Restricted/Limited Access Network project meeting

Monday, July 22, 2013; 3:00 p.m.; AISB-208

Invited

Phil Benchoff, Jacob Dawson, Marc DeBonis, William Dougherty, Brian Jones, Ron Keller, Jeff Kidd, Philip Kobezak, Greg Kroll, Steve Lee, Randy Marchany, Christine Morrison, Rich Sparrow, Lucas Sullivan, Brad Tilley

Agenda

  1. Review action items and comments from 20130708 - July 8, 2013 RLAN Project Status Meeting
  2. Status of AISB RLAN connections/orders
  3. Review Tasks/Activities that need to be completed by July 2013 in order to end phase I of this RLAN project (see comment from 20130708 - July 8, 2013 RLAN Project Status Meeting)
  4. Review plans/milestones for phase II of RLAN project
  5. Further discussion of RLAN VPN
  6. Open Forum

Attended

Phil Benchoff, Jacob Dawson, Brian Jones, Ron Keller, Philip Kobezak, Greg Kroll, Steve Lee, Lucas Sullivan, Brad Tilley

Agenda

  1. Review action items and comments from 20130708 - July 8, 2013 RLAN Project Status Meeting
    1. Action item: Some agreement regarding firewall management is needed between ITSO and NI&S.
      1. Those present thought a Memorandum Of Understanding (MOU) would work for this. Action item: Brian will ask Christine Morrison to work on an MOU for firewall management between NI&S and ITSO. The MOU should outline who is responsible for what.
      2. Since NI&S already has established processes and procedures for this, the ITSO should work within those established practices.
      3. It was emphasized that the firewall can be "completely messed up" with just a single wrong entry into the process.
      4. The ITSO will most likely access the "PCO" process for this process. Eventually it would be nice to automate the process using IRON.
  2. Status of AISB RLAN connections/orders
    1. Those present did not think any progress had been made with the AISB connections. Action item: Rich will contact Vivian Rich to get the AISB RLAN connections completed.
  3. Review Tasks/Activities that need to be completed by July 2013 in order to end phase I of this RLAN project (see comment from 20130708 - July 8, 2013 RLAN Project Status Meeting)
    1. As of last Friday (7/19/2013) there were 4 hosts using the RLAN VLAN.
    2. Phillip reported that Melinda West is going to work on a timeline for getting her people on the RLAN and using it on a regular basis.
    3. The ITSO is working on a timeline with pilot users to get them using the RLAN before Fall semester 2013.
    4. We need to publish valid RLAN IP addresses so servers and services trust these addresses and so those on the RLAN can reach needed services.
    5. Phil Benchoff suggested we simply permit the entire "stroke 12" address space.
    6. It is recommended that Randy (as the IT Security Officer) send an email to TechSupport with approved addresses.
  4. Review plans/milestones for phase II of RLAN project
    1. RLAN only restricts where users go to.
    2. The ITSO needs to approve and only let computers on the network that meet specific configuration management requirements/expectations.
    3. It defeats the entire purpose of the RLAN to let anyone onto the network if we are not requiring a certain level of management (commitment) of the computers.
    4. Several of those present are not in favor of allowing access to the RLAN through the open campus VPN. Action item: A decision on access to the RLAN using the open campus VPN needs to be made by the ITSO.
    5. The original purpose of the RLAN was to be a restricted group of users with specific configuration requirements and business needs for the RLAN.
    6. Possible departments to add for phase II are Controller, Human Resources, Internal Audit.
    7. Plans are to use the IRON application for all future users to get access to the RLAN. This should help with ordering, approving, and provisioning RLAN services.
    8. For whitelist entries NI&S would prefer that ITSO use PCO as opposed to trying to do this through IRON.
    9. Hammer out details concerning whitelisting/blacklisting (can we develop a better way, either by developing a front end to a configuration tool, through an IDS/IPS solution, or some other way?). Either way, we need to fine-tune the process of rule changes concerning the RLAN.
    10. Also needed is a webpage to which users are redirected when they try to go to a non-accessible website. One suggestion is to have a picture of Randy wagging his finger saying No, no, no... (smile)
    11. A complete review of current processes should be completed with the goal in mind of making it easier instead of more complicated.
    12. Begin planning for replacement hardware/software that fully supports IPv6
    13. The ITSO will pressure the maker of Fire-Eye to be IPv6 compliant. The problem is Fire-Eye is a unique application without much competition and thus has the upper hand.
    14. Need to begin thinking about non-Blacksburg (central campus) sites and use of the RLAN.