25 May 2004

Access to the UC Network from home

While it would be extremely convenient to be able to access the University network from off-campus, there are a number of issues that need to be addressed if this is to happen.

The Division's Vision for ICT in the Division [authentication required] seeks to provide access to the Division's resources from anywhere at any time. With network storage this requires HomeDrives to be available from off-campus as well as from the University campus.

Home drives often contain sensitive information that needs to be kept confidential, so the security of any access allowed to information stored on home drives must be maintained. The University has decided to use a Virtual Private Network, or VPN, approach to providing people physically outside the University campus with access to the resources they should be allowed to see.

A current proposal to provide wireless access to the University network from on-campus includes the development of the systems necessary to support the establishment of VPN connections to the University network. Once this infrastructure is in place it will also allow people off-campus to establish VPN connections to the network over a wired connection from anywhere on the Internet. Although it may be slower than access while on campus (depending on the connection speed and network traffic), a user will be able to access all the network resources they are entitled to see as if they were on campus.

Establishing a VPN connection to the University network from outside the campus (say from home) will still require an Internet connection. The University's current policy is that staff and students need to organise their own accounts with commercial Internet Service Providers (ISPs) if they wish to use UC on-line resources from home (http://www.canberra.edu.au/cc/off-campus/ [link updated]).

Allowing staff to access the University network from home (and through that connection to the Internet) is difficult for a number of reasons, including:

  • Providing the infrastructure involved for the network connections (via dialup modems, for example).
  • Managing access through off-campus connections.
  • The traffic costs to the University.
  • Monitoring access to the University network, which is a part of the Australian Academic Research Network (AARNet), and thence to the Internet via the campus network. Use of the University network is subject to AARNet Policy as formulated by the AVCC, which limits the uses to which the networks can be put.

The technical complexity of restricting people who access the University network from home to the University network alone (rather than onward to the Internet) is high, and would probably need other changes to the way the network is managed to ensure services remain available. Some services available on the University network (like some of the Library research databases, for example) would not be available unless additional work was done, if at all.

Size of individual emails

Email is not the best way to distribute large documents, especially to a number of recipients.

General consensus seems to be that the size of individual emails should be limited; the actual size of the limit is still under discussion. Since it is attachments that increase the size of emails beyond what might be considered "reasonable", discussion centres on limiting the size of attachments using the configuration options of email servers.

In some cases (like the uc-chat discussion list for example), no attachments should be permitted. Many commercial ISPs limit attachments to 2MB, or limit the overall size of an individual mailbox to 2 to 20MB. Email larger than the limit, or which would put the size of the mailbox over the overall limit, is bounced back to the sender. Some Government Departments are reportedly limiting email attachments to 4MB.

Whatever limits are put in place, alternative mechanisms for sharing files with colleagues individually or in groups need to be developed and understood by staff. The Division's Public Documents [authentication required] service goes some of the way to providing document sharing with other Divisional staff, but isn't a suitable solution in all cases. Authenticated access to shared network storage is used widely throughout the Division to share files among workgroups, and can be set up on request by the Help Desk, although the administration of these services can be onerous as groups change.

The University Information Management Systems Committee (UIMSC) has established a Working Party on Collaborative Services that includes consideration of these issues among others, and is working on possible solutions.

In the meantime, staff should be reminded that sending "large" files (2MB+) via email is probably not a good idea, and definitely not to a number of recipients. Other ways may be more appropriate: if in doubt contact the cehelpdesk for advice.

Portable Computers

The issue of staff using portable or laptop computers instead of desktops is still not resolved.

Last year in the TSU Report 13 May 2003, the issue of portable versus desktop computers was raised. Executive referred the issue to the University Information Management Systems Committee (UIMSC), which referred it to the OH&S Office for comment. PVC Research and Information Management has reported that the UIMSC is following up the issues in relation to a University policy on portable computers.

Following is last year's report on portable versus desktop computers, updated with current configurations.

Traditionally, the Division has supplied staff with desktop computers. On application some staff with specialist needs for a portable computer have had their desktop computer swapped for a portable. Lately there has been an increase in the number of requests for portable computers in place of desktops, and the following comparisons may help Executive decide whether to make portables more widely available in place of desktops.

The standard configuration for the Division's new computers currently [May 2004] is:

  • Dell PC or Apple Macintosh
  • 512MB RAM
  • Combo Drive (reads and writes CDs, reads DVDs)
  • 15" Flat Panel Display

Hard disk size is not really a consideration for desktops, since it is expected that desktops will use Network Attached Storage for saving data. 30GB is usually the minimum available for desktops, which is generally more than enough for most users in the Division. Standard configurations vary from 20GB [Dell portables] up to 80GB [Macintosh desktops]. No floppy or Zip drives are supplied.

Monitor size for Desktops is 15", giving a display usually of 1024x768 pixels.

Monitor sizes for portables are usually 14", capable of displaying 1024x768 pixels (same as the desktops, although overall the screens themselves are slightly smaller in size so the text and graphics look smaller).

Prices (ex GST) range from about $1,800 for a Macintosh portable to almost $2,400 for a Dell portable. Desktops are around $2,000.

Note that PC and Macintosh portables are available for short term loan from the CRC for conferences and other uses.

Some points to consider in comparing portables to desktops:

  • Our experience with users who are using portables is that they often request additional mice, keyboards, monitors, risers and sometimes docks for their office so they can more comfortably use the portable at work. Normally we will also purchase a carry case of some sort to better protect the computer when it is being transported. Each such item increases the cost of the portable over the standard desktop.
  • The ergonomics of using portables compared with desktop computers may also have OH&S implications that need to be considered.
  • Connecting computers outside the campus to the campus network is currently the responsibility of the user, so any staff member with a portable (as with any computer they want to use from home or anywhere off-campus) will have to make their own arrangements with a private ISP if they want to connect to the Internet from outside the campus.
  • Portable computers are also by their nature less secure than desktops, although so far none of the Division's portables has gone missing.
  • Using a portable is also more technically complex for the user, who has to cope, for example, with online versus offline access to email and web browsing, printer connections, proxy settings and so forth, all of which vary depending on whether the computer is on the University network or not. We receive a number of helpdesk requests from users of portables for support with issues of this sort, and the immediate need these users have for assistance makes it stressful for helpdesk staff to respond in a timely manner.

Also, since the above was written, wireless (WiFi) access to the University network has been under active development, and malware (viruses, worms, Trojans and other malicious software) has become a bigger issue for PCs, particularly through portable Windows PCs that were infected elsewhere being attached to the University network (wired or wireless).

Update 29 July 2005: The Division’s new laptop policy has come into effect.

11 May 2004

Sasser Virus

PCs at the University were badly affected by the Sasser worm.

On Wednesday, 5 May 2004 at around 3pm Windows PCs on the University network came under attack from the Sasser worm. Many PCs were unusable for several days as the IT groups within the University removed the worm and patched the vulnerability.

The Sasser worm is transmitted machine to machine by exploiting a vulnerability in Windows 2000, XP and 2003 operating systems (Macintosh computers were never vulnerable to this attack, although the network traffic generated by the worm, and subsequent attempts to remove it and patch the Windows computers, caused significant delays for Macintosh users accessing network services like email and Web pages).

The vulnerability exploited by the Sasser worm was recognised by Microsoft, and a patch to prevent the vulnerability being exploited had been issued by Microsoft on 19 April 2004. Windows PCs belonging to Divisional staff on the network are supposed to be configured to download security patches automatically when they become available: this has obviously not been happening consistently throughout the Division, and investigations are underway to determine why patches were not being installed consistently.

All the Division’s Microsoft servers had been patched and were not infected by the worm, but network traffic was such that their performance slowed dramatically, to some users appearing to be down. Macintosh servers were not affected, although again network traffic gave them the appearance of being compromised.

The network port used by the worm to propagate had been closed at the border of the University network for 10 days, so the worm had to have been introduced into the network from inside, either via removable media (floppy disk, Zip disk, or CD) with the worm on it, or from an infected portable computer brought on to campus and connected to the University network.
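The pattern described above, an infected host on the inside trying many neighbours on the propagation port in quick succession, is exactly what an internal connection log can reveal. The following is an added Python example, not part of the original report, that flags any source reaching an unusual number of distinct destinations on one port within a short window; the log format, the hosts and the default port 445 (the TCP port Sasser's LSASS exploit used, a detail the report itself does not state) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records ("timestamp source destination dst_port"), not real data.
# 10.1.4.17 reaches 12 neighbours on the propagation port within seconds (worm-like),
# 10.1.4.50 talks to one file server repeatedly, 10.1.4.60 uses a different port.
SAMPLE_LOG = "\n".join(
    [f"2004-05-05T15:01:{s:02d} 10.1.4.17 10.1.4.{100 + s} 445" for s in range(12)]
    + [f"2004-05-05T15:01:{s:02d} 10.1.4.50 10.1.4.9 445" for s in range(0, 30, 5)]
    + [f"2004-05-05T15:01:{s:02d} 10.1.4.60 10.1.4.{200 + s} 80" for s in range(3)]
)


def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def fan_out_alerts(log_text, port=445, threshold=10, window_seconds=60):
    """Return {src: peak_distinct_destinations} for every source that reaches at
    least `threshold` distinct hosts on `port` within any `window_seconds` interval.
    Port 445 (Sasser's LSASS exploit port) is an assumed default, not from the report."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ts, src, dst, p in parse(log_text):
        if p == port:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> connections inside the sliding window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # drop events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts
```

Running `fan_out_alerts(SAMPLE_LOG)` on the constructed sample flags only 10.1.4.17; a host that repeatedly contacts one file server, or many hosts on an unrelated port, does not trip the alert.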

As a result of this episode, the following things should be done:

  • A communication strategy needs to be developed.
  • As an interim measure, immediately implement an effective strategy to keep security patches and virus definitions current, until systems can be put in place in the University or the Division to maintain Windows PCs.
  • The University, or the Division if ICT Services is unable to manage it, should install and manage Windows Update Services when it is available in late 2004 to ensure an efficient updating system is in place (although the software is free, a server will be required, along with a licence for the Windows 2003 Server operating system).
  • Serious consideration should be given to expanding the use of alternative platforms in the Division, particularly Macintosh. The Macintosh operating system, OS X, is based on Unix, a mature and largely open-source operating system that is far less vulnerable than Windows to exploitation and not a target for the type of activity plaguing Windows PCs.

Limiting the size of emails

Large emails (usually the result of attaching large files) are clogging the network.

Recently there have been a number of instances where people within the University have sent emails containing large attachments to discussion lists: in one case the attachment was around 150MB in size. The more addresses a large email is sent to, and the larger the attachment, the greater the impact on the email system. In this particular case, the University's main email system ground to a halt and steps had to be taken to remove the email from the system.

Email attachments sent to a discussion list or a group of addresses, where the attachment is not required by all recipients, are a waste of resources: unless deleted by the recipient, the recipient's mailbox grows, taking up space on hard disks or servers.

Under discussion is a proposal to limit the size of attachments to emails going to discussion lists, or blocking attachments altogether and providing an alternative means for making files that would otherwise be attached to emails available (like the Division's Public Documents facility).

Software audit

ICT Services is proposing to audit software installed on all of the University’s computers.

ICT Services is planning how it might audit software installed on all the computers in the University, including the Division. By 28 May 2004 ICT Services wants to have details of all the software the Division has purchased in the last three years, including when it was purchased, the version, the licence conditions for the software, and when and where it was installed and uninstalled. They also want to get details of what software is currently installed on every computer in the Division, including staff desktops, servers, lab computers, portable computers, even computers on long-term loan held off-campus.

While it is necessary to have this information, the tools required to capture, store and manipulate it just don’t exist in the Division or the University as a whole. We await client agents for Macintosh and Windows computers from ICT Services that produce a profile: when they arrive we will have to test them and then distribute them to staff with computers that are not on the University network.

ICT Services plans to audit the computers on the University network by deploying agents via the network itself, running them automatically and returning the results directly to ICT Services.

05 May 2004

What to do about the Sasser worm

The Campus is currently suffering from a large number of Windows PCs being infected with the Sasser worm (Macintosh computers are not affected).

If your Windows PC keeps shutting down try the following:

  1. Windows 2000: Install the Security patch for Windows 2000.

     OR

     Windows XP: Install the Security patch for Windows XP.

     Allow the computer to reboot after the patch is installed.
  2. Launch the eTrust Antivirus - Local Scanner [Start>Programs>Computer Associates>eTrust>eTrust AntiVirus>eTrust AntiVirus] and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and the System Cure feature enabled.

For a more detailed process print the security note from Microsoft (Windows 2000) (Ignore Step 4). [Original at http://www.microsoft.com/security/incident/sasser_print2000.asp]

If you can't get rid of the infection yourself, call the helpdesk to report it.