CNAC Upgrade on the way

25 01 2011

IR posted a note to Royal News about an upgrade to CNAC (emphasis ours):

Cisco Network Access Control (CNAC) will be upgraded to the latest version on Tuesday, Jan. 25, between 10 – 11 p.m. Downtime should be approximately five (5) minutes. The next time you authenticate your computer in CNAC you will be prompted to install a new Cisco NAC Agent. If you have any questions or problems, please contact the Technology Support Center at 941-HELP or techsupport@scranton.edu.


What’s CNAC? Click here for more than you ever wanted to know – Jeremy’s explanation.





CNAC Reauthentication

6 01 2011

On January 12th, and regularly on the second Wednesday of every month, IT Services is going to require all faculty and staff to enter their username and password (as you would if you were to log on to my.scranton) in order to get internet access. This allows IT to ensure that your computer has the most up to date security software and protection.

On January 6th, faculty and staff received the following e-mail from IT Services:

As part of Information Resources’ continuing effort to enhance our services and increase our information security posture, the Cisco Network Access Control (CNAC) will require individuals to re-authenticate to gain network access on a monthly basis.

On Wednesday, January 12th all end-users should expect to enter their University username and password into the CNAC agent before gaining access to any network resources. This process will allow us to continually assess the validity and health of our computing environment. The CNAC re-authentication process will routinely occur on the second Wednesday of each month.

Thank you for your patience and understanding as we implement these changes. If you have any questions or concerns, please contact the Technology Support Center at 570-941-HELP or at techsupport@scranton.edu.

Click here for more information on CNAC authentication.

Click here for a detailed discussion of the new CNAC security procedures.





CNAC Reminder… and Brown Bag Postponement

9 11 2010

Just a reminder that we’ll all have to log in to Cisco NAC Agent tomorrow morning in order to be able to access the University network.

Also, the Provost’s office is trying to reschedule this week’s Brown Bag on the CMS.  It seemed like this Thursday wasn’t a good time for most people. We’ll keep you updated on any new dates and times.





CNAC Update

3 11 2010

IT Services sent out another CNAC update today. What’s CNAC, you ask? Take a look at Jeremy’s monster explanation from back in September.

Bottom line of this latest update is that anyone using a University-owned desktop computer will have to log in to CNAC again next Wednesday (11/10) and then monthly after that to use the University network.

Here’s the full text:

In a continuing effort to enhance our services and increase our information security posture, Information Resources will be implementing changes to the Cisco Network Access Control (CNAC) system. The CNAC system, which was recently deployed campus-wide to Staff and Faculty machines, helps us validate that only authorized users are able to access network resources (Banner, Internet, etc). Additionally, CNAC will help us monitor the “health” (up-to-date patches, operating systems, etc) of the desktops that are connecting to our network.

During the deployment of CNAC, end-users were prompted by the CNAC agent to enter their University username and password once, thereafter allowing them to gain access to network resources. All end-users will be required to re-authenticate to the network via the CNAC client on a monthly basis. This will initially occur on Wednesday, November 10th. End-users should expect to enter their University username and password into the CNAC agent before gaining access to network resources. This process will allow us to continually assess the validity and health of our computing environment.  The CNAC re-authentication process will routinely occur on the second Wednesday of each month beginning in January 2011.

Additional information can be found in the announcements section of the my.scranton portal. We thank you for your patience and understanding as we implement these changes. If you have any questions or concerns, please contact the Technology Support Center at 570-941-HELP or at techsupport@scranton.edu.


————

Note: Updated for clarification at 3pm 11/3/10.





More IT Forum updates

19 10 2010

I’ll post the slides from today’s IT Forum when they’re available, but in the meantime here’s what I thought was the most important news from Jim Franceschelli’s talk on “Desktops of the Future”:

  • Windows 7 will be rolling out around November, since Windows XP Extended Support is ending.  IR computers will get the rollout first (probably this month).
  • IR will be setting up standard user accounts on University-owned computers.  These user accounts will limit what applications users can install, in order to make the campus more secure.  MOST applications will be blocked, but some whitelisted applications (e.g., iTunes) will be allowed.  This has me a little concerned – it seems like an area where we’ll need a lot of communication between IR and faculty to make sure that faculty can download and install the applications they need on their desktops.
  • IR will also soon be rolling out Active Directory, a tool that will sync your Windows account, so that you’ll be able to access mapped drives, etc., from any computer on campus.
  • IR is encouraging everyone to delete any personally identifiable information (PII) from their computers.  A tool called Identity Finder will be rolled out soon that will try to locate what it thinks is PII on your desktop and then give you the option to delete or encrypt it.
  • Remote desktop assistance will be available soon – this will allow IR staff members to remotely connect to your system, making repairs faster and making the TSC more efficient.
  • The University is heading towards a virtual desktop environment (where all data is stored on Royal Drive and access to your “desktop” is via a thin client on a terminal).  IR already has the thin client and will be testing it later this month.  The current plan is to set up a prototype lab in January to be tested by users in Spring 2011.




CNAC Deployment Feedback?

8 10 2010

The Library was the last building on the CNAC Deployment schedule – and we’re hitting a few rough spots today after this morning’s rollout.  How did the deployment go for everyone else? Any issues that the TSC hasn’t been able to resolve?





Peer to Peer File Sharing

8 09 2010

Jerry DeSanto just e-mailed the entire university community about regulation and rules regarding peer-to-peer file sharing.

September 2010
Members of the University Community:
Greetings from the Planning and Information Resources Division — We have been hard at work during the summer months making improvements to the classrooms and computer labs, data center, enterprise applications and related services used to conduct the work of our campus community. Our technology infrastructure allows us to share resources and collaborate with each other and colleagues around the world in numerous, productive ways. I want to remind you that, while using the University’s technology resources, we have all agreed to abide by the Code of Responsible Computing and Student Computing Policy.
On July 1, 2010, final regulations from the federal government specific to the use of peer-to-peer (P2P) file sharing applications within colleges and universities took effect. Peer-to-peer file sharing is widely used to exchange files, most commonly music and video; however, the unauthorized distribution of copyrighted material may subject the individuals involved to civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or “statutory” damages affixed at not less than $750 and not more than $30,000 per work infringed. For “willful” infringement, a court may award up to $150,000 per work infringed. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. Colleges and universities can be required to identify offenders within their network(s); The University of Scranton will comply with any court orders it may receive.
The University limits the amount of bandwidth allotted to peer-to-peer applications in order to ensure the availability and integrity of our network and services. In addition, we prohibit the use of those aggressive peer-to-peer applications that utilize excessive network resources or are known to carry mostly illegal content. As stated in the University’s Copyright Compliance and Peer-to-Peer File Sharing Policy, individuals who are in violation of policy will be subject to disciplinary action, which may range from written warnings, fines, counseling, and/or suspension of network access. If you have any questions about this please contact the Technology Support Center at 941-HELP (x4357).
Best wishes for a very rewarding academic year.

Sincerely,
Jerome P. DeSanto
Vice President for Planning and CIO


Jerome P. DeSanto
Vice President for Planning and Chief Information Officer
Ph: 570-941-6185
Fx: 570-941-7899
The University of Scranton
Jerome.DeSanto@scranton.edu
www.scranton.edu





Software updates and access control (and a tutorial on the network structure of the University)

2 09 2010

MAJOR EDITS 9:35PM, 09-02-2010

Jim Franceschelli posted an update to the university community regarding the newest round of updates that will be coming to campus computers from Information Resources (IR; website). Here is a brief summary of how this will affect faculty and staff at the university.

0) This is the first step visible from the faculty point of view of a more virtualized, transparent interaction between faculty machines and the campus network. While it may not appear so from our side, it makes the organization much cleaner on the server side: network administration becomes simpler because the network is compartmentalized by user type. This comes right on the heels of a major network rebuild by IR, which means fewer network outages, and shorter ones when they do occur (which is a very good thing).

1) Previously, faculty computers did not need to “authenticate” to get access to the university network. Any computer plugged into a wall port designated for faculty use was given full access to the faculty network. Access was therefore controlled port by port: any computer plugged into the port in your office joined the faculty network, regardless of who the computer actually belonged to, and if you plugged your computer into a port normally reserved for student use, you landed in the student network space and could not reach certain network resources (departmental printers, for example). With the recent upgrades to the campus network, each network port can now be assigned to any virtual network. This means that, when you plug in your computer, you can be placed on any of the on-campus networks (wireless, student, faculty, staff, dining services, etc. each have their own designated “network space”). Thus, instead of deciding which network you belong to based on where you connect your computer, the decision is based on who you are and which community you are a part of (e.g., administration, faculty, dining services, etc.). So… where does this new update fit into the whole scheme?

2) The key point above is that your digital identity now decides which network resources you have access to. Beyond that, for security purposes, IR wants to grant you access to those resources only after making sure that you are the one using them, not someone else who has somehow gotten onto your computer. At present there is no additional level of authentication, i.e., anyone using your computer looks like you. The first and foremost reason for requiring you to install Cisco Network Admission Control is to make sure that the only person accessing your network resources is you. Thus, this piece of software will require you to log in with your my.scranton username and password (which no one other than you knows anyway, right?). But what about this “up to date packages” part of it all? Well…

3) As we said, this is the first visible step in the upgrade of our campus network. Cisco Network Admission Control not only allows you to authenticate* to the network; it also has advantages over simple password-only authentication. When running, it can inspect your critical software components (e.g., Windows system files, web-browser updates, critical system patches, etc.) and make sure that no known security vulnerabilities are present. This check is not currently enabled in the deployed configuration. It will be enabled in the near future (possibly on an October timeline, but this is still in flux), with the added benefit of eventually prompting and guiding you through the installation of these critical software updates and patches (eventually even doing so automatically) to make sure your computer is safe, protected, and able to get onto the internet.** So where do you fit into the picture?

4) In order to implement this level of security, you will need to have Cisco Network Admission Control installed on your computer. Starting on 09/08/2010 in the first and second floor, west wing of St. Thomas (and following the schedule posted here), IR will be converting the behind-the-scenes infrastructure such that you will not be able to log on to the campus network without Cisco Network Admission Control installed! Once they have implemented this change, your internet browser will alert you of the required software and will (painlessly) step you through the installation procedure to install Cisco Network Admission Control on your machine. You will then be able to log in with your my.scranton username and password*** and continue to access the campus network and the world wide web at your leisure! So… what comes next?

5) As the behind-the-scenes updates from IR progress, you will be periodically required to re-authenticate to the network. This will simply provide some additional security, and allow Cisco Network Admission Control to periodically make sure everything is still A-OK on your computer, look for any flaws or critical system components that have been compromised or are in need of updating, and, eventually, even perform those updates for you! This exciting feature is coming soon to a computer near you!

Please see the post below, e-mailed to the faculty today. If you have any questions or comments, please post them below. You can also join the discussion at tag-discussion@royallists.scranton.edu (see this post for instructions on how to sign up!).

* By “authenticate”, I mean “be recognized by”. This is just like showing an ID badge, swiping your Royal Card, or typing in your password at an online shopping site. You are proving your authenticity to the program, and it is allowing you access to whatever resources you are requesting, provided you have met all of its criteria.

** The extra time spent installing the updates is far shorter than the time it takes to fix your computer if it becomes infected with a virus. Currently, it takes nearly 3 full days of analysis whenever a computer is infected by a virus to make sure that no restricted information was passed to an outside source. This is a much more detailed and rigorous process than most are aware of, stemming from federal regulations regarding privacy laws. Hopefully we can post something about this in a future blog entry.

*** The login information for your computer will not change! Thus, your preferred username and password needed to start Windows will not change. This will only affect your ability to access network resources (i.e., software not directly installed on your machine).
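As an added illustration (not part of the original post, and not Cisco's own logic), here is a small Python model of the admission decision the tutorial describes: the network space is chosen from the authenticated identity's community rather than from the wall port, a posture check against required patches can hold a machine back for remediation once that check is enabled, and re-authentication falls due on the second Wednesday of each month. Role names, network labels and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed mapping from community to network space; per the post, the
# decision is now based on who you are, not on which wall port you use.
ROLE_NETWORK = {
    "faculty": "faculty-net",
    "staff": "staff-net",
    "student": "student-net",
    "dining": "dining-net",
}

# Hypothetical patches the posture check requires (placeholder names).
REQUIRED_PATCHES = frozenset({"PATCH-CRITICAL-01", "PATCH-CRITICAL-02"})


@dataclass
class Endpoint:
    username: str
    role: str
    installed_patches: frozenset
    agent_installed: bool = True


def second_wednesday(year: int, month: int) -> date:
    """Date of the second Wednesday of the month (weekday 2 = Wednesday)."""
    first = date(year, month, 1)
    first_wed = first + timedelta(days=(2 - first.weekday()) % 7)
    return first_wed + timedelta(days=7)


def reauth_required(last_auth: date, today: date) -> bool:
    """True if a second-Wednesday re-authentication date fell after the last
    successful login and on or before today."""
    year, month = last_auth.year, last_auth.month
    while (year, month) <= (today.year, today.month):
        if last_auth < second_wednesday(year, month) <= today:
            return True
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return False


def admit(endpoint: Endpoint, password_ok: bool, posture_enforced: bool):
    """Decide what the endpoint gets. Returns (verdict, detail).

    verdict: 'install-agent' (browser steps the user through the agent
             install), 'denied' (bad credentials), 'quarantine' (missing
             patches listed in detail), or 'admit' with the network space.
    """
    if not endpoint.agent_installed:
        return "install-agent", None
    if not password_ok:
        return "denied", None
    if posture_enforced:
        missing = sorted(REQUIRED_PATCHES - endpoint.installed_patches)
        if missing:
            return "quarantine", missing
    return "admit", ROLE_NETWORK.get(endpoint.role, "guest-net")
```

With `posture_enforced=False` the model matches the initial rollout described above (identity only); flipping it to `True` models the later health check.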

To All University of Scranton Faculty and Staff:

The University of Scranton provides our campus community with a robust environment consisting of over 2,000 desktop and laptop machines. Managing and ensuring the security of these machines has become increasingly challenging. In order to improve our services to you and increase our information security posture, we will be making changes to the way that desktop systems look and how they operate. Upcoming changes include a move to Internet Explorer 8.0 for using services found @scranton.edu sites, use of Firefox as the default internet browser, automation of additional third party application updates, a change in our anti-virus protection, and the deployment of Windows 7.

The next change that you will experience starting on September 7th is the deployment of the Cisco Network Access Control (CNAC) system for all computers connecting to the University network. This system will require end-users to go through a process similar to the one currently used to connect to the wireless network (RoyalAir); meaning that you will be required to authenticate — enter your username and password — before gaining access to the network. The CNAC system will help us to validate that only individuals who should have access to our network resources will have access and, eventually, will help us to monitor the “health” (up-to-date patches, operating systems, etc) of the desktops that are connecting to our network. Collectively, this will insure a more robust and secure electronic working environment for all of us.

The implementation of CNAC will begin on September 7th and is expected to take 30 days for campus wide implementation. The implementation will occur in small network segments that are grouped by building and by floor. Network changes will be made overnight and users of the segment will notice the change the following morning. To assist end-users, information about the planned schedule for deployment can be found at www.scranton.edu/CNAC-Deployment. IT Services staff will be available and located in each of the affected areas as we work our way across campus.

We appreciate your patience and understanding as we continue to improve. If you have any questions or concerns, please contact the Technology Support Center at 941-Help or at Techsupport@scranton.edu.

Special thanks to Jim Franceschelli and Tony Maszeroski for their help in writing and correcting the above tutorial.





Campus Network Outage

24 08 2010

Some of the on-campus network seems to be down. matrix.scranton.edu is accessible, but royaldrive and my.scranton.edu are not. This is affecting the authentication system as well, so logging on to the computers with your scranton ID may not be possible. Access to off-campus websites is unaffected. I have been told that the Help Desk is aware of this situation, but no further information is available at this time. Anyone with additional info, please pass it along.

UPDATE 1:00PM: Everything seems to be back working. royaldrive, e-mail, and my.scranton all seem to be accessible.