Information Technology News Archive

1996 - 2017

Network Security

Enhancing UCI’s Internet Firewall through “Server Registration”

October 5, 2008 by Isaac Straley

In September 2007, NACS changed the configuration of the campus network to improve security.  UCI’s Internet firewall (a device that controls off-campus access to UCI computers) now denies inbound connections except the ones that have been approved in advance by faculty and staff. This protects most campus systems from unauthorized access while preserving off-campus connectivity wherever it is needed.

Directing Network Traffic

The process of authorizing specific off-campus connections is called “server registration” although it is not limited to servers in the traditional sense. If you own or manage a computer that needs to accept network connections from off campus, you can define what kinds of access are needed using a Web-based form. You can then manage all the machines you are responsible for, using a set of online tools.  Please check with your local support, because some units coordinate server registration on behalf of users.

Registration offers a simplified configuration process for common situations, such as remote access — secure shell (SSH) or Microsoft Remote Desktop — or systems that really are servers and are already protected by firewalls. If you manage a large number of systems, you can register them as a group by email request to security@uci.edu.

Since server registration was implemented last September, 4.5 billion unauthorized probes from off campus have been blocked, or roughly 12 million per day.

A more complete description of this service and how to use it can be found on the server registration web page.

Filed Under: Network Security Tagged With: Network Security, Server Registration

Off-Campus Network Access

May 14, 2004 by Dana Roode

Many faculty and staff have a need to access UCInet and other network resources from off campus, in particular, scholarly resources licensed by the UCI Libraries and available only to systems which are part of UCInet.

NACS has developed and supports three different ways of connecting to UCInet from off campus:

  1. the lifeline modem pool
  2. the proxy server
  3. the virtual private network (VPN) device.

Modem Pool
The first such service deployed was the “lifeline modem pool.” This is, as the name implies, the resource of last resort. Bandwidth (data throughput) is limited, compared to cable modem or DSL, and there are limits on the amount of time you are allowed to use the service. The advantage is that it can be used from any telephone line in the world (if you are willing to accept long-distance charges).

Proxy Server
The proxy server is a collaborative effort between NACS and the UCI Libraries. Users of the proxy server make web requests as if from on campus, regardless of how they connect to the Internet. However, this service is sometimes slow depending on the number of users simultaneously working through it.

VPN
An alternative to using the proxy server is to use the NACS Virtual Private Network, or “VPN”.

The advantage that the VPN has over the proxy server is that it opens up ALL network resources that require a UCI network address, while the proxy server only addresses Web-based applications. It may also be faster. Finally, the VPN offers a secure connection to campus from outside, commercial, and wireless networks, which are inherently insecure.

It is expected that proxy server and lifeline modem pool users will migrate to the VPN as the preferred way of connecting with campus services which are restricted to UCI address space.

Because the proxy server requires manually encoding each site which is restricted to UCI affiliates, it is difficult to maintain, and it is intended that this service be phased out over the next year.

For more information, please consult the following web pages.

Lifeline modem pool: http://www.nacs.uci.edu/network/modem/
NACS Proxy Server: http://www.nacs.uci.edu/network/proxy/
NACS VPN Information: http://www.nacs.uci.edu/security/vpn.html

Filed Under: Network, Network Security Tagged With: Network, Off-Campus

Alternative to Proxy Service

April 23, 2004 by Dana Roode

UCI faculty, staff, and students have access to a number of restricted online resources — most notably those licensed by the UCI libraries — such as Scifinder Scholar.

Because these resources are licensed specifically to members of the UCI community, however, access to them is normally limited to systems on the UCI network.

Users, however, sometimes need legitimate access to these resources from off-campus as well. NACS currently offers two services that enable such off-campus access. The proxy service was created a number of years ago, and has been jointly maintained with the UCI libraries. More recently, NACS introduced the Virtual Private Network (VPN) service, offering additional functionality and improved performance.

Using the VPN is easy. Just download the appropriate client from the web address listed below, enter your UCInetID and password, and you are on your way. With the VPN in place, your laptop or home computer is treated as though it were right here at UCI, with all the privileges and access that implies.

Because the VPN is so powerful, flexible, and easy to use, the proxy service will be phased out in favor of the VPN over the coming year. NACS continues to monitor the performance of both services, and has recently performed an upgrade on the proxy server hardware to allow it to keep up with the demand as we help users transition to the VPN.

