Network Security
Frequently Asked Questions
- Q: How will the enhanced security affect me?
- A: For most users of desktop computers the primary effect
will be an improvement in security. However:
  - If you are accessing UVM servers from outside UVM and are not
  currently using encryption-capable
  client software for Web, email and telnet access, you will
  need to upgrade the software prior to July 1, 2002. Ultimately,
  this software will also be required to access computers from
  within UVM.
  - If you have configured email, FTP, Web and other server
  software on your computer, those services will no longer be
  accessible from outside the University unless you waive the
  default firewall protection. Note that
  in order to waive protection, you must agree to maintain
  normal security precautions, be
  available to address security issues related to your server, and
  have the approval of your department or college's management.
- Q: Can I still use my desktop computer for my personal Web
page?
- A: Yes, but it will not be accessible from outside UVM. If
you wish to have Web pages accessible from outside of UVM, you
should use a server with security class 2, 3 or 4. Web space on
www.uvm.edu is available to every UVM student and employee. An
account on the Zoo cluster is necessary to use the Web space.
- Q: My department runs our own Web server and we have a
knowledgeable systems administrator who ensures that the
server is secure and up-to-date. We understand the security
risks, but nonetheless need the server to be accessible from
outside of UVM. What do we need to do?
- A: The server administrator should send email to the security
team requesting a firewall
waiver.
- Q: I am responsible for a server my department bought for
us a couple of years ago. We set it up with Web, email, Telnet,
FTP and other services enabled for our convenience. We don't have
funding for a professional systems administrator and no one in our
department has time or inclination to keep up with operating
system maintenance or security alerts. Will this change in network
security affect us?
- A: Yes. Your system, which is currently almost certainly
vulnerable to attack, will receive a much higher level of firewall
protection. Without appropriate system
administration, a firewall waiver will not be granted.
Systems such as the one you describe have been among the most
likely to be compromised and subsequently used to attack other
computers (within and without UVM) and compromise the security of
our entire network.
- Q: We can get along without the off-campus access to our
email, FTP and Telnet server, but we don't have time to move our
Web pages to www.uvm.edu (and we aren't sure they would function
properly without some work). Can we waive just the Web server
protection?
- A: Yes, if Web security can be satisfactorily maintained.
Although Web servers are also a source of security penetrations
and routine systems administration is still required, the burden
is much less if the other vulnerable protocols have been turned
off. Your manager may be willing to support the lower amount of
time it will take to secure a Web-only environment.
- Q: What kind of help can I expect from CIT?
- A: CIT will manage the firewall and the VLANs. CIT will
maintain this Web site and the Security list, sharing information
on important security matters. CIT will regularly scan systems in
security classes 2-4 for vulnerabilities. However, CIT, despite
declining resources, is already devoting considerable effort to
this matter and is not able to provide direct assistance with
system administration or system recovery for departmental systems.
However, the Engineering & Mathematics (EM) Computing Facility
may be available for such assistance on a contract or time and
materials basis.
- Q: What if my unprotected server is hacked into?
- A: We expect these security measures to reduce, but not
eliminate, that risk. The first step will be to remove it from the
campus net and report the intrusion. A compromised server
threatens every host on the net. Before the server can be
reestablished, the assigned systems administrator will need to
reconstruct the server. If the break-in is discovered by CIT (or
someone whose system is being attacked by the compromised server)
and the assigned systems administrator is not available to address
the problem, the system will be isolated to protect the campus
network.