enough parts left to build a couple of Linux servers.

At that time we were using Slackware. I heard about Debian and tried a few times to install it; however, I failed repeatedly due to the peculiarities of dpkg. After we had great problems with the upgrade of Slackware, twice, I started to study Debian's specifics in early 1996. Afterwards I was at last able to install Debian.

In comparison with Slackware, updates were now no big problem. With Slackware we had several days of downtime for upgrades. Debian could upgrade packages while the system was actively running, which was a great advantage. Sometimes, of course, a problem occurred during an upgrade, but then you could go back to the previous version to have things running again.

I found a few things not to be optimal with Debian, and a few software packages were missing too. So I became a member of the Debian Project and made sure that all necessary software packages were available. The development of .deb packages from source code packages was greatly simplified with the Debmake package. Most of our servers had only standard Debian packages without any special software except the custom compiled kernels. The ease of maintenance of our machines and the uptimes have substantially improved due to Debian.

Architecture

The following is simplified, and unimportant parts have been left out.

The network consists of the following components:

Server Network

Connection to the Internet and in between the Linux Servers.

Externals Network

Web servers for departments and for other purposes outside the firewall. Access to other networks on the campus is only possible via the firewalls.

Access to the central network is not possible; this network is considered outside our local network, and therefore all security measures are taken just as they are for other hosts on the Internet.

Library Network

Library with PAC (Public Access Computers) and diverse research databases.

Central Network

Interconnection of all buildings with servers, which are only accessible for internal use. No machine on the central network is directly accessible from the Internet. All connections to the outside are made via IP Masquerading. The IP addresses on this network are all local, and thus not usable on/via the Internet.

 

Server Network

The server network is the central part of our network. We have one T1 connection to the Internet (which is the standard in the US). The Livingston router dates back to the time of BSDI. We now would probably use a Linux server for the T1 connection. The Livingston router, with its different command interface, is something that has to be taught to each new staff member.

Livingston Router

The Livingston router has two Ethernet interfaces. The router is the primary firewall for our setup. The firewall filters only packets that are sent to the server net. The web servers and other special servers are on the "Externals Network". Servers on the "Externals Network" are not controlled by the sysadmins, but are the responsibility of other people who maintain their servers from somewhere in the world. They are totally responsible for the security of their servers. In case one of the servers crashes, it is their problem. Therefore, these servers are considered to be the same as any other host on the Internet.

Shell Server

A big problem at the beginning was the security of the Unix systems. The thought that students were allowed to have shell access on our Unix servers was a nightmare.

So we installed a special "Shell Server" whose only goal was to allow users Unix shell access in a secure manner.

The shell server had Debian 1.3.1 installed and was using a NIS server for the authentication of the users. There were no passwords on the system itself. Even the root account had an invalid password so that nobody could execute a "su". The root partition was exported via NFS to our administration server. There was no need to login to the system to change or update anything. The Debian NIS package has a special security feature so that a user who tries to do

"ypcat passwd.byname"

does not get any password information.
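One way to verify this behaviour from an unprivileged account, as an added example that is not part of the original article: the Python script below reads passwd-format lines such as those printed by ypcat passwd.byname and reports every entry whose password field is not masked. The placeholder set, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Field values that carry no hash material. Which placeholder a given NIS
# server substitutes is an assumption; adjust to what yours prints.
PLACEHOLDERS = {"x", "*", "!", "!!"}

# crypt(3) output: modular format ($id$...) or 13-character traditional DES.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")

def classify(field):
    """Return 'masked', 'empty', 'hash' or 'unknown' for a password field."""
    if field == "":
        return "empty"  # account can be used without any password
    if field in PLACEHOLDERS or field.startswith("##"):
        return "masked"
    # A locked entry ("!" + hash) still discloses the hash itself.
    if HASH_RE.match(field.lstrip("!*")):
        return "hash"
    return "unknown"

def audit_passwd_map(text):
    """Return (user, finding) for every entry that is not masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((f"line {lineno}", "malformed"))
            continue
        status = classify(parts[1])
        if status != "masked":
            findings.append((parts[0], status))
    return findings

# Constructed sample in passwd(5) format; no real accounts or hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:abCONSTRUCTED:1002:100:Bob Example:/home/bob:/bin/bash
carol::1003:100:Carol Example:/home/carol:/bin/bash
dave:!$1$constructed$notARealHashValue000:1004:100:Dave:/home/dave:/bin/sh
broken line without fields
"""

if __name__ == "__main__":
    for user, finding in audit_passwd_map(SAMPLE):
        print(f"{user}: {finding}")
```

An empty result means every entry in the map was masked; any "hash" or "empty" finding means the map is disclosing more than the setup described above intends.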

The only security problems on the shell server up until now were a few students who gave their passwords to other people via the Internet. We had a few hackers who used other people's accounts. However, they were not able to cause any problems.

Administrative Server

Here the sysadmins are at work. The system contains all administrative information and has all Linux boxes mounted via NFS. It executes daily backups of all Linux boxes. There is a function which allows new students to set up their account online.

News Server

We offer our students a full UseNet newsfeed. The system allows public access to Linux-related UseNet groups (set your news reader to news.fuller.edu and you are all set to go). It also works as a mail exploder for the Linux mailing list on vger.rutgers.edu and sends anywhere from 150,000 up to 200,000 e-mails per day. The mailing-list to UseNet gateway is on this machine as well. If you are following a linux.* newsgroup, then it is probably fed from news.fuller.edu to UseNet.

Internal Router

The Linux router does masquerading for the central network and also makes information available via caching. For these reasons there is a DNS server and a web cache (squid) running on it. The router has 5 network cards installed and is the central router on campus. For security reasons the other two servers are also connected to the central network and can take over the role of router in case of an emergency.

Central Network

The central network is a real 'mess'. Different buildings are connected via diverse methods. The VAX and the terminal servers are what was originally present in 1995. The campus was originally set up with Macintosh systems, and we have a lot of Macs which are connected via LocalTalk or EtherTalk on the network. Administrative applications run on the VAX. A lot of them have been in use since the seventies and are constantly modified according to needs.

As mentioned before, the central network is not reachable via the Internet. Connection to the Internet from the central network is possible due to IP masquerading on the Linux router.

I hope that this was relatively interesting. You can reach me via e-mail at clameter@waterf.org


Translation from German into English (as-is) provided by Giray Devlet giray@osc.nl. Original text to be found at http://lameter.com/linux/DebianFuller.html