As part of the University's efforts to identify and mitigate risk to its networks and computing systems, potential issues with Caviness have been identified. It is necessary that we address those issues to balance risks versus users' ongoing access to and functionality of the cluster. The mitigations include:
Each is discussed in more detail below. IT RCI staff will be holding a town hall-style meeting from NOON to 1 P.M. on WEDNESDAY, NOVEMBER 5, in the Faculty Commons (116 Pearson Hall) ics. All in the Caviness community are invited to attend to discuss how these changes could affect work being done on the cluster.
IT-RCI staff thank the community for their understanding as we work to better-secure the clusters and protect their access and their research computing resources.
To harden protection of critical University computing systems, the University is seeking to HEAVILY-CONSTRAIN Caviness users' access to those systems by introducing a "block all" firewall policy on connections made FROM Caviness TO OTHER SYSTEMS on the University's campus network.
The DARWIN system has a similar policy already in-place by virtue of its being on a special network called the ScienceDMZ. The UD ScienceDMZ is not subject to the filtering and introspection that exists on other University networks and has a higher-bandwidth path to other institutions (Internet2). Logically:
The ScienceDMZ firewall policy WILL BLOCK ACCESS TO ON-CAMPUS SYSTEMS like license servers and other clusters — effectively any UD system a user connects to FROM Caviness. IT RCI and Security have been working to capture a list of such systems, but Caviness community members SHOULD TAKE TIME TO IDENTIFY ANY UD SYSTEMS THEY ACCESS FROM Caviness and contact IT RCI. Exceptions to the "block-all" policy will have to be negotiated with IT Security on a case by case basis by IT RCI and affected parties. All such exceptions are audited annually by IT Security and will be subject to review for renewal.
One security control widely-used today is multi-factor authentication (MFA). A username and password are still employed, but additional credentials are required to successfully authenticate. For Caviness, the additional credential is slated to include either of the following:
OR
IT-RCI is exploring MFA options and will provide the community further updates when a solution is chosen and a date for its implementation is planned.
For the duration of University IT's management of central HPC systems, HPC users with a UDelNet account have had their HPC username and password synchronized automatically with their UDelNet id and password. This presents the potential for compromise of that password to grant unauthorized access to BOTH HPC and University computing systems. To mitigate this risk, IT RCI will be making a policy change in the near future:
IT-RCI will provide a web portal for HPC users to reset the HPC password. Users will be asked to NOT reuse their UDelNet password as their HPC password.