
Post on 19-Dec-2015


Technology Update

TSAG Meeting 9/12/02

Announcements: Mandatory Password Changes Coming in October!

(Postponed)

End of BootP (November 1)

DNS Cleanup
Send periodic ICMP ping probes to all DNS entries (8/26-9/13)
Correlate data obtained from probes (9/16-9/19)
Inform TSAG of DNS names to be deleted (9/20)
Purge all defunct DNS names (9/23)

Account Cleanup: Collecting information from you.
Number of Accounts: 41,338
Number of Faculty/Staff: ~ 3,000
Number of Students: ~30,000 (~ 8K ???)

Training For TSAG Members

Big Picture:
Provide XP training to TSAG members
Prepare for the TSAG recommended wide-spread deployment of XP
First training session in an envisioned series

First training session cancelled: lack of participation (9/16 – 9/20)

Second training session in jeopardy! Tentative date: 10/14 – 10/18

Coordinate with Chris Sales.

Network Access Control: Recent Changes to Inbound Traffic:

Port-based blocking:
0-512 with exceptions (ftp, ssh, telnet, http/s)
Mail related ports except to identified mail servers
Printer-related, X1, and service location related

Subnet blocking: 108 – 111 (Education Building)


Application of Subnet Blocking

Proposed Edge ACL Changes

Block all inbound ports in the range: 513-1024
Block all inbound connections on subnets: ???
Target date: October 4

Next step: Block all inbound connections to non Internet Servers

Internet Server: A server that provides one or more services to individuals off campus.

We need information on Internet Servers!
Target date: ? January 2003 ?
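The inbound rules listed under "Recent Changes to Inbound Traffic" and the proposed 513-1024 block can be modelled to see which flows that are permitted today would be cut off by the proposal. This is an added example, not code from the presentation; the campus prefix, mail server address, mail/printer/service-location port lists and sample flows are constructed assumptions, the subnet numbers are read as the third octet of the address, and the "X1" entry is not modelled.

```python
import ipaddress

# Everything below except the port ranges, the named exceptions and the
# 108-111 subnet numbers is an assumption made for this example.
CAMPUS = ipaddress.ip_network("10.20.0.0/16")          # constructed placeholder prefix
MAIL_SERVERS = {ipaddress.ip_address("10.20.5.25")}    # constructed "identified mail server"
MAIL_PORTS = {25, 110, 143, 993, 995}                  # assumed "mail related ports"
PRINT_SLP_PORTS = {427, 515, 631, 9100}                # assumed printer / service location ports
LOW_PORT_EXCEPTIONS = {20, 21, 22, 23, 80, 443}        # ftp, ssh, telnet, http/s
BLOCKED_SUBNETS = range(108, 112)                      # "108 - 111", read as third octet


def inbound_allowed(dst, port, proposed=False):
    """Return (allowed, reason) for an inbound connection to dst:port."""
    ip = ipaddress.ip_address(dst)
    if ip not in CAMPUS:
        raise ValueError(f"{dst} is not a campus address")
    if ip.packed[2] in BLOCKED_SUBNETS:
        return False, "subnet block"
    if port in MAIL_PORTS:
        if ip in MAIL_SERVERS:
            return True, "identified mail server"
        return False, "mail port to non-mail host"
    if port in PRINT_SLP_PORTS:
        return False, "printer / service location port"
    if port in LOW_PORT_EXCEPTIONS:
        return True, "low-port exception"
    top = 1024 if proposed else 512        # proposal extends the block to 513-1024
    if 0 <= port <= top:
        return False, f"port range 0-{top}"
    return True, "no block rule matched"


def newly_blocked(flows):
    """Flows permitted today that the proposed 513-1024 block would cut off."""
    return [(dst, port) for dst, port in flows
            if inbound_allowed(dst, port)[0]
            and not inbound_allowed(dst, port, proposed=True)[0]]


# Constructed sample of observed inbound flows (destination, port).
SAMPLE_FLOWS = [("10.20.7.10", 22), ("10.20.7.10", 873), ("10.20.5.25", 993),
                ("10.20.7.10", 636), ("10.20.109.4", 80), ("10.20.7.10", 8080)]

if __name__ == "__main__":
    for dst, port in newly_blocked(SAMPLE_FLOWS):
        print(f"would lose inbound access: {dst}:{port}")
```

Running a unit's real flow records through `newly_blocked` before the target date gives the list of services that need either an exception or a move behind the VPN.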

Preparing for an IDS

From the May TSAG
Examine “services” provided (by each unit)
Determine general philosophy for Access Control
Define typical traffic patterns
Block all unwanted traffic
Monitor traffic for abnormal behavior

I.e., we need to understand the services we provide to our constituents.

Dragon Intrusion Detection System
IDS: Real-time detection, reporting, and termination of unauthorized network activity
Problem: We need to know which traffic is authorized or unauthorized based upon your unit's needs.

Current Status of System

Virtual Private Networking

Preproduction Service Installed: Cisco Systems VPN 3060
Network Address: vpn.csun.edu

Clients Available for:
Windows (95-XP)
Macintosh System 10.1
Solaris
Linux (Intel)

Works with the campus directory!
http://www.csun.edu/helpdesk/vpn

What does the VPN do?

Encrypted Traffic:

Secure Services Provided via VPN
Examples of uses:
Create secure wireless connections on campus
Gain more complete secure access to the campus network over wireless
Create secure connections to the campus network from home
Full, secure use of your campus Email using POP or IMAP client from your home computer
Share on campus files securely with your home computer

More to be added?

Bypassing x1400 (For TSAG Members Only)
To provide better support to technically savvy individuals, the Campus Helpdesk and ITR techs will be monitoring an IRC chat room.

Server Name: irc.csun.edu
Chat Room: #helpdesk
Software Clients:
xchat: http://xchat.org
mIRC: http://www.mirc.com

Status of System: Experimental!

Mail Migration Update

Recap:
>41K users migrated (1 user took 11 hours)
>160 GB of data migrated (Quotas are NEEDED!)
Planned 4 day activity 11 day activity

End-user Problems: (2172 helpdesk calls)

85% Desktop Issues

12% Mail aliases

(steve@csun.edu, steven.fitzgerald@csun.edu)

3% Duplicate e-mail for POP users

Directory Lookup for Email Aliases

$ ssh csun1.csun.edu
$ ldapsearch -h dir.csun.edu -b o=csun uid=steve
dn: uid=steve, ou=People, ou=Auth, o=CSUN
uid: steve
mail: steve@csun.edu
mailLocalAddress: steven.fitzgerald@csun.edu
mailLocalAddress: steve.fitzgerald@csun.edu
mailhost: petrel.csun.edu
mailRoutingAddress: steve

POP / Duplication Issue

POP users indicated receiving multiple copies of mail each time they POPed

I recommended:

Configure POP without save on server option

This is a Red Herring!

Feel free to configure POP as you see fit.

Mail and Calendaring: Next Step

More aggressive SPAM filtering

SSL/TLS support

SMTP auth support

SMTP auth requirement

TSAG committee to evaluate: “Support Issues for Campus Calendaring System”

Contact: David Sorkin
