

Minutes of October 9, 2008 ITAC-NI Meeting:



    AGENDA:

    1. Approve prior minutes
    2. Greeting from the CIO
    3. Review the UF AUP and UF Network and Host Security Standards and Procedures, and how they imply restrictions on NAT devices even in networks that are not centrally managed, i.e., not CNS Wall-Plate, HealthNet, or DHNet.
    4. CNS Wall-Plate update

    CALL TO ORDER:

    This meeting was scheduled in CSE E507 at 1:00 pm on Thursday, October 9th and was made available via videoconference with live-streaming and recording for future playback. Prior announcement was made via the Net-Managers-L list. The meeting was called to order by ITAC-NI chairman, Dan Miller, Network Coordinator of CNS Network Services.

    ATTENDEES: Twenty-one people attended this meeting locally. There was one attendee via Polycom videoconference, but there are no records of how many may have listened in to the stream via a web browser using the web interface.

    Ten members (or their proxy) were present: Charles Benjamin, Clint Collins, Dan Cromer, Erik Deumens, Tim Fitzpatrick, Craig Gorme, Tom Livoti, Dan Miller, Handsford (Ty) Tyler and Allan West (proxy for CLAS).

    Four members were absent: Stephen Kostewicz, Shawn Lander, Steve Lasley and Chris Leopold.

    Eight visitors were present as well: Stan Anders, Dennis Brown (via Polycom), David Gagné, Todd Hester, Charles Frazier, Bob Johnson, John Madey, and John Sawyer.


    Viewing the recording

    You may view the recording via the web at http://128.227.156.84:7734. Currently, you will need to click on the "Top-level folder" link, then the "watch" link next to the "ITAC-NI Meeting_09Oct08_12.45" item. This will likely be moved into the ITAC-NI folder shortly. Cross-platform access may not be available; on the Windows platform you will have to install the Codian codec.

    Audio archive

    An archive of audio from the meeting was not available this month.


    1) Approve prior minutes

    No corrections or additions were offered and the minutes were approved without further comment.


    2) Greeting from the CIO

    Dan Miller introduced Dr. Charles (Chuck) Frazier who was appointed as Interim CIO effective August 1st.

    2-1) Apology for missing our September meeting

    Dr. Frazier stated that he had the goal of getting around to all the various ITAC sub-committees shortly after his appointment. He mentioned that this didn't happen immediately with this group and he had missed at least one meeting for which he apologized.

    2-2) Thanks for the work we do

    Chuck said that he had two basic purposes in coming. The first was to offer his thanks to the committee members for the time and effort they spend on committee duties. Having been involved in its creation, he has always been gratified with how well the ITAC and its governance structure has worked over the years. He realizes that we are not directly compensated for our time with these committees. That is all the more reason to thank us for the work we do here for the greater good of UF.

    2-3) "Transition to the transition"

    Dr. Frazier's second reason for coming today was to try explaining the "transition to the transition" which IT at UF is currently undergoing. He had tried to do a bit of that via the Open Letter to UF OIT Staff in the September Edition of the UF Office of Information Technology Newsletter, but hoped his presence here could help clarify things a bit.

    2-3-1) IT had a previous opportunity for centralized focus eight years ago

    Chuck said that UF had had an opportunity back in the 1999-2001 timeframe to focus a bit on IT and to make some progress. ITAC and the various sub-committees were created out of that and much good resulted.

    2-3-2) Since that time IT has been on the back burner

    We then went through a period where IT was not a front-burner action. Chuck doesn't think this happened because of any effort to take IT and bury it someplace, but rather because our new president had looked at many issues and decided that other matters were more pressing. The administrative structures for student services, HR, etc., have been the focus during the interim, and a great deal of change and progress has been accomplished in those areas.

    2-3-3) It is now time to focus on IT again

    The President has now made the decision to again focus on IT. He knows where he wants to go and now the next decision is how to get there. One option would be to hire a new CIO and give that person perhaps two years to figure out the lay of the land and accomplish the President's roadmap. In this case, the President has expressed confidence in the IT people at UF currently and has decided to move ahead by turning things over to them with roughly a one-year timeframe for completion.

    2-3-4) Why did Dr. Frazier return?

    Chuck said he would not have come back if he hadn't seen this as a positive opportunity and if he didn't have the same confidence as the President in our current IT staff. It wasn't an absolutely easy decision, but when asked he decided in the end that he could do the job. He knows the people and the environment well and believes we can make a very significant amount of progress in a fairly short period of time. Chuck believes we can end up with a better IT foundation for continued forward movement in the future.

    2-3-5) The process will be fast

    Dr. Frazier said that he expects things to take about one year overall. Since we are already two months down the road, that means we are looking at a fast 10 months ahead of us. Somewhere along the way in that process we will advertise for a new CIO. This means there will be another transition within the transition, likely with some period of overlap.

    This very afternoon at a "town meeting", Dr. Frazier intends to outline what will happen in the next three month period. The President says that IT at UF should be organized under a CIO with a coherent and cohesive organization for IT across the university and Dr. Frazier will be taking the steps to move us in that direction. It is a great opportunity but will entail a great deal of work as well.

    2-4) Questions and responses

    2-4-1) What is this "town meeting" you mentioned? (Erik)

    Tim responded that it started as the annual CNS employee recognition event. Tim invited Chuck and Chuck suggested we broaden it to other OIT employees. This event will be held at 3:30 this afternoon.

    Chuck responded that he has been trying to insert himself into every IT group he can, which was why he had asked Dan Miller to be here today and had asked similarly the other ITAC sub-committee chairs as well. He saw the CNS event as another opportunity and asked for 10 minutes on the agenda there; he requested that other folks who report to him be brought in as well.

    2-4-2) You mention that Dr. Machen knows what he wants at the end of the day. Does that mean the solution has been dictated or is part of this process to figure out what the governance structure should be starting from a blank sheet of paper? (Ty)

    Dr. Frazier responded that the governance structure is still open to some consideration. The whole organization of the university has changed in the last four years and we need to fit our new ITAC structure to that new model. Sometime during those changes the ITAC committee stopped meeting, likely because people didn't feel its structure fit very well with the new organization. Dr. Frazier sees this as an opportunity to reshape the structure of the ITAC.

    The President wants a CIO model for UF where there is a single point of contact for IT responsibilities.

    2-4-3) Can you provide any more details on the roadmap at this time? (Charles)

    Dr. Frazier stated that this was about five hours premature. He intends to cover those at the "town hall" meeting this afternoon. That will begin the information dissemination on this project. The last time we did something like this it took a year. Dr. Frazier has told Dr. Machen that we can do this current transition in three months. Last time we took a year partly because we had a year and also because we didn't have a clear direction of what we were moving to. This time around we will not be given that much time, so this will be a pretty fast, direct and deliberate process.

    2-4-4) Will the new structure be based on more of a business than an academic model? (Clint)

    Dr. Frazier responded that when he was in this position before as Vice Provost for IT, he reported to the Provost, who reported to the President. Now he reports to the Senior Vice President for Administration, Kyle Cavanaugh, who reports to the President. Is it any more an administrative structure now, because Kyle is administrative, than it was an academic one before, because of reporting through the Provost? In Chuck's view the answer is no. In both cases the intention was for the senior IT person to have responsibilities across the entire university, whether administrative or academic. Chuck hopes it doesn't appear that IT was formerly academically based and is now administratively based; it never has been one or the other and never should be.

    2-4-5) Is Dr. Frazier convinced we will have a sustainable funding model for IT at UF? (Dan Cromer)

    Chuck responded in the affirmative and stated that if he hadn't believed that would be the result then he wouldn't have thought this worth doing.

    2-4-6) Do you envision this new structure to be hierarchical and directive across UF or will the CIO be a coordinator of diverse and distributed activities? (Ty)

    Chuck responded "yes and yes". He believes that the CIO will have responsibility and authority under the President's vision. There will be a core group who will be under direct report to the CIO, but there will also be a distributed structure connected only via the dotted lines of an organizational chart. The core will be bigger than it has been however.

    2-5) Summation

    In summary, Dr. Frazier stated that he is genuinely excited about this transition, not because there is anything in it for him personally, but because he believes there is a lot in it for the university. He has been devoted to UF for the past 35 years and he likes seeing good things happen to it. If he had not been convinced that at the end of the day there are going to be good things coming out of this for the IT community and for UF then he wouldn't be back.

    Chuck added that he would be glad to come back to our committee by invitation at any time.


    3) Review the UF AUP and UF Network and Host Security Standards and Procedures, and how they imply restrictions on NAT devices even in networks that are not centrally managed, i.e., not CNS Wall-Plate, HealthNet, or DHNet.

    3-1) Background

    John Sawyer from the UF IT Security team was on hand and two handouts were provided from information available on the web:

    3-2) Introduction

    Dan Miller introduced this topic saying that CNS had wanted to review the UF AUP and UF Network and Host Security Standards and Procedures. This desire stemmed from an issue which had arisen within CNS specifically relating to Fraternities and the question: if a central provider allows a general or specific exception, who is responsible for security issues?

    3-2) Run-through of Node Security Standard items

    The published standards seem to be fairly rigorous, but Dan Miller wanted to review with HealthNet the published Node Security Standard list of twenty-three items to see how those points matched the way things were being done at the Health Science Center. These items list things which must occur with devices managed by UF IT workers before connecting to the UF network, though items marked with an asterisk are considered essentially optional. Such items must have their security handled in some fashion, but not necessarily strictly as listed.

    1. Have a clearly defined UF purpose and intended user base.

      Yes, HealthNet requires this.

    2. Be protected during the installation process by some combination of restricted network access, specific ACLs, private IP, or off-line installation (Best Practices for Secure Installation).

      Yes, HealthNet requires this.

    3. Be operated and secured appropriately for its specified network zone.

      HealthNet will soon be in compliance with this item.

    4. Have appropriate access restrictions, including but not limited to physical, ACL, firewall, authentication, authorization restrictions, screen locks, and inactivity timeouts. Network restrictions must allow access to the UF security scanner.

      Yes, HealthNet requires this.

    5. Be on private IP, unless public IP is required.*

      HealthNet is not quite there yet on this one but has plans to get there.

    6. Be at current patch levels.*

      Yes, HealthNet requires this.

    7. Have current anti-malware protection.*

      Yes, HealthNet requires this.

    8. Have a specific individual designated as manager.

      Yes, HealthNet requires this.

    9. Be documented for recreating the system.*

      The overall answer is no, but it depends on the importance of the system in question. If a system is sufficiently important, then this is supposed to be done; but the question would be one of enforcement.

    10. Be documented for operating the system and troubleshooting.*

      HealthNet does not require this.

    11. Have alerting and/or logging for security-related events or patterns where appropriate.

      HealthNet will soon be in compliance with this item.

    12. Be reviewed for security-related events or patterns with a frequency appropriate to the system.

      Yes, they ought to and they expect to be in compliance soon.

    13. Run only the services necessary to support its function.

      No, this item is considered a bit ambitious.

    14. Run only software necessary to support its function.*

      No, this item is considered a bit ambitious.

    15. Be monitored for proper system operation where appropriate.*

      No, this item is considered a bit ambitious.

    16. Provide system facilities to allow users to secure their data.*

      Yes, HealthNet requires this.

    17. Have been scanned for vulnerabilities within the last 3 months.

      Yes, HealthNet requires this.

    18. Comply with appropriate Software Security Standard(s).

      Yes, new applications must be reviewed by the security office.

    19. Comply with appropriate Data Security Standard(s).

      Yes, HealthNet requires this.

    20. Have defined power and backup power requirements where appropriate.*

      Yes, HealthNet requires this where appropriate.

    21. Have defined heat generation data where appropriate.*

      Yes, HealthNet requires this for machine rooms, though it was suggested that this item belongs in the server section which follows.

    22. Not have trust relationships beyond those required for proper function. Where needed, trust relationships should be based on secure cryptographic methods (e.g., SSH public keys or SSL certificates), and not on IP numbers or domain names alone.*

      There is no specific rule in this regard; it just makes good sense.

    23. Be synchronized with an accurate time server.*

      Yes, HealthNet requires this by policy.

    3-3) Review of the Network Security Standard section

    Dan Miller then read an earlier section of the standards page stating "Network access for personally managed IT resources should be more restricted than network access for professionally managed IT resources." WIPA (authentication prior to network connection) is at the top of the list for that, but they realize there is a cost involved in implementing it. The Health Center has a NAC system that is not implemented network-wide, but it is in place on wireless. In the case of the Fraternities and Sororities, they all currently go through a Bluesocket box and will be on Cisco NAC when that migration is made.

    3-4) What authority does CNS have in managing Greek house networks

    Dan Miller then referred to the very first section of the standard at the top of the page stating that this is the section which CNS is looking at as providing them some authority over the management of how the Greek houses run their networks even if they aren't part of the Wall-Plate initiative.

    3-4-1) Management of Greek networks has always been a challenge for CNS

    Dan Miller related that the security group, represented here today by John Sawyer, is now scanning for P2P traffic, and CNS is looking at bumping users who show what appears to be illicit P2P activity. Some Fraternities have Linksys devices acting as NATs, so the entire device would be bumped. This will cause a bit of a headache for everyone involved, and there is the question of what to do when these things are identified.

    3-4-2) Will off-campus houses have the same requirements as on-campus houses?

    Craig raised the question of off-campus vs. on-campus houses. John Sawyer responded that he believed this only applies if the house receives their networking connection from CNS. Clint was surprised that CNS provided network resources to Greek houses at all. John Madey said this started when the Vice President for Student Affairs funded connecting Greek buildings via fiber; they wanted them on the UF network. This began with Fraternity Row and then grew into the Sorority area as well.

    When Tim pointed out that he believed students would question the gap between services at Greek houses on campus and campus residence halls if that were not provided, Clint countered that we don't supply food services and the like for Greek houses on campus. That we do supply network services surprised him. Tim reported that the houses do pay for these services, though they naturally would like not to do so.

    3-4-3) Currently the Greek connections are a mixed bag

    Allan West asked if Greek houses on-campus are being moved to wireless. Dan Miller responded that this is a mixed bag. There are many houses that are on Wall-Plate, some that are not Wall-Plate, and some that just have some UF wireless presence. However, there are Linksys devices all over these houses.

    3-4-4) Short of moving all to Wall-Plate, what should we do?

    Tom said that it seemed to him that if these were all on Wall-Plate then CNS would have the control needed; the goal should be to move them all to Wall-Plate. Dan Miller said that the immediate issue was how to handle those who are not on Wall-Plate. Depending on their location and the presence of campus fiber, many of those are on the campus network and using UF address space.

    3-4-5) UF connections should imply UF rules

    Clint proposed that if these houses wanted the UF connection then they should accept the UF rules. If they don't want to comply, then they have the option of getting their own connections. Tim said that this is likely the direction towards which we will need to evolve. Dan Cromer said that he feels Greek houses on the UF network should comply with the same rules as the residence halls.

    3-5) Details of NAC plans

    Charles raised a question concerning the CNS plans for NAC. Dan Miller summarized by saying they are looking at replacing the Bluesocket functionality (at SSRB and Centrex for redundancy) for our centrally managed WAPs via WiSM modules. We have other types of connections out there currently, however, so there will be different stages of roll-out.

    3-5-1) Roll-outs will be staged

    The next stage will be an out-of-band solution so we can replace the Bluesockets that are attached to each core router at this time. Initially this will just involve authentication but this will be followed by a NAC implementation. Kathy Bergsma's group will be leading the effort to enable NAC as a follow-up to that. At first we will be monitoring and alerting and after that we will begin blocking access. The first step is to implement this just on central wireless through WiSM; that is our growth area and we need to provide for that. Afterwards we will look at parallel approaches with the wired network.

    3-5-2) Upcoming challenges with NAC implementation

    Charles noted that when a PC first comes on it is on a different VLAN; this means the servers have to be fairly distributed, or else you are spanning VLANs across the backbones. Dan Miller responded that there are other avenues they are exploring, which are not ready today. The fall-back plan is to use virtual cores (VRFs), and these, though complicated, might offer us other networking possibilities as well. There is another out-of-band solution which Cisco promises that should be a bit easier to implement.

    3-6) UF Security Group plans for the Greek houses

    Dan Miller then asked John Sawyer to describe their plans. John explained that what has happened is they have had a number of security incidents involving connections via NAT devices. The first person connecting ends up with their credentials being piggy-backed by everyone else connecting through that device. This has led to the wrong individual being accused of security violations.

    They have come up with a number of tools which analyze the characteristics of the network traffic passing through the IDS and help them determine when these NAT devices are involved. Then they can look at the logs, determine the MAC address of the NAT device and bump by MAC address rather than shutting down the entire device. Whenever a user logs in through that NAT device, no matter which user it is, they will automatically get logged off. They can also e-mail the individual involved to provide an explanation of what happened and why.
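
    The attribution problem John described above, worked through as an added example (this is not UF Security's tooling and not code from these minutes): passive NAT detection from per-flow characteristics an IDS already sees, followed by the lookup from the shared IP to the MAC address that holds its lease, which is what a bump by MAC address acts on. The flow records, the DHCP lease table, the addresses and the sensor hop count are all constructed; the heuristics (several TCP/IP stack signatures, several OS families in User-Agent strings, an extra routing hop) are the standard passive-fingerprinting signals and are not a description of the specific tools the security group uses.

```python
"""Passive NAT-device detection from per-flow traffic characteristics, then
mapping the shared IP to the MAC address that holds its lease so that the
device, not whoever authenticated first through it, is what gets bumped.

Added example for these minutes; not UF Security's tooling. All records are
constructed. Heuristics: a single host behind one IP shows one TCP/IP stack
signature, one OS family in its HTTP User-Agent strings and the same hop
count as the rest of its segment; a consumer NAT box hides several hosts
and adds one routing hop, so those signals multiply or shift."""
from collections import defaultdict
from dataclasses import dataclass

COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # common OS default TTLs


@dataclass(frozen=True)
class Flow:
    src_ip: str
    ttl: int          # IP TTL as seen by the sensor
    tcp_window: int   # TCP window size from the SYN
    user_agent: str   # HTTP User-Agent, "" when the flow carried none


def initial_ttl(observed):
    """Smallest common OS default TTL that is >= the observed value."""
    for t in COMMON_INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def os_family(user_agent):
    """Coarse OS family from a User-Agent string, or None if unknown."""
    if "Windows" in user_agent:
        return "windows"
    if "Mac OS X" in user_agent:
        return "macos"
    if "Linux" in user_agent:
        return "linux"
    return None


def analyze(flows, expected_hops):
    """Return {src_ip: [reason, ...]}; an empty list means no NAT evidence.
    expected_hops is the sensor's distance from directly connected hosts."""
    evidence = defaultdict(lambda: {"stack": set(), "os": set(), "hops": set()})
    for f in flows:
        e = evidence[f.src_ip]
        init = initial_ttl(f.ttl)
        e["stack"].add((init, f.tcp_window))
        e["hops"].add(init - f.ttl)
        fam = os_family(f.user_agent)
        if fam:
            e["os"].add(fam)
    verdicts = {}
    for ip, e in evidence.items():
        reasons = []
        if len(e["stack"]) > 1:
            reasons.append("%d distinct TCP/IP stack signatures" % len(e["stack"]))
        if len(e["os"]) > 1:
            reasons.append("several OS families: " + ", ".join(sorted(e["os"])))
        if any(h > expected_hops for h in e["hops"]):
            reasons.append("extra routing hop in path")
        verdicts[ip] = reasons
    return verdicts


def plan_bumps(flows, leases, expected_hops):
    """For each IP with NAT evidence, return {ip: (mac, reasons)} where mac is
    the lease holder (the NAT box's WAN side). Blocking that MAC at the
    authentication gateway logs off whoever authenticates through the box
    without cutting the rest of the house off."""
    return {ip: (leases.get(ip, "unknown"), reasons)
            for ip, reasons in analyze(flows, expected_hops).items() if reasons}


# Constructed sample data. The sensor is 2 hops from directly connected hosts.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", 126, 65535, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    Flow("10.20.30.40", 126, 65535, ""),
    # .41 is a consumer NAT router with three different machines behind it
    Flow("10.20.30.41", 125, 65535, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    Flow("10.20.30.41", 61, 5840, "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0"),
    Flow("10.20.30.41", 61, 65535, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5) Safari"),
    Flow("10.20.30.42", 62, 5840, "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0"),
    Flow("10.20.30.42", 62, 5840, ""),
]
SAMPLE_LEASES = {   # constructed DHCP lease table, IP -> MAC
    "10.20.30.40": "00:11:22:33:44:55",
    "10.20.30.41": "00:1e:e5:aa:bb:cc",
    "10.20.30.42": "00:aa:bb:cc:dd:ee",
}

if __name__ == "__main__":
    for ip, (mac, reasons) in plan_bumps(SAMPLE_FLOWS, SAMPLE_LEASES, 2).items():
        print("bump MAC %s (lease for %s): %s" % (mac, ip, "; ".join(reasons)))
```

    Run stand-alone, it reports one MAC to bump, the one leasing 10.20.30.41. Any single signal can misfire (a dual-boot machine changes its stack signature, a VPN client changes the hop count), which is why the verdict carries the list of reasons rather than a bare boolean: a person confirms before the MAC is blocked and the explanatory e-mail goes out.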

    3-7) So can UF security policy be enforced by CNS?

    Clint said that since the UF Security Team is obviously expending money and resources in handling these cases, he believes it reasonable to insist that our rules be followed. If they want to do P2P then they can get their own connection. Craig asked if houses are allowed to get their own connections. Dan Miller responded that he believed we would take an either/or approach to that. We definitely wouldn't want both to be in place.

    Ty said that if they are on campus then campus policy restricts them from negotiating with AT&T or anybody else. In contrast to that, John Madey pointed out that they do not have "392" UF phone numbers; if they had a DSL line, then CNS wouldn't even know. Ty asked if the Greek houses didn't have some governing structure by which rule violators can be held accountable. If so, why isn't this one of those rules handled via that process? Dan Miller said that this is one approach they plan to take with them. Part of the difficulty has been the turnover of house governing staff; house leaders change every year or every six months. Ty said that CNS could always cut them off as a means of getting their attention on such matters. Tim said that, at the device level, this is exactly what is planned.

    3-8) Proper notification of this change needs to be made however

    Erik pointed out that some structure needs to be in place whereby houses have a responsible contact on these issues. It is not fair to those individuals who are following the rules that they be denied access by a few irresponsible parties. Dan Miller said that they are making every effort to contact the appropriate parties to get the word out that this is a change which is coming in the very near future.

    3-9) Wall-Plate is the long-term solution

    Clint suggested that, in those cases where denial of connection was deemed necessary, CNS should consider offering Wall-Plate service, which would provide a higher level of granularity for their connection. That way single devices could be controlled rather than resorting to cutting off connectivity for an entire house. Tim said that in the short term we need to shut them off to keep the peace, but in the long term we need either a carrot or a stick to move them to Wall-Plate. Craig noted that, from his experience, if CNS starts doing this and they have an option to move to AT&T or Cox, then they will. CNS would be fine with that.

    3-10) WIPA causes the majority of security headaches

    Clint asked John Sawyer if a disproportionate number of security headaches come from the Greek houses. John replied that the majority certainly come from our WIPA connections. He didn't know off-hand whether or not the Greek houses' share of those was disproportional, but without looking he was inclined to say yes.

    3-11) NAT devices in general rather than P2P are the main problem

    John was asked if the problem was solely P2P traffic. John responded that they were concerned with any security violations and the fact that, with NAT devices, these can't be attributed to an individual as required by UF Network Security Policy. Charles replied that Housing uses 802.1x along with an appliance that contains a huge database of copyrighted material. They use that to look specifically for violations and have had great success with it.

    3-12) Summation

    Dan Miller summed up by saying that this whole problem boils down to the fact that CNS has no edge control in non-Wall-Plate locations. In rolling out edge control to houses on the Wall-Plate CNS realized that they needed to address this organizational structure issue, which is why the matter was brought here for discussion today.


    4) CNS Wall-Plate update

    4-1) Current port and phone counts

    Todd Hester reported that as of September the Wall-Plate project included 18,326 data ports and 3,318 telephones. For the quarter from July to September that involved a growth of 218 data ports and 304 phones. The projections for October through December would be about 13,000 data ports and another 400 phones. The third quarter numbers are underestimated by the way Todd measures things; we have a large number of jobs near completion but the cut-off happened just before those were done.

    4-2) Network Edge Protection progress

    Network Edge Protection has been rolled out to about one-third of all Wall-Plate buildings, and it is going out to all new buildings as they join Wall-Plate. On average, Todd is seeing about 2-3 triggers per day. Most of those involve people moving devices too quickly from one port to another. There are some instances of people plugging in switches and having ports shut down as a result. Dan Miller mentioned that there have been a couple of cases where people have plugged from the phone port back into another wall jack. Todd said that the scheme is working and they have had some incidents which would have taken down things which this protection has prevented.

    4-3) What is causing the triggers and where?

    Craig asked if problems were occurring in any one particular area. Todd responded that problems are scattered. They do see triggers happen in a particular building for 3-4 days in a row until everyone realizes what they are not supposed to be doing. Then it goes away.

    A question was asked about how issues are communicated to the end-users. Todd replied that an e-mail is sent to the network administrator. CNS is trusting the local admin to find the problem and resolve it. Otherwise the port just stays down until they fix it. Because it is a new rollout there have been a few instances where they have dispatched someone to take a look to make sure things were triggering the way they thought they were.

    Another question was about how a problem is correlated to a particular user. Todd responded that they don't do that, rather they correlate it to a particular port. They tell the local admin the room number and the jack involved and let them handle it.
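
    The trigger-to-admin workflow Todd described in 4-3, as an added example (this is not CNS's Network Edge Protection implementation and not code from these minutes): parse the switch syslog for the two trigger kinds mentioned, a MAC showing up on a port it is not allowed on and a switch plugged into an edge jack, map the (switch, port) pair to a room and jack, and route the notice to that building's local admin, or to the NOC for a dispatch when the port has no jack record. The message bodies follow Cisco IOS syslog formats; the switch names, jack table, building names and e-mail addresses are constructed.

```python
"""Turn edge-protection triggers into notices keyed by port, not by person.

Added example for these minutes; not CNS's tooling. The syslog bodies use
Cisco IOS message formats; hostnames, jack table and addresses are constructed."""
import re
from collections import Counter

# The two trigger kinds mentioned: a device moved to a port its MAC is not
# allowed on (port-security violation) and a switch plugged into an edge
# jack (BPDU received on a BPDU-Guard port). Both leave the port err-disabled.
TRIGGERS = {
    "mac-violation": re.compile(
        r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
        r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\."),
    "bpdu-guard": re.compile(
        r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) "
        r"with BPDU Guard enabled\. Disabling port\."),
}
# "Oct  9 13:02:11 <switch>: ..." syslog header as constructed for the samples
HEADER = re.compile(r"^\w+\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<switch>\S+):")


def parse_trigger(line):
    """Return {'switch','port','kind','mac'} for an edge-protection trigger,
    or None for any other syslog line."""
    h = HEADER.match(line)
    if not h:
        return None
    for kind, pat in TRIGGERS.items():
        m = pat.search(line)
        if m:
            return {"switch": h["switch"], "port": m["port"], "kind": kind,
                    "mac": m.groupdict().get("mac")}
    return None


def build_notices(lines, jacks, admins, noc="noc@example.edu"):
    """Map each trigger to its jack and the local admin who owns that building.
    The port stays down until that admin clears it. A port with no jack record
    goes to the NOC for a dispatch instead of to a guessed recipient."""
    notices = []
    for line in lines:
        t = parse_trigger(line)
        if not t:
            continue
        loc = jacks.get((t["switch"], t["port"]))
        if loc is None:
            notices.append({**t, "to": noc, "action": "dispatch",
                            "building": None, "room": None, "jack": None})
            continue
        building, room, jack = loc
        notices.append({**t, "to": admins.get(building, noc), "action": "admin-clears",
                        "building": building, "room": room, "jack": jack})
    return notices


def triggers_per_building(notices):
    """Count triggers per building, to spot the multi-day bursts in one building."""
    return Counter(n["building"] for n in notices if n["building"])


# Constructed sample syslog; the third line is ordinary link noise, not a trigger.
SAMPLE_SYSLOG = [
    "Oct  9 13:02:11 bldg42-sw1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/12.",
    "Oct  9 13:02:40 bldg42-sw1: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
    "GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.",
    "Oct  9 13:03:02 bldg42-sw1: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, "
    "changed state to down",
    "Oct  9 14:10:55 bldg117-sw2: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet2/0/1.",
]
SAMPLE_JACKS = {   # constructed (switch, port) -> (building, room, jack)
    ("bldg42-sw1", "GigabitEthernet1/0/12"): ("Bldg 42", "E507", "E507-3A"),
    ("bldg42-sw1", "GigabitEthernet1/0/7"): ("Bldg 42", "E512", "E512-1B"),
    # bldg117-sw2 port deliberately has no jack record
}
SAMPLE_ADMINS = {"Bldg 42": "netadmin-bldg42@example.edu"}   # constructed

if __name__ == "__main__":
    for n in build_notices(SAMPLE_SYSLOG, SAMPLE_JACKS, SAMPLE_ADMINS):
        print("%-12s -> %s  %s %s/%s jack %s port %s mac %s" % (
            n["kind"], n["to"], n["action"], n["building"], n["room"],
            n["jack"], n["port"], n["mac"]))
    print(dict(triggers_per_building(build_notices(SAMPLE_SYSLOG, SAMPLE_JACKS, SAMPLE_ADMINS))))
```

    The notice carries the room and jack, never a user, which matches what Todd described; the one thing a local admin needs beyond that is the MAC for a port-security violation, so they can tell a moved laptop from a rogue switch. The dispatch path covers the rollout case where CNS sent someone to confirm a trigger.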

    4-4) IFAS has a large number of buildings not currently on the schedule

    Dan Cromer mentioned that IFAS has a large number of buildings which are not on the implementation schedule. Dan would like to know where those belong in the plans. This entails primarily the IFAS Farm Area out in the southwest part of campus. Dan Miller said that this is a specific case of a general problem involving the cost of getting fiber to small buildings. This is a problem which CNS has been discussing. Todd is currently trying to differentiate between the buildings which they can get to and those which they cannot. Dan Cromer is interested in getting the list to his facilities people, saying we need to help do this and that fiber connection of these buildings is our responsibility. Todd hopes to get this information back to Dan by next week.

    4-5) Is wireless connection an option for buildings not on fiber?

    Ty asked if CNS had looked at wireless for connecting out-lying buildings. Todd responded that they use it a little bit, but one of the main problems with that is they don't want to run VoIP service over wireless at this point. Dan Miller clarified that we don't want people to think that their VoIP phone in a wireless-connected building is as reliable as a VoIP phone in a fiber-connected building, especially when CNS goes to extra lengths to assure that there are redundant uplinks and so forth.


    Action Items

    1. Subscribe Dan Miller, ITAC-NI chair, to all other ITAC committee lists for collaboration purposes (still pending from previous meeting).
    2. Update our official membership list (still pending from previous meeting).



    Next Meeting

    The next regular meeting is tentatively scheduled for Thursday, November 13th.


last edited 26 October 2008 by Steve Lasley