Next: Appendix: Legacy File format Up: Network Liaison's Handbook Previous: Reporting Problems

Other Topics

Several other topics are important to system and network management but are well beyond the scope of this document. We mention some important ones here, to direct future research.

System Management

All computers require system management. The operating system and applications must be updated and patched regularly, and various configuration changes must be made when network changes are made. Backups of important data should be done frequently. Virginia Tech further describes a set of "Minimum Security Standards" which should be used as guidelines for establishing system installation and management routines.

Security

The network layer for the communications path between two endpoints may pass through many segments or devices. In the case of remote access, some of these pieces may be under the control of hostile third parties. For this reason, the network layer is not an appropriate place to create security mechanisms. Applications must assume that all network traffic may be monitored, intercepted, or forged and implement security at the higher layers. The most secure solution is to use applications that do end-to-end encryption between the client and server.

A secure replacement for rlogin/rsh/rcp/telnet is ssh. OpenPGP offers file and e-mail encryption and digital signatures. Neither of these tools is officially supported by the Information Center, but both are in widespread use on campus. It should also be self-evident that TLS/SSL should be used wherever feasible; the Virginia Tech CA has further information about this and also offers personal X.509 certificates for email encryption.

If you care about security at the network layer, you should look into IPsec, which is a standardized protocol to encrypt the contents of IP packets.

Access Control

Any kind of security based on network addresses or domain names is not secure at all. The question of how to determine Virginia Tech users by IP address or domain name comes up frequently when someone wants to restrict access to a resource to Virginia Tech users. Neither of these is a reasonable solution. There may be cases where non-University users originate connections from vt.edu domain names or where University users are using domain names or addresses that are not Virginia Tech's. Further, malicious users can and will gain access to VT hosts by a variety of means. Further information on university expectations can be found in policy 7010.
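The two failure cases named above (non-University users on vt.edu names, University users on outside addresses) can be seen by running an address-based check next to a credential-based one. This is an added example, not part of the handbook or of any Virginia Tech system; the network prefix, key, user names and requests are constructed placeholders, and the login step that would precede `issue_token` is assumed.

```python
import hashlib
import hmac
import ipaddress

# Constructed values: a documentation prefix standing in for a campus network
# and a demo key. Neither comes from the handbook.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
SERVER_KEY = b"constructed-demo-key"


def issue_token(user: str) -> str:
    """Issued only after the user has authenticated (login step not shown)."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def allowed_by_address(src_ip: str, rdns_name: str) -> bool:
    """The check the handbook warns against: trust the source address or name."""
    in_net = ipaddress.ip_address(src_ip) in CAMPUS_NET
    return in_net or rdns_name.lower().rstrip(".").endswith(".vt.edu")


def allowed_by_credential(token: str) -> bool:
    """Decide on who is asking, not on where the packets appear to come from."""
    user, _, mac = token.rpartition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; an empty or malformed token is rejected.
    return bool(user) and hmac.compare_digest(mac.encode(), expected.encode())


# Constructed requests: (description, source IP, reverse-DNS name, token)
REQUESTS = [
    ("University user on a home ISP", "198.51.100.7", "cust7.isp.example",
     issue_token("alice")),
    ("Visitor on a campus lab host", "192.0.2.44", "lab44.dept.vt.edu", ""),
    ("Intruder on a compromised VT host", "192.0.2.90", "srv.dept.vt.edu",
     "mallory:00"),
]


def compare():
    """Return (description, address-based result, credential-based result)."""
    return [(d, allowed_by_address(ip, name), allowed_by_credential(tok))
            for d, ip, name, tok in REQUESTS]


if __name__ == "__main__":
    for desc, by_addr, by_cred in compare():
        print(f"{desc:36} address={by_addr!s:5} credential={by_cred}")
```

The address-based check rejects the legitimate off-campus user and admits both unauthenticated requests; the credential-based check does the opposite in all three cases.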

Public Access

A host that is used by a large number of people (e.g. in a lab) presents special problems. The system manager should ensure that there are access controls in place to be able to trace a particular activity back to the responsible party or to limit what can be done from the host.

Dynamic Host Configuration

It may be desirable to use dynamic host configuration (DHCP) in some situations. NI&S offers DHCP as a service on most of the network. DHCP pools are open, so all hosts connected to a DHCP network may obtain a lease via DHCP.

It is acceptable for a department to run a DHCP server so long as three things are done:

To keep your hosts from receiving a lease from the NI&S DHCP servers, you may set the DHCP client identifier or vendor class identifier to include NIS_IGNORE, or you may register your host's MAC address on our DHCP exclusion list. These steps are necessary should you wish to run your own DHCP server on a network with NI&S DHCP. A free DHCP server can be obtained from Internet Systems Consortium.

Dynamic DNS

NI&S operates a dynamic DNS service for special uses under the dynamic.vt.edu domain. Should you have an application that requires dynamic DNS, you should familiarise yourself with the nsupdate protocol and contact the hostmaster.

Acceptable Use

Acceptable Use Of Information Systems At Virginia Tech and a number of State and Federal laws describe allowable network and computer resource use. Incidents such as threatening e-mail or denial of service attacks often must be investigated by University personnel or law enforcement. It is important that the NL for a sub-domain know who the system manager is for all hosts in the sub-domain and pass along any information related to problems to that person. The system manager is expected to know who was using the host at a particular time or to be able to secure the host against unauthorized use. It is expected that the individual user responsible for problems can be found.

A typical case would be that an outside organization contacts NI&S to report network abuse. NI&S will pass this report along to the NL for the sub-domain of the machine and the NL will pass it along to the system manager. The system manager is expected to work with the original complainant and resolve the situation. Support is available from the Information Center and NI&S for some phases of this resolution.

In cases of persistent abuse that is not corrected, or on-going incidents, NI&S may shut off the connection to a host until the system manager corrects the problem.

References/Additional Information

Mailing lists

Mailing lists are a good source of information. Much like news groups, there are both local and international lists that cover useful topics. A local list that is probably worth subscribing to is TECHSUPPORT, which is the "support for support" list. You can subscribe here


Phil Benchoff, Eric C. Landgraf 2021-09-09