Duke ITAC - October 09, 2003 Minutes

DUKE ITAC - October 09, 2003 Minutes

Minutes

October 09, 2003

Members present:Ed Anapol, Ron Stubbs (for Mike Baptiste), Pakis Bessias, John Board, Paul Conway, Jason Cooper, Wayne Miller (for Dick Danner), Nevin Fouts, Tracy Futhey, Michael Gettes, Patrick Halpin, Alfred Trozzo (for Paul Harrod), Bob Newlin (for David Jamieson-Drake), David Jarmul, Kyle Johnson, Ian Lawrence, Roger Loyd, Melissa Mills, George Oberlander, Lynne O'Brien, Mike Pickett, Rafael Rodriguez, Molly Tamarkin, Robert Wolpert, Steve Woody

Guests present:Chris Meyer, Bob Currier, Chris Cramer, Phil Lemmons, Sue Jarrell

I. Review of minutes and announcements:

Blackboard - Tracy Futhey: Tracy and Lynne circulated a message in e-mail to ITAC, the same message was sent to faculty. It documented what were some unforeseen, but very unfortunate things that took place during the recent Blackboard scheduled downtime. Included were problems we had, their impact and steps to keep them from happening again. By end of month, there will be a detailed report on the contributing factors causing the problem. Work is well underway to make sure it doesn't happen again. There will be an update in a few meetings.

Unencrypted e-mail - Chris Cramer: The final date to turn off unencrypted e-mail access is 10-20-03. After that date, users will have to use SSL encrypted e-mail access. Chris has been working with dept and schools, there are not too many people left who are still using unencrypted mail. The help desk has been notified and groups have been working closely together to coordinate this effort.

II. Update from the Board of Trustees presentation

Presented by Tracy Futhey

Friday, the full Board of Trustees met. IT was a large agenda meeting item. It was the first time they had had a presentation on IT at Duke since 1987. There were very old perceptions of how things were. Three main messages that were conveyed:

  1. Timeline - where we were 10 years ago (history)
  2. Where we have gone since - central IT, network, etc
  3. Where we are headed - building on excellence, CIT, CITIE, not so much on underlying business resources, but more on the research aspects

Where we are today is still light years from where we were. Back then schools did not communicate; There was no focal point. Tracy gave her perspective on where we are positioned now, what we are doing well, what we need more work on, and where we need to improve. We are ahead of the middle of the pack. We need to be better. For example, what we need to be in academic technology is a 9 out of 10, but we are not quite there. We have many good programs, but there is variability across some of those. One school may have a lot of new technology, another school may not.

Questions: John board - How many have IT experience?

Tracy - A few have positions probably related to IT, but from the people side, or from running a company. There are no hard-core techies on the Board as far as she knows.

Where do we stand in relation to our peers?

Some of our initiatives are quite good--CITIE, laptop, research, cluster computing, etc.

The board came away from meeting wowed. They reacted very well. Tracy tried not to paint picture that we are terrible or wonderful, but realistic. (T)
They asked good questions about security, bandwidth in dorms, how we are positioned to move forward.

The tools used in the present are not much better:

  • Optical splitters
  • Linux-based but...
  • Perl-based capture, but Snort post process
  • Awk data distillation 10x speed vs perl
  • Still 1 min out of every 15 is captured, but all hosts are logged vs only the top 250 as before
  • Now we're only saving the IP source address, IP port, and Packet size
  • We generate graphs using php/jpgraph
  • We use a custom perl ldap/cgi code for user identifier
  • NetReg dhcp.conf and dhcp.leases files parsed hourly and the results are stored in MySql
  • LDAP code runs daily
  • Daily totals are generated using numerical integration

III .Enterprise e-mail proposed specification force

Presented by Mike Pickett force

What would it take to transform acpub e-mail system into an enterprise system? Excluded in this is the Health Systems, they are invested in Lotus Notes. The group was to create a set of specifications that would satisfy problems a school or dept might have in order to make it attractive for them to use and would make more sense for them to use the enterprise system versus their own. The group met for over 3 months.

