2025-2026 Caviness Security Change

As part of the University's efforts to identify and mitigate risk to its networks and computing systems, potential issues with Caviness have been identified. It is necessary that we address those issues to balance risks versus users' ongoing access to and functionality of the cluster. The mitigations include:

• Caviness will be moved into a different network to isolate it from other campus computing systems
• Augment SSH username/password authentication with multi-factor authentication(MFA)
• HPC accounts for UD users will no longer synchronize with UDelNet passwords

Each is discussed in more detail below. IT RCI staff will be holding a town hall-style meeting from NOON to 1 P.M. on WEDNESDAY, NOVEMBER 5, in the Faculty Commons (116 Pearson Hall) ics. All in the Caviness community are invited to attend to discuss how these changes could affect work being done on the cluster.

• IF YOU PLAN TO ATTEND, please email it-rci-info@udel.edu to let us know.

• IF YOU CANNOT ATTEND AT THAT TIME but have concerns, please email it-rci-info@udel.edu so IT-RCI can include you in any follow-up meetings that are scheduled.

IT-RCI staff thank the community for their understanding as we work to better-secure the clusters and protect their access and their research computing resources.

To harden protection of critical University computing systems, the University is seeking to HEAVILY-CONSTRAIN Caviness users' access to those systems by introducing a "block all" firewall policy on connections made FROM Caviness TO OTHER SYSTEMS on the University's campus network.

The DARWIN system has a similar policy already in-place by virtue of its being on a special network called the ScienceDMZ. The UD ScienceDMZ is not subject to the filtering and introspection that exists on other University networks and has a higher-bandwidth path to other institutions (Internet2). Logically:

• External-facing Caviness network interfaces will be MOVED TO THE ScienceDMZ to effect the necessary "block-all" firewall policy AND improve bandwidth and latency w.r.t. other institutions

The ScienceDMZ firewall policy WILL BLOCK ACCESS TO ON-CAMPUS SYSTEMS like license servers and other clusters — effectively any UD system a user connects to FROM Caviness. IT RCI and Security have been working to capture a list of such systems, but Caviness community members SHOULD TAKE TIME TO IDENTIFY ANY UD SYSTEMS THEY ACCESS FROM Caviness and contact IT RCI. Exceptions to the "block-all" policy will have to be negotiated with IT Security on a case by case basis by IT RCI and affected parties. All such exceptions are audited annually by IT Security and will be subject to review for renewal.

One security control widely-used today is multi-factor authentication (MFA). A username and password are still employed, but additional credentials are required to successfully authenticate. For Caviness, the additional credential is slated to include either of the following:

• The system attempting to SSH to Caviness is on the UD campus network (including UD VPN)

OR

• Solicitation of a second passcode (e.g. a push notification)

IT-RCI is exploring MFA options and will provide the community further updates when a solution is chosen and a date for its implementation is planned.

For the duration of University IT's management of central HPC systems, HPC users with a UDelNet account have had their HPC username and password synchronized automatically with their UDelNet id and password. This presents the potential for compromise of that password to grant unauthorized access to BOTH HPC and University computing systems. To mitigate this risk, IT RCI will be making a policy change in the near future:

• UDelNet ids will continue to be used for HPC accounts; when a user changes his or her UDelNet id, that change will continue to automatically be applied to the HPC account

• UDelNet passwords will NO LONGER BE SYNCHRONIZED with HPC accounts; a user's HPC account password will be distinct

IT-RCI will provide a web portal for HPC users to reset the HPC password. Users will be asked to NOT reuse their UDelNet password as their HPC password.