| Both sides previous revision Previous revision Next revision | Previous revision |
| abstract:caviness:security-changes-2025 [2025-10-20 12:15] – frey | abstract:caviness:security-changes-2025 [2025-10-20 16:32] (current) – [2025-2026 Caviness Security Change] anita |
|---|
| As part of the University's efforts to identify and mitigate risk to its networks and computing systems, potential issues with Caviness have been identified. It is necessary that we address those issues to balance risks versus users' ongoing access to and functionality of the cluster. The mitigations include: | As part of the University's efforts to identify and mitigate risk to its networks and computing systems, potential issues with Caviness have been identified. It is necessary that we address those issues to balance risks versus users' ongoing access to and functionality of the cluster. The mitigations include: |
| |
| * Augment SSH username/password authentication with multi-factor authentication ([[abstract:caviness:security-changes-2025#mfa|MFA]]) | |
| * [[abstract:caviness:security-changes-2025#hpc-passwords|HPC accounts]] for UD users will no longer synchronize with UDelNet passwords | |
| * Caviness will be moved into a different [[abstract:caviness:security-changes-2025#network-changes|network]] to isolate it from other campus computing systems | * Caviness will be moved into a different [[abstract:caviness:security-changes-2025#network-changes|network]] to isolate it from other campus computing systems |
| | * Augment SSH username/password authentication with [[abstract:caviness:security-changes-2025#mfa|multi-factor authentication]](MFA) |
| | * [[abstract:caviness:security-changes-2025#hpc-passwords|HPC accounts]] for UD users will no longer synchronize with UDelNet passwords |
| |
| Each is discussed in more detail below. IT RCI staff will be holding a town hall-style meeting at **NOON - 1PM on WEDNESDAY, NOVEMBER 5**, in the Faculty Commons (116 Pearson Hall). All in the Caviness community are invited to attend to discuss how these changes could affect work being done on the cluster. | Each is discussed in more detail below. IT RCI staff will be holding a town hall-style meeting from **NOON** to **1 P.M.** on **WEDNESDAY, NOVEMBER 5**, in the Faculty Commons (116 Pearson Hall) {{:abstract:caviness:it-rci-caviness-security-changes.ics|ics}}. All in the Caviness community are invited to attend to discuss how these changes could affect work being done on the cluster. |
| |
| * **IF YOU PLAN TO ATTEND**, please email [[it-rci-info@udel.edu?subject=Caviness%20town%20hall|it-rci-info@udel.edu]] to let us know. | * **IF YOU PLAN TO ATTEND**, please email [[it-rci-info@udel.edu?subject=Caviness%20town%20hall|it-rci-info@udel.edu]] to let us know. |
| |
| |
| IT RCI staff thank the community for their understanding as we work to better-secure the clusters and protect their access and their research computing resources. | IT-RCI staff thank the community for their understanding as we work to better-secure the clusters and protect their access and their research computing resources. |
| |
| ==== MFA ==== | ==== Network changes ==== |
| | |
| | To harden protection of critical University computing systems, the University is seeking to **HEAVILY-CONSTRAIN** Caviness users' access to those systems by introducing a "block all" firewall policy on connections made **FROM** Caviness **TO OTHER SYSTEMS** on the University's campus network. |
| | |
| | The DARWIN system has a similar policy already in-place by virtue of its being on a special network called the ScienceDMZ. The UD ScienceDMZ is not subject to the filtering and introspection that exists on other University networks and has a higher-bandwidth path to other institutions (Internet2). Logically: |
| | |
| | * External-facing Caviness network interfaces will be **MOVED TO THE** ScienceDMZ to effect the necessary "block-all" firewall policy AND improve bandwidth and latency w.r.t. other institutions |
| | |
| | The ScienceDMZ firewall policy **WILL BLOCK ACCESS TO ON-CAMPUS SYSTEMS** like license servers and other clusters — effectively any UD system a user connects to **FROM** Caviness. IT RCI and Security have been working to capture a list of such systems, but Caviness community members **SHOULD TAKE TIME TO IDENTIFY ANY UD SYSTEMS THEY ACCESS FROM** Caviness and contact IT RCI. Exceptions to the "block-all" policy will have to be negotiated with IT Security on a case by case basis by IT RCI and affected parties. All such exceptions are audited annually by IT Security and will be subject to review for renewal. |
| | |
| | ==== Multi-Factor Authentication ==== |
| |
| One security control widely-used today is multi-factor authentication (MFA). A username and password are still employed, but additional credentials are required to successfully authenticate. For Caviness, the additional credential is slated to include either of the following: | One security control widely-used today is multi-factor authentication (MFA). A username and password are still employed, but additional credentials are required to successfully authenticate. For Caviness, the additional credential is slated to include either of the following: |
| **OR** | **OR** |
| |
| * Solicitation of a second passcode (e.g. six-digit code, push notification) | * Solicitation of a second passcode (e.g. a push notification) |
| |
| IT RCI is exploring options with respect to the second passcode and will provide the community further updates when a solution is chosen and a date for its implementation is planned. | IT-RCI is exploring MFA options and will provide the community further updates when a solution is chosen and a date for its implementation is planned. |
| |
| ==== HPC passwords ==== | ==== HPC passwords ==== |
| * UDelNet ids will continue to be used for HPC accounts; when a user changes his or her UDelNet id, that change will continue to automatically be applied to the HPC account | * UDelNet ids will continue to be used for HPC accounts; when a user changes his or her UDelNet id, that change will continue to automatically be applied to the HPC account |
| |
| * UDelNet passwords with **NO LONGER BE SYNCHRONIZED** with HPC accounts; a user's HPC account password will be distinct | * UDelNet passwords will **NO LONGER BE SYNCHRONIZED** with HPC accounts; a user's HPC account password will be distinct |
| |
| IT RCI will provide a web portal for HPC users to reset the HPC password. Users will be asked to NOT reuse their UDelNet password as their HPC password. | IT-RCI will provide a web portal for HPC users to reset the HPC password. Users will be asked to NOT reuse their UDelNet password as their HPC password. |
| | |
| ==== Network changes ==== | |
| | |
| To harden protection of critical University computing systems, the University is seeking to **HEAVILY-CONSTRAIN** Caviness users' access to those systems by introducing a "block all" firewall policy on connections made **FROM** Caviness **TO OTHER SYSTEMS** on the University's campus network. | |
| | |
| The DARWIN system has a similar policy already in-place by virtue of its being on a special network called the ScienceDMZ. The UD ScienceDMZ is not subject to the filtering and introspection that exists on other University networks and has a higher-bandwidth path to other institutions (Internet2). Logically: | |
| | |
| * External-facing Caviness network interfaces will be **MOVED TO THE** ScienceDMZ to effect the necessary "block-all" firewall policy AND improve bandwidth and latency w.r.t. other institutions | |
| | |
| The ScienceDMZ firewall policy **WILL BLOCK ACCESS TO ON-CAMPUS SYSTEMS** like license servers and other clusters — effectively any UD system a user connects to **FROM** Caviness. IT RCI and Security have been working to capture a list of such systems, but Caviness community members **SHOULD TAKE TIME TO IDENTIFY ANY UD SYSTEMS THEY ACCESS FROM** Caviness and contact IT RCI. Exceptions to the "block-all" policy will have to be negotiated with IT Security on a case by case basis by IT RCI and affected parties. All such exceptions are audited annually by IT Security and will be subject to review for renewal. | |
| |