Duke ITAC - July 31, 2014 Minutes

ITAC Meeting Minutes

July 31, 2014

 

I.        Announcements

  • June 5th, 2014 meeting minutes were approved.
  • Introductory Computer Science class has filled capacity at over 300 students with 25-30 on the wait list.
  • Drone Policy/Guidelines Working Group formed.  Current regulations prevent research, commercial and operational use of outdoor untethered drones.  Regulations are more open for hobbyists.
  • Duke NetID integration with research.gov NSF ID using the InCommon mechanism.
  • Telcom fire and emergency service move.  No significant damage, but a large amount of smoke was generated.  There were approximately 30 responders to the incident.  The building is now back to its original state.  Operators were able to move to the backup location with minimal impact to service calls.

 

II.      Agenda Items

4:10- 4:20 – Distributed Antenna System (DAS), Bob Johnson (5 minute presentation, 5 minute discussion)

What it is:  Duke’s cellular phone users will see improved coverage in key campus areas this fall thanks to an improved Distributed Antenna System (DAS).

Why it’s relevant: The DAS broadcasts cellular signals more directly to campus buildings and covers a much larger area than in-building hardware. We will provide an update on the status of this project and what cellular users can expect in the coming weeks.

Progress on the head end has been ramped up by the carrier partners.  This has been the delaying factor up to this point.  This should be coming live shortly.  Buildings throughout campus can then be connected.  Environmental Hall will be one of the first to be completed.  Working on a priority list for when buildings will be completed.

Need to watch for contention between existing outdoor DAS and this new head end.  Strength of connection has not been the issue, but rather it has been a problem of excess capacity.  This will improve as we migrate to the new head end.

This has been a 2+ year process.  As soon as it is complete, we will begin the process of moving buildings to the new head end.  There have been 12 sectors identified across the campus.  Most of the campus should be completed by the end of the calendar year.  Off-campus sites (e.g. Durham Regional) will be completed during the next calendar year.  There are a total of 8 crews performing this work.

Questions and Comments:

Are sites like Erwin Mill covered?  No, they are currently not part of this plan.  If there are concerns, they should be directed back to the landlord and/or the carrier.  Hock 1 and 2 will be covered in this project.

4:20- 4:35 – Network Topology Changes – SourceFire Deployment, Richard Biever and Nick Tripp (10 minute presentation, 5 minute discussion)

What it is:  The IT Security Office (ITSO) is working to deploy the product SourceFire, which uses an approach to security focused on protection before, during and after the threat.

Why it’s relevant: The ITSO will present on the current state of the SourceFire implementation, next steps, and what we are learning with the tools.  As we move ahead with the deployment, we would like to share how this will (a) improve the security of the network, as well as (b) provide better traffic flows between systems on the core network.

Prior to the discussion an update was given regarding another phishing attempt in mid-July using a salary update as a tactic.  Message went to approximately 600 people across the campus.  The small number of individuals whose accounts were compromised were contacted by staff over the weekend. 

Departments are still being highly encouraged to discuss multi-factor authentication with their groups to show people what it is and how it is used in an attempt to get more people enrolled.  We believe that once more people start using it and feel comfortable with it, there won’t be so much push-back from users and it will be more easily adopted across the board.

Presentation:

Intrusion prevention systems (IPS) examine network traffic to see if it is malicious or not.  The objective is to drop malicious packets automatically and allow non-malicious packets to go through, but occasionally things are blocked that shouldn’t be (false positives).  Our current intrusion prevention system, TippingPoint, was acquired by HP and we outgrew its capabilities.  It will be replaced with SourceFire because it has some more features and advantages.  The proof-of-concept has been in place since January.  Production units have been installed and will be moved to production in mid-August.

Capabilities of the new system:

  • Ability to inspect network traffic
  • Compare file hashes to allow for blocking of malicious files (would have been helpful for the CryptoLocker attacks last year).
  • Improved visibility to events requiring action
  • Platform is built on an open system, which allows for community-wide sharing of filters and bad actors
  • Improved bandwidth performance

Dashboard Demo

Questions and Comments:

Can we implement an online assessment for users whose accounts have been compromised before they have their accounts reinstated?  Yes, this might be something we can consider.  Right now the focus is on automatically enrolling these individuals in multi-factor authentication.

Are the files that are being inspected accessible to individuals in ITSO?  The files themselves are not visible to personnel in ITSO, but the results of the traffic inspections are.

Are there any segments of the Duke network that could be blocked by the new system?  Yes, there are a few.  ResNet, visitor wireless and Co-Lab should be treated as external networks because they are unmanaged and should have the traffic sent through the IPS.