For more information, please consult the following web pages.

  • NACS VPN Information: http://www.nacs.uci.edu/security/vpn.html
  • NACS Proxy Server: http://www.nacs.uci.edu/network/proxy/

Filed Under: Network Security Tagged With: Proxy Server, VPN

Windows Security

July 11, 2003 by Dana Roode

A recently announced security problem in Windows will not be fixed for users of Windows NT.

Microsoft has issued a security warning for Windows NT 4.0, Windows 2000 and Windows XP systems. Bulletin MS03-010, dated 26 March 2002, states that this vulnerability could be used by “an attacker … [to] cause the target machine to fail.”

Microsoft does not plan to provide a fix for it on Windows NT 4.0, which is still being used by various departments at UCI. Microsoft says that they have, “extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.”

So, what’s an NT user to do? Microsoft itself recommends placing such systems behind a “firewall which is filtering traffic on Port 135.” Fortunately, NACS has been running a port blockade on this port since November 5, 2002 (more information on the port blockades). This blockade restricts all off-campus systems and Residential Housing computers from sending traffic to these ports on campus.

While this keeps UCI users of Windows NT safe from outside attempts to exploit this weakness, it is prudent for departments to develop a migration strategy away from NT, as Microsoft no longer supports NT nor promises to develop security patches as vulnerabilities are discovered.

Filed Under: Network Security, Windows Tagged With: Network Security, Windows

Computer Security Tips

June 13, 2003 by Dana Roode

Here are some simple steps each computer owner can take to protect computer systems and data at UCI.

Abide by Departmental Security Standards:

  • Check with your local computing supporter to be sure you are using departmentally approved network settings, security tools, and network services.

Physical Security for Computer Users:

  • Lock your office.
  • Put diskettes and CDs in a locked box.
  • Secure computers (especially laptops) to a non-movable piece of furniture or lock them in a drawer when not in use.
  • Never leave your laptop unattended in public places.

Remote Access:

  • Tools such as PC Anywhere expose your computer to additional security vulnerabilities and are not recommended.
  • Some users can get the remote access functionality they need through the use of the campus Virtual Private Network (VPN).
  • Users who require the facilities of Microsoft Networking are encouraged to use Microsoft Remote Desktop (called Terminal Server in Windows 2000).

More information: http://www.nacs.uci.edu/news/2003.1.html#1

Don’t run unneeded network services:

  • It is important to turn off all non-required ports on your system.
  • Don’t run a Web server which is built-in unless you have a need to do so.
  • To see what is open on your system run the “Shields Up” program at https://grc.com/x/ne.dll?bh0bkyd2 then click on “Test My Shields” and “Probe My Ports”.

Personal Virus Scanners:

  • Obtain updates on a regular basis.
  • Keep subscription to updates current.
  • Set to Auto-update on a weekly basis, if available.

Please note: NACS continues to scan incoming e-mail for viruses and cleans up infected messages. This protection is available only to messages sent to @uci.edu addresses. (That is, people who receive email addressed directly to their own mail servers do not receive this benefit.)

More information on Virus Scanning: http://www.nacs.uci.edu/email/virus-scanning.html

Encrypt network traffic:

  • VPN – When using network resources and applications where a password is requested, NACS recommends use of the VPN. Off-campus and wireless traffic is especially vulnerable to “sniffing,” the practice of invisibly capturing, reading, and retransmitting network traffic.
    More information: http://www.nacs.uci.edu/news/2002.10.html#1
  • SSH – Secure shell (ssh) is an encrypted alternative to telnet and remote shell (rsh), wherein each packet is encrypted from the source to the destination. This prevents your communications (including passwords) from being “sniffed” while in transit. Using SSH ensures that your data packets are only readable by you and the computer to which you are connecting.
    More information: http://www.nacs.uci.edu/support/sysadmin/ssh_info.html

IM Chat:

  • IM Chat (also known as Instant Messaging) is a popular, but non-secure form of electronic communication.
  • Turn off all Terminal Services.
  • Turn off all File Sharing.
  • Check the settings in your Buddy List.

Filed Under: Network Security Tagged With: Chat, Network Security, Virus
