Diode = Outside access for servers

EPFL is setting up a more secure internal network.

This separates the data between different zones.

Three zones are concerned for machines open on Diode:

  • The exterior
  • The “Untrust” zone containing open machines on Diode
  • The “DC Service” zone containing the basic services.

Three consequences for machines accessible from the outside opened on the firewall (Diode):

  • All machines must be migrated from specific subnets (“Untrust” zone).
  • Existing machines must be migrated quickly.
  • Since November 20, 2018, it is no longer possible to open a machine on Diode that is not in a “Untrust” zone.

The migration process is described here,
there are five steps to follow for migration:

  1. Check if the opening of Diode is for the management:
    • Yes
      Preferably use the VPN, close the Diode aperture.
    • No
      Go step 2
  2. Check if the machine uses other linked servers:
    • Yes
      Migrate all the concerned servers in the “Untrust” zone.
      or
      Migrate some servers in the “DC Service” zone.
      The machine will have to be hosted in the DataCenter in future!
    • Go step 3
  3. If your machine offers a service that depends on the IP name (Web server)
    • Yes
      Ask the network team ([email protected]) to schedule a 2 minute TTL change for the affected DNS names.
      Must be done no later than 48 hours before migration.
    • Go step 4
  4. Prepare for migration to the Untrust area
    • Yes
      For each affected machine, trigger the migration in this form:
      https://network.epfl.ch/epnet/vrf/vrf.pl
      Be careful, the form will create a new IP address that will communicate to you.
      The step 4 and 5 need to be on the same day.
    • Go step 5
  5. Migrate to the Untrust zone, during this phase the services of the machine are interrupted.
    1. Change the IP address of the affected machine from the migration form.
    2. Validate the migration ( https://network.epfl.ch/epnet/vrf/vrf.pl ).
    3. Restart the machine.

“DC Service” zone

Currently, here are the machines that are explicitly in the “DC Service” zone:

DC Service

128.178.15.0

DNS, AD

128.178.50.0

VPSI

128.178.131.0

Outside VPSI

128.178.210.0

VPSI

128.178.222.0

SLB Service

128.178.166.166

ares

128.178.166.167

ares-ah

128.178.109.70

astalavista

128.178.166.117

security-scan2


128.178.109.75
128.178.109.79
128.178.109.94
128.178.109.143
128.178.109.187
128.178.109.129

myPrint Servers
exterpsrv1
exterpsrv6
exterpsrv7
exterpsrv8
exterpsrv10
exterpsrv14