Restricted/Limited Access Network project meeting

Monday, December 16, 2013; 3:00 p.m.; AISB-208

Invited

Phil Benchoff, Jacob Dawson, Marc DeBonis, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Steve Lee, Randy Marchany, Rich Sparrow, Lucas Sullivan, Brad Tilley

Agenda

  1. Review action items and comments from 20131104 - November 4, 2013 RLAN Project Status Meeting
  2. How long is "temporary" and how will we undo the permit-all-out and lack of requirement for two machines/ports?
  3. Open Forum

Attended

Phil Benchoff, Jacob Dawson, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Steve Lee, Rich Sparrow, Lucas Sullivan

Meeting Notes

  1. Review action items and comments from 20131104 - November 4, 2013 RLAN Project Status Meeting
    1. Action item: Randy will talk to William about using the UC phones to temporarily access the RLAN.
      1. Not completed. Greg will send a reminder to Randy.
    2. Action item: Randy will send Steve an email requesting the above temporary network changes.
      1. Specifics worked out via email.
    3. Rich reports that Randy discussed the plan to open outbound traffic on the RLAN with Scott Midkiff who approved the plan.
    4. So the current plan is to set the outbound policy to open for RLAN users.
    5. For the record, Phil strongly objects to this plan and contends it defeats the original purpose of a "locked down", "restricted", internal network.
    6. Action item: Steve has already received email approval from Randy for firewall changes to implement an open outbound traffic plan and will notify the ITSO when those changes are complete.
  2. How long is "temporary" and how will we undo the permit-all-out and lack of requirement for two machines/ports?
    1. ITSO estimates it may take several years (i.e., end of 2015) for full implementation of RLAN and the transition of all identified departments.
    2. There was a discussion about alternative, low-cost, easy, network solutions to address the problem of securing the network for PII users.
    3. ITSO contends that even with outbound traffic being open the RLAN network will still:
      1. limit who is connected to the RLAN.
      2. have secure, up-to-date inline equipment monitoring the RLAN.
      3. have all RLAN users approved by ITSO.
      4. have secure policies in place for "locked-down" computers on the RLAN.
    4. With the decision to open outbound traffic on the RLAN, there was a discussion about the need to advertise or characterize the RLAN as limited (not the full RLAN implementation) when discussing it with departments, explaining that eventually all inbound and outbound traffic will be restricted.
  3. Open Forum
    1. The ITSO reports that currently no users are using the RLAN.
    2. This is a good opportunity to test the new Intrusion Detection System (IDS) design before users are brought back on the RLAN after the holidays.
    3. What are the RLAN maintenance windows? Is any downtime required for maintenance?
    4. Jacob commented that additional engineering is required in order for the UC phones to access the RLAN. (Note: related to action item 1.a above.)