MAJOR EDITS 9:35PM, 09-02-2010
Jim Franceschelli posted an update to the university community regarding the newest round of updates that will be coming to campus computers from Information Resources (IR; website). Here is a brief summary of how this will affect faculty and staff at the university.
0) This is the first apparent step (from the faculty point of view) of the more virtualized, transparent interaction between faculty machines and the campus network. While it may not appear so from our point of view, it makes the organization much cleaner on the server-side, i.e., the network administration becomes simpler and less complex, compartmentalizing the network by user type. This is coming right off the heels of a major network rebuild by IR, which means fewer network down times, and shorter network outages (which is a very good thing).
1) Previously, faculty computers did not need to “authenticate” to get access to the university network. This means that any computer plugged into a wall port that was designed for faculty use was allowed full access to the faculty network. This was then controlled on a port-by-port basis: Any computer plugged into the port in your office was connected to the faculty network, regardless of who the computer actually belonged to. And, if you plugged your computer into a port normally relegated for student use, you were relegated to the student network space, which left you unable to access certain network resources (departmental printers, for example). With the recent upgrades to the campus network, each network port now has the ability to be assigned to any virtual network. This means that, when you plug in your computer, you can be assigned to any of the on-campus networks (wireless, student, faculty, staff, dining services, etc., all have their own designated “network space”). Thus, instead of making the decision as to what network you belong to based on where you are connecting your computer, the decision as to what network you belong to is based on who you are and what community you are a part of (e.g., administration, faculty, dining services, etc.). So… where does this new update fit into the whole scheme?
2) The key in the previous point is that your digital identity is now the factor in deciding what network resources you have access to. Over and above that, for security purposes, IR would really like to allow you access to those resources, making sure that you are the one using it, not someone else who has somehow managed to get onto your computer. At the present time, there is no additional level of authentication, i.e., anyone using your computer looks like you. The first and foremost reason for requiring you to install Cisco Network Admission Control is to make sure that the only person accessing your network resources is you. Thus, this piece of software will require you to log in with your my.scranton username and password (which no one else other than you knows anyway, right?). But what about this “up to date packages” part of it all? Well…
3) As we said, this is the first apparent step in the upgrade of our campus network. With the installation of Cisco Network Admission Control, not only does it allow you to authenticate* to the network, this software has some additional advantages over a simple password-only based authentication. Cisco Network Admission Control, when running, has the ability to look at your critical software components (e.g., windows system files, web-browser updates, critical system patches, etc.) and make sure that no identified security vulnerabilities are present. This is not currently implemented into the installation configuration. It will be implemented in the near future (there is a possibility for an October timeline, but this is still in flux), with the added benefit of eventually prompting and directing you through the install of these critical software updates (eventually even doing so automatically) and patches to make sure your computer is safe, protected, and able to get onto the internet.** So where do you fit into the picture?
4) In order to implement this level of security, you will need to have Cisco Network Admission Control installed on your computer. Starting on 09/08/2010 in the first and second floor, west wing of St. Thomas (and following the schedule posted here), IR will be converting the behind-the-scenes infrastructure such that you will not be able to log on to the campus network without Cisco Network Admission Control installed! Once they have implemented this change, your internet browser will alert you of the required software and will (painlessly) step you through the installation procedure to install Cisco Network Admission Control on your machine. You will then be able to log in with your my.scranton username and password*** and continue to access the campus network and the world wide web at your leisure! So… what comes next?
5) As the behind-the-scenes updates from IR progress, you will be periodically required to re-authenticate to the network. This will simply provide some additional security, and allow Cisco Network Admission Control to periodically make sure everything is still A-OK on your computer, look for any flaws or critical system components that have been compromised or are in need of updating, and, eventually, even perform those updates for you! This exciting feature is coming soon to a computer near you!
Please see the below post e-mailed to the faculty today. If you have any questions or comments, please post them below. You can also join the discussion at tag-discussion@royallists.scranton.edu (see this post for instructions on how to sign up!).