POINTS:

  • Responsiveness: instantaneous delivery - very fast
  • NetID creation process: essential to get on system - fast, effective, pre-emptive
  • Reliability: 99.999 up time - excluding scheduled outages (2 hours scheduled outage)

John Board - This seems unrealistic. How are you going to do that? 2 hours downtime each week is a lot.

Michael Gettes - This is what the ISPs do. How do they respond to changes that happen, upgrade hardware, etc.? We need some scheduled outage time to manage the system and to meet the needs of the institution.

Molly Tamarkin - That time is "reserved" for downtime, but not necessarily used all the time?

John Board - You need to balance the 99.999% with the 2 hours of downtime. You shouldn't need the 2 hours. There should never be an impact on users.

Bob Newlin - If have to factor in the network, you will never meet 99.999% uptime. It doesn't matter if e-mail is up if can't get to the e-mail because the network is down.

Michael Gettes - The goal is to have e-mail up 99.999% of the time. We need something to base the service against. Mail service has to be good and how will we determine whether or not it is good without standards? ISPs, such as AOL, reserve 2 hours every day, but they haven't had an outage in the customers' eyes.

We may use the process with 2 hours schedule time to get as close to 99.999% as we can. If it proves unreasonable, it is good to know.

Support for older, less reliable e-mail clients will be discontinued. POP services will no longer provided after June 30, 2004.

John Board - What is the percentage now of POP vs. IMAP?

Chris Cramer - About 1/3 POP and 2/3 IMAP.

This would be a substantial change in culture and use.

-Capacity: Substantial amounts of quota - 100 MB

-Security and Privacy:

John Board - What does it mean to be HIPAA compliant? We should have the ability to encrypt the transport and/or message encryption. We should have the same ability in campus mail systems.

-Recoverability and Archive:

Back up copy - Robert Wolpert and John Board - It seems rather long for it to take 24 hours for back up. 4-6 hours is preferred.

Rafael Rodriguez - What do you mean by backup? Backup to tape or having multiple copies? Enterprise system have storage redundancy so as you do it, it is backed up.

John Board - Stored on a RAID array, disk to disk backup - 4 hours.

Nevin Fouts - This was discussed regarding user deleted e-mail. If a user doesn't delete e-mail within 24 hours, it is recoverable.

Mike Pickett- Can we have both? 4 hours for disk and the ability to recover if a user deletes messages?

Michael Gettes- We use RAID mirror disks. We're already using RAID arrays and mirroring, but is that enough?

John Board/Robert Wolpert - Is there more than one point of failure? What is reasonable way to have users recover their mailbox? Is there any way to get that back without going through long process?

Michael Gettes - In the beginning it would probably have to go through the Help Desk, but later possibly a user can recover it himself. We need to look around and see who else has done this.

- Adaptive:

Process in place to continue to improve

  • ongoing advisory committee?
  • serve as watchdog and drive functional changes

Robert Wolpert - How large a committee are we talking about?

John Board - Why do we need another committee? Why isn't ITAC the appropriate committee?

Melissa Mills - It takes a lot of time.

John Board - Yes, take it offline and then come back to ITAC.

Mike Pickett - To get this implemented, it will take a lot more work to drive into the details. We have a group of people to help do that, and they can report back to ITAC. Once it is running and in place, periodic checks will be in place, but not a standing committee.

- Standards, Calendaring:

Clients: What are attributes? OIT would provide support around certain clients.

How they would be chosen will involve several groups (like the calendar group).

-Addresses:

Official Duke e-mail addresses will be established for everyone in the Duke community - a way to send official e-mail communications.

John Board - What is the difference between offical identity and e-mail alias?

Paul Conway - There is one and only one identity, but many forms. The Duke unique ID is the one and only identity issued by the university. It is unique and permanent. Only one NetID, DEMPO, alias, common alias, but the unique identifier inside the university steps up and defines a uniqueness. Every member - each unique - may have multiple personalities.

Melissa Mills- I don't know why students have unique IDs and emplid Ids. This is a big issue and very confusing. It's hard to design systems and not know which ID to base the system on. We need one ID.