4:35- 4:45 – BOX Provisioning and Policies, Charley Kneifel (5 minute presentation, 5 minute discussion)

What it is:  BOX is a cloud-based service that allows data storage across all clients, including Web, iOS, Macs and Windows.

Why it’s relevant:  OIT is currently putting together the framework for rolling out the service to the Duke Community. This includes developing a website, documentation, provisioning users, and adding the ability to create course space using Toolkits. We will provide an update on the implementation as well as the policies that have been put in place.

17,000 accounts have been provisioned for faculty, staff and students.  Remaining 15-16,000 accounts will be provisioned soon (hopefully by Monday).  You will receive communications from Box when your account has been added.  If there are email addresses added to your account, you will receive additional confirmation messages.  Duke.box.com is the production site and box.duke.edu is the documentation site.

The medical side has been in close collaboration with OIT so there is a consistent set of procedures and operational guidelines for the use of Box with sensitive data.  Specific training will be required before medical employees are permitted to use Box.  There are specific use-cases for this technology (e.g. taking photos in Dermatology) that will prove to be beneficial to patient care.

Toolkits deployment that will allow the creation of classroom space and ad-hoc groups will be available next week after all the accounts are provisioned.  These spaces are owned by a service account and therefore won’t go away if/when the creator leaves Duke.  This space will also not count against the creator’s private Box space quota.

Alumni.duke.edu accounts have been excluded from the migration.

Questions and Comments:

Is there an API for developers to create interfaces with Box?  Yes, information about this can be found at developers.box.com.

Is there a limit on number of synced devices?  Unsure, but it might be 5.  This can be modified if needed.

4:45- 4:55 – SISS Infrastructure Updates, Chris Meyer, Charley Kneifel (5 minute presentation, 5 minute discussion)

What it is:  SISS infrastructure has recently migrated to the Linux Infrastructure using the Virtual Machine (VM) technology. This transition enables the SISS PeopleSoft (ACES and STORM) to take full advantage of the robust and vast VM infrastructure that Duke has invested in over the past few years.

Why it’s relevant:  We will provide a brief update on the project objectives, improved scalability, growth and recent performance gains during the Freshman Registration cycle.

The project started in Summer 2013 and in the middle of June the final piece was moved over in time for Freshman registration.  The load was spread much more evenly over the hardware and there was an increase in the number of enrollments during the first minute. 

The new systems are deployed on Cisco UCS hardware that can accommodate various sized blades and are back-ended by EMC arrays.  This allows more scalability to support the needs.  The old AIX P-Series servers had been sized to support the peak requirements during registration.

Questions and Comments:

4:55- 5:20 – Warpwire, Todd Stabley, Evan Levine (15 minute presentation, 10 minute discussion)

What it is: OIT is in the early stages of conversations with the original founders of VoiceThread to see if it would be viable for them to develop a media publishing system for Duke to replace Kaltura, which is currently restricted to use only in Sakai and is externally hosted, costing additional funds for bandwidth and storage overages. These developers have a great track record in developing media tools for higher education and have a strong understanding of Duke’s authentication and authorization system.

Duke has been searching for a single media publishing tool that will allow our community to securely publish media assets across the multiple platforms used throughout the organization (Sakai, WordPress, Drupal, etc.). Previously researched solutions were either cost-prohibitive or were unable to secure assets using Shibboleth at the asset level. This seems like it might be a good approach to providing a secure media publishing system.

Warpwire demo

Product Benefits:

  • Can be integrated with Shibboleth
  • Can be embedded wherever the user would like to display/view the video
  • Sakai integration
  • Designed to work the same across all platforms
  • Video files can be kept on Duke storage, not in the cloud
  • Can leverage Box for file storage

Questions and Comments:

Conversation about DCRI-created mobile application.

How can this be managed/organized for sharing with multiple groups and purposes?  The specific mechanisms for doing this are still being developed, but the expectation is that a video should be able to be added to multiple collections and shared with different groups of individuals.

Discussion surrounding guest accounts for non-Duke users (e.g. continuing medical education, alumni, past employees, etc.)

Can the complexity of the tool be “hidden” from typical users, for example professors using Sakai?  Yes, the functionality will be straightforward in Sakai, similar to what is in place currently.

Are there any concerns regarding scalability?  At this point, we don’t anticipate that being a problem.  This will be tested extensively during acceptance testing.

Wish list items for the future:  transcription of videos that would allow for searching, capturing slides used within presentation.

5:20- 5:30 – Other Topics