* By “authenticate”, I mean “be recognized by”. This is just like showing an ID badge, swiping your Royal Card, or typing in your password at an online shopping site. You are proving your authenticity to the program, and it is allowing you access to whatever resources you are requesting, provided you have met all of its criteria.
** The extra time spent installing the updates is far shorter than the time it takes to fix your computer if it becomes infected with a virus. Currently, it takes nearly 3 full days of analysis whenever a computer is infected by a virus to make sure that no restricted information was passed to an outside source. This is a much more detailed and rigorous process than most are aware of, stemming from federal regulations regarding privacy laws. Hopefully we can post something about this is a future blog entry.
*** The login information for your computer will not change! Thus, your preferred username and password needed to start windows will not change. This will only affect your ability to access network resources (i.e., software not directly installed on your machine).
To All University of Scranton Faculty and Staff:
The University of Scranton provides our campus community with a robust environment consisting of over 2,000 desktop and laptop machines. Managing and ensuring the security of these machines has become increasingly challenging. In order to improve our services to you and increase our information security posture, we will be making changes to the way that desktop systems look and how they operate. Upcoming changes include a move to Internet Explorer 8.0 for using services found @scranton.edu sites, use of Firefox as the default internet browser, automation of additional third party application updates, a change in our anti-virus protection, and the deployment of Windows 7.
The next change that you will experience starting on September 7th is the deployment of the Cisco Network Access Control (CNAC) system for all computers connecting to the University network. This system will require end-users to go through a process similar to the one currently used to connect to the wireless network (RoyalAir); meaning that you will be required to authenticate — enter your username and password — before gaining access to the network. The CNAC system will help us to validate that only individuals who should have access to our network resources will have access and, eventually, will help us to monitor the “health” (up-to-date patches, operating systems, etc) of the desktops that are connecting to our network. Collectively, this will insure a more robust and secure electronic working environment for all of us.
The implementation of CNAC will begin on September 7th and is expected to take 30 days for campus wide implementation. The implementation will occur in small network segments that are grouped by building and by floor. Network changes will be made overnight and users of the segment will notice the change the following morning. To assist end-users, information about the planned schedule for deployment can be found at www.scranton.edu/CNAC-Deployment . IT Services staff will be available and located in each of the affected areas as we work our way across campus.
We appreciate your patience and understanding as we continue to improve. If you have any questions or concerns, please contact the Technology Support Center at 941-Help or at Techsupport@scranton.edu
Special thanks to Jim Franceschelli and Tony Maszeroski for their help in writing and correcting the above tutorial.
The CNAC Deployment website has a Q&A page that has some more information about what’s going to be happening — http://matrix.scranton.edu/pir/cnac/qanda.shtml.
My only concern about the email announcement from Jim is the statement about our “default browser” now being Firefox. While I understand the change for many faculty who aren’t partial to one specific browser, some of us are… I use Chrome as my default. I guess I’m commenting here to register my hope that this will not be a locked-down default (which we can’t change if we choose), but just a recommendation for those who are indifferent to which browser they use.
Hi Donna,
The important aspect is that you use a browser other than Internet Explorer as the default browser. IE continues to be the most targeted browser for malware and virus attacks. Using an alternative (such as firefox or chrome) is safer. Our user community has firefox installed and many are currently using it.
Hi Jim,
Thanks for the response! That makes sense, and I’m grateful for the flexibility, as long as we avoid IE. I haven’t used IE for years, except for one set of reports I have to run monthly. I’ll be sure to download the IE8 update before I run those reports next. Thanks for the quick feedback!
–Donna
[…] about the new network authentication (aka CNAC deployment) that will be taking place. See Jeremy’s post on this for all the […]
[…] Library was the last building on the CNAC Deployment schedule – and we’re hitting a few rough spots today after this morning’s […]
[…] IT services sent out another CNAC update today. What’s CNAC, you ask? Take a look at Jeremy’s monster explanation from back in September. […]
[…] Click here for a detailed discussion of the new CNAC security procedures. […]
[…] What’s CNAC? Click here for more than you ever wanted to know – Jeremy’s explanation. […]