Present: Mark Aldenderfer, Arlene Allen, Jerry Baltes, Polly Bustillos, Larry Carver, Chris Dempsey, Bill Doering, George Gregg, Bill Koseluk, Tom Marazita, Alan Moses, Joan Murdoch, Larry Murdock, Stan Nicholson, Dan Ringwald, Glenn Schiferl, Kevin Schmidt, Deborah Scott, Jan Smith, Chris Sneathen, Jamie Sonsini, Chas Thompson, Paul Valenzuela, Paul Weakliem, Craig Welsh
George Gregg brought up his frustration that, day after day, campus hosts continue to be reported vulnerable to attack from programs like Blaster. The campus assumes risks and liabilities by not knowing exactly who is on the Net and what they are doing. Delegation of this responsibility is fragmented: some LAN administrators do not see responses; responses are passed on with no follow-up. Part of the problem is that ports and hosts are transient; for instance, a guest researcher here for only a day or two may leave a virus on a host undetected. The department does not know how to control this type of access, yet feels obligated to be a host and provide services, while desiring to be a responsible participant by making sure no harm comes to other users. However, with no user accountability, there should be no user access.
A consensus is growing on the need for a "network logon," i.e., a user would not be allowed to send routable information until the device or source itself has completed an authentication process. A second step in this hypothetical process would be to "vet" the device at higher layers of the software in order to determine that it does not pose a hazard to others on the network. Arlene is concerned that the first component of this, the authentication process, be built upon the directory and authorization software framework UCSB has recently adopted. She is researching options in that vein. Kevin is drafting a network citizenship document which will require every allocated subnet to appoint an individual system administrator responsible for maintenance and operation of the network. Departments must acknowledge responsibility for assuring that machines on their net are "healthy." Failure in this requirement may result in a meeting with the department chair and department administrator for the first offense, and subsequent occurrences could result in a department's being cut off from the subnet. Skill level of the systems administrator is another problem that needs to be addressed. It should be remembered that traffic both to and from a problem host would be cut until fixes are completed.
The mobility of laptops is a great contributor to the problem. How do you block a previously clean machine that picks up a virus and brings it back into the subnet? Kevin is looking for a way to gather information (802.1x) and relay it back to the system administrator and the user. (Meetinghouse and Funk Software are the most popular programs investigated.) The communication hierarchy regarding virus intrusion would be: individual user, to department system administrators, to the NOC. The scope of responsibility in departments needs to be limited to one point of contact. Notification of repeated breaches should be sent to the departmental control point as well if it becomes necessary. The Network Administrator has the responsibility to maintain security on their network. It has been found that most problem machines are in academic departments. Department chairs should be notified that security is a very important issue; we need to stress that departmental program support, delegated authority, and resources are at stake. We recognize that there are understaffing and resource issues, but there needs to be an explicit statement of requirements for the control points.
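The two-step "network logon" discussed above (authenticate the user before the port carries routable traffic, then vet the device and cut it off if it is a hazard) can be made concrete with the exchange an 802.1X-capable switch has with a RADIUS server. The following is an added example written for these minutes, not code from UCSB, Meetinghouse or Funk Software. It models the switch as the authenticator and a small RADIUS server as the decision point (RFC 2865 packet format, password hiding and response authenticator; RFC 2868/3580 tunnel attributes for VLAN assignment). To stay self-contained it carries a plain User-Password attribute rather than the EAP methods real 802.1X uses; the shared secret, the user directory, the list of infected MAC addresses and the VLAN names are all constructed sample data.

```python
"""Added example (not from the ITPG minutes): the proposed 'network logon' modelled as
the RADIUS exchange between an access switch and a RADIUS server (RFC 2865), with
RFC 2868/3580 tunnel attributes parking unvetted devices in a quarantine VLAN.
The secret, directory and infected-host list are constructed sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

SHARED_SECRET = b"constructed-nas-secret"        # switch <-> server shared secret (assumed)
DIRECTORY = {"rstudent": "correct horse", "guest42": "day-pass"}  # stand-in for the campus directory
INFECTED_MACS = {"00-0c-29-aa-bb-cc"}            # hosts the NOC has reported as infected (assumed)
PRODUCTION_VLAN, QUARANTINE_VLAN = b"prod", b"quarantine"

def xor_password(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hide else block   # the chain always runs over the ciphertext
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_password(password + b"\x00" * (-len(password) % 16), secret, req_auth, hide=True)

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_password(hidden, secret, req_auth, hide=False).rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs

def build_request(ident: int, user: str, password: str, mac: str) -> bytes:
    """Switch side: Access-Request carrying the supplicant's identity and port MAC."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth)),
        (CALLING_STATION_ID, mac.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # RFC 2865 3: Response Authenticator = MD5(header + RequestAuth + attrs + secret)
    return header + hashlib.md5(header + req_auth + attrs + SHARED_SECRET).digest() + attrs

def radius_server(packet: bytes) -> bytes:
    """Step 1: authenticate the user against the directory. Step 2: vet the device;
    a host on the infected list (or with no MAC) is accepted only into quarantine."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    if code != ACCESS_REQUEST or user not in DIRECTORY \
            or not hmac.compare_digest(DIRECTORY[user].encode(), pw):
        return build_response(ACCESS_REJECT, ident, req_auth, b"")
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    vlan = QUARANTINE_VLAN if (not mac or mac in INFECTED_MACS) else PRODUCTION_VLAN
    return build_response(ACCESS_ACCEPT, ident, req_auth, encode_attrs([
        (TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),        # 1-byte tag 0 + 3-byte value
        (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan),                 # tag 0 + VLAN name
    ]))

def switch_decision(request: bytes, response: bytes) -> str:
    """Switch side: check the reply is the server's answer to this request, then open the
    port into the assigned VLAN. Any doubt leaves the port closed in both directions."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length]
                           + SHARED_SECRET).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return "blocked"                       # forged, tampered or mismatched reply
    if code != ACCESS_ACCEPT:
        return "blocked"
    return decode_attrs(response[20:length])[TUNNEL_PRIVATE_GROUP_ID][1:].decode()

def network_logon(user: str, password: str, mac: str) -> str:
    """One full exchange; returns the VLAN the port was opened into, or 'blocked'."""
    request = build_request(ident=7, user=user, password=password, mac=mac)
    return switch_decision(request, radius_server(request))

if __name__ == "__main__":
    print(network_logon("rstudent", "correct horse", "00-0c-29-11-22-33"))  # prod
    print(network_logon("guest42", "day-pass", "00-0c-29-aa-bb-cc"))        # quarantine
    print(network_logon("rstudent", "wrong", "00-0c-29-11-22-33"))          # blocked
```

The point the minutes make about mobile laptops is handled by the second step: a guest with valid credentials whose machine is on the infected list is still admitted, but only into the quarantine VLAN, which is where "traffic both to and from a problem host" is cut until the machine is cleaned and the NOC removes it from the list. The switch never opens a port on a reply whose Response Authenticator does not verify, so a forged or tampered Access-Accept cannot bypass the gate.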
A network citizenship draft is to be presented at the next meeting by Kevin or Andrew. The Academic Senate needs to be involved as well, and the OIT will provide pressure once the document is in place. The Gartner Group has a comparison chart which indicates how much staff should be required per host. Every campus has proportionate problems, as evidenced by JOG meeting discussions. Solutions should be simple to understand, and we need an architecture for the software we currently use that will enable the reporting of issues. It is problematic in that there is not a 1:1 ratio for support, and individual users can have more than one access point per department, making it difficult to match a specific person to a specific support contact. Automated response directly to the individual user is necessary.
Mark announced the formation of the Information Technology Leadership Council (ITLC), which is a replacement for JOG, although the functionality of JOG will continue in other subcommittees that will report to the Office of the President and ITLC. This should result in increased focus on IT issues across campuses, and comprehensive responses. The operational component is still in flux. Each campus will be represented in strategic planning within the ITLC; operational issues will be directed into subgroups.
Associate Vice Chancellor Kris Hafner reported that the RIAA & MCIA sees UC as one entity in cases of downloaded peer-to-peer files. It was suggested that the Berkeley System and Network Security (SNS) website be reviewed. Campuses are moving towards centralized email accounts for security reasons, and there is a trend of charging for wireless access in order to obtain a degree of control, the philosophy being to deploy and work out the problems as they arise. UC Santa Cruz is consolidating all IT in order to make it as responsible and secure as possible.
In order to realize a greater degree of security and reliability, IS&C is running two directories in multi-master mode. There will also be a third directory exclusively for extranet access. These directories have been placed as close to the NGB as is possible for reliability and performance. Off-campus entrance to the extranet will be related to off-campus allowable access. Oblix is mostly installed and is being learned.
"For Widest Distribution"
Alan Moses suggested that the ITPG establish guidelines for emails designated "For Widest Distribution," in light of the United Way Day of Caring 7.5 MB email attachment distributed recently. When conducting mass emailings, consideration should be given to appropriateness, technical guidelines for messages/attachments, and format and maximum size of attachments. Suggestions in composing such messages are to include a URL rather than an attachment, admonishments to exercise restraint in duplicating the message, and to keep the format simple. Mark Aldenderfer indicated the OIT would offer to coordinate a response and include Meta Clow, Campus Policy and Records Management Coordinator.
Support for Non-Departmental Applications
Alan Moses reported that the web-based BARC application has adversely affected the LSIT Helpdesk by advising users to "please contact local support" for problem resolution. The BARC application runs on Netscape 4.7, which was dropped from the LSIT list of supported programs some time ago. The "Please contact local support" statement should be added only after consultation. Otherwise it becomes an unfunded support mandate, and technical issues regarding desktop support become problematic.
There was a meeting of users and potential users, where creative solutions were proposed and the issues seem to be well in hand. Concerns were expressed regarding the time it takes to recognize conflict and the length of time it takes to devise a solution. In addition, the more difficult the problem, the more time sensitive the problem becomes. There is missing information in the points of contention on the fiber plant regarding the lead time requirements for the various areas of campus and the specific case control points. Documentation of the status was also a concern; a list of materials does exist, and user resources are being identified. Real time documentation needs to be maintained. Mark Aldenderfer indicated that Elise had begun to look at fiber allocations prior to her leave, and it would be her primary task upon her return.
Bill Koseluk reported that with declining revenues, equipment replacement will become a problem, and individual (fragmented) tech fees are a bad idea. Should the ITPG revisit the issue with the Chancellor, and if so, should we propose a coordinated effort for a single fee? Should the fee be user specific, or widespread? It was mentioned that course fees might be a potential source of funds, but course fees are generally limited to consumables; there is no general course fee. Should this be part of the networking funding model, or an IT funding model? There are a series of funding issues, and the funding model should be cognizant of "unfunded" issues. UCSB seems to have no strategic plan, but relies on a political climate that solves issues piecemeal while other campuses have a strategic plan in place. All students will receive services via the network, and a good model of services, fees, etc. is needed. The Budget subcommittee will be meeting this Fall to discuss this issue, but does not have a clear direction.
Deborah Scott reported that the huge increase in logons to the GOLD system by students looking for their class schedules filled the available sessions from the mainframe. When staff came back using Rex and Travel, the increase crashed the system as well as the BARC, Purchasing, and Accounting systems. Fee payments could not be made on time, so the deadline was extended. This was the first year that class schedules were not printed and were available only online. In addition, there was no voice response (RBT) available.
The City of Goleta is voting on the first part of the first ONI route off campus on October 6. The Los Carneros route is up and running on an interim solution.
Paul Valenzuela announced that Elise will be back for the next meeting, scheduled for October 27, and thanked the group for their cooperation during his tenure.