Paul Conway - The principle is that everyone at Duke is unique and gets only one unique number assigned.

Molly Tamarkin - User education needs to be part of this. If we are building a system and hope people will migrate to it, then a huge user education campaign needs to be done.

Melissa Mills- We also need a deadline.

Molly Tamarkin - If people compare this to local e-mail at the department level, then this will always fail because of the scope.

Kyle Johnson- It would be a system that folks would want to go to, but if they have a department that could manage e-mail more reliability then they don't have to use it.

Wayne Thompson - Reliability is hard to measure. You must go back to other features like calendaring because it is hard to sell on just e-mail.

IV. Effects of 5 GB cap on ResNet traffic

Presented by Bob Currier and Chris Cramer

This began on Sept 17, 2003. When the number of tickets go up - the bandwidth goes down.

Three students have been rate limited. The average of student uploading is about 1 GB per day per student. Most students are doing only 1 MB, but the average is one GB because of the few students going over the limit. Ten percent of students are using ninety-five percent of the available bandwidth.

Michael Gettes- Is there a way to find out what the pent up demand is without taking the bandwidth cap off? No.

East campus students are the worst offenders. Non-freshman are doing better. We may need more education for freshman.

If the 100 MB cap over the entire campus adversely effects upper classmen, can we cap East campus only?

Jason - I think separate caps are a good idea for East and West campus.

Kyle - Do we know if the performance is better?

No, but we haven't heard the complaints we had last year.

Michael Gettes: We are trying to extend this type of monitoring out to more systems.

V. Report from CSG meeting

Presented by Chris Meyer, Mike Pickett, Michael Gettes, Tracy Futhey

Chris Meyer - meta group consensus was there are certain systems you would buy (CRM, ERP) that are packaged solutions and are much faster to implement with known features and functionality, but you have to live in their constraints. Some universities have decided to build their own software applications if they need to have something highly customizable. The University of Texas exclusively builds software.

Open source solutions: tools, emacs, apache, sendmail, linux, etc. Uportal project price is right. There is lots of control. It is quicker to implement than building. It is a collaborative effort with other schools. Life of open source community is dependent on staffing, and once you customize it is hard to go back.

Web services - Mike Pickett

Found some interesting Web sites: xmlmethods.net, and www.fedora.info.

Michael Gettes - Sun and I2 - Internet 2 members gain access to full suite of Sun software at reduced prices. There is reduced maintenance cost. The pricing schedule is understood outwards to 20 years. This is for non-profit use. A contract will be developed in next month or two.

We also talked about emergency response, viruses, security policy issues. It was a good meeting.

Robert Wolpert - Did you learn anything anyone else is doing that we should be doing?

Mike Pickett - We talked about authenticating to the network and then what? Scan to network? We have leases immediately now - would extra time be a factor?

VI.IVY Plus security meeting

Chris Cramer

1st time ever - Held at Brown University. Found out that Duke did a lot better job handling Microsoft worms than most schools. A lot of security groups are not keeping forensic groups together to go in and see what happened. There was an interest in SSN. We discussed what each member's environment was like. What each one was working on. We didn't spend as much time on issues as we did in the past.

Everyone would like more discussions on firewalls. There are thre main viewpoints - actively pursuing; wanting to deploy; and some would like to pursue, but due to political ramifications are not sure how to do it. Some say no for right now; They are pretty certain they don't want firewalls.

Challenge/Response Systems - How to authenticate if users have forgotten passwords. Schools have not reported abuse. Even online they hadn't detected abuse.

Molly Tamarkin - Regarding firewalls, were you talking about perimeter firewalls?

Yes.

A few schools are trying to deal with the bandwidth issue.

packeteer - breaks packets and appropriately limits bandwidth

Some schools are looking at charging the students - if they go above 3 GB per day, they are charged for an entire month.

Goerge Oberlander - Did you talk about personal firewalls?

Robert Wolpert - Do other schools have site licenses for firewall software?

Chris- They are pursing it if don't have it yet. Most have antivirus software already and it offers firewalls.

VII. Other business

None.

Meeting adjourned at 5:30 pm