IT@Brown: News & Resources

An audio recording of this meeting is available here.

Announcements – Chris Grossi

We’re down to two weeks left for the Symantec Antivirus license. CIS is tracking and running reports of machines that are still contacting the SAV server. ISG has sent reminders to departments that have many remaining SAV clients. We need to get full migration completed by the end of March to both ensure active and current client security, and to be in compliance with our licensing agreements and protect Brown from a license audit and penalties.

CIS has been working with SAS to extend licensing across campus, they are close to being ready to un-key SAS licensing. Standalone SAS will be available to departments before the end of the semester. Anyone using a keyed installation of SAS will need to uninstall their preior version and reinstall the new unkeyed version. Students are included in the licensing and can install SAS on their own computers.

By the end of this patch cycle, Windows machines managed in the CIS SCCM system will have their Microsoft updates managed by SCCM.

As part of Brown’s Dell contract, Dell will be running a Recycling Day on Friday 20 April (Earth Day weekend) to allow Brown-owned and personal equipment to be dropped off for recycling. Details are still being worked out, look for more information from CIS soon.

Qualtrics Online Survey Platform

Representatives of Qualtrics, a commercial service offering very high-quality hosted online survey building, deployment, and reporting, presented their platform. Their core features are:

• Sophisticated surveys made simple (built by a PhD survey researcher)
• 86 question types
• Advanced logic available
• Provides University control. delegated administration
• FERPA. IRB, PHI, HIPAA compliance – SSAE 16 Certified
• University owns the data
• Collaboration available with other researchers in the world even if they don’t have Qualtrics at their institution
• Extensive training and documentation both in using the service and in general research survey design

If you have any questions about the features and benefits of Qualtrics, feel free to contact Ryan Jackson, their representative, at ryanj@qualtrics.com.

CIS is looking for feedback to see who else in the University would be interested. Send your feedback to Stephanie_Obodda@brown.edu. If you have direct feedback regarding the usefulness of Qualtrics to your department, you can also complete the CIS survey that is collecting departmental interest in the platfom.

Doug Wilkinson – CIS Network Technology Group (NTG)

NTG is comprised of:

• Network Security
• Network Engineering
• Network Operations

Any network tickets should be assigned to the Network Operations group, they triage and reassign as needed.
CommOps remains unchanged, still handle dead ports, tap requests, etc.
Projects update:

• Internet Border to OSHEAN – upgrading infrastructure to prepare for a future migration from redundant 1G to redundant 10g
• 5400 firewall decommission, reaching out to departments who are behind these obsolete devices
• NSZ moves
• PBX and SIP upgrade, now complete. SIP features and phones are in testing and will be deployed in new projects in the near future.

Doug’s slide deck is available here.

An audio recording of this meeting is available.

Announcements – Pat Kinghorn

Next week’s TechForum meeting (Wednesday 21 Sept 2011) is focused on FileMaker Go. Our new FileMaker technical rep will be here doing a demo. Also, Brown is leading the creation of global higher-ed FileMaker listserv. If you’re interested, contact Pat Kinghorn.

Next month’s DCC meeting will be held in the List Art Center, room 110.

Announcements – Chris Grossi

We all got through the Back-to-School rush pretty well; it was as quiet a BTS period as in the last 10 years. The Cloudpath wifi auto configuration service was a big part of that: 2450 people auto-configured the Brown-Secure SSID since 8/30. Walk-ins were down 50% at Help Desk, as there was no need for walk-in wifi configuration.

Banner’s recent ‘Error 404’/cookie problems were been patched on Monday. If anyone has further troubles, contact Help Desk.

Tom Flood from Facilities is making a bulk purchase of Dell laptops and desktops – if you want to join in contact Tom immediately.

AV migration is coming along … CIS is testing a ForeFront installer. They are assembling a steering committee to manage the migration project. More information is coming soon, please contact Pat Kinghorn if you’re interested in participating.

Software Services release EndNote X5 for Windows immediately. EndNote X5 for Mac is waiting for receipt of installation media from the vendor, and will be released within a month. X4 is available directly in a pinch, but does not work on Lion.

CIS is still planning to formally support Office 2010 in October.

In the past, Help Desk has had Windows XP and Windows 7 licenses available for student use via MSDN-AA, but these have been discontinued by Microsoft starting this semester. CIS is working with interested parties to determine ways to address this.

CIS will be sending a survey regarding the software portfolio to the campus later this month. This is intended to identify stakeholders for software licenses and establish best practices for long-term management of our software portfolio.

Also, CIS released a wifi survey by Morning Mail and hopes to have a good response rate. Please solicit responses to this survey from your department members.

The top half of the 128.16.128.0/24 subnet has been converted from ResNet to part of the admin network. Correction: The 138.16.128.0/17 subnet is now being used for staff/admin networks. Departments running local firewalls may need to adjust their rulesets.

David Sherry – All Things ISG

PowerPoint deck available

ISG has a staff of 4 including CISO, handling all information security, not just IT.

State of the Information Security Union at Brown:

• Staffing: Now hiring for an additional IT Security Engineer

• Network Security Zone (NSZ) moves continuing – still working with departments who ask for it, not mandated at this time

• Scanning service maturing

• Deeper involvement with privacy, records, compliance, and identity (governance)

• Increasing tickets and DMCA notices

• National Syber Security Awareness Month

• “Securing the Human” being prepped – Video awareness campaign from SANS

Ran an external scan by Dell/SecureWorks for auditing purposes. Full report due Friday 16 Sept. 2011. No urgent or critical vulnerabilities were found.

“There are many, many vulnerabilities that can be removed by simply patching the software on systems, and/or upgrading the software to its latest version.”

Google Security

New infrastructure transition last July, many users complained about ‘new’ terms of service allowing administrator access, which was not new at Brown.

Google Image Search malware attacks are getting shut down by Google as best they can. It seems that few people actually got infected by these.

Vanity attacks via Google News alerts – spear phishing. Usually targets high-ranking officials, CEOs, etc.

Virus Proliferation

Phishing and link attacks are growing. Smartphone attacks are coming soon. Increase in attacks on Macs as well, as market share grows.

VPN Status

The new F5 VPN (SSL and Fat Client released) was released as a soft launch on 8/18 and a full launch on 9/12. The obsolete Cisco VPN will be decommissioned on 10/31. ISG is working with Hospital technical staff and other affiliates to iron out bugs and ensure continuity.

Protecting PII

Identity Finder, an automated tool to find personally-identifiable information on your own computer, is targeted for implementation by 10/14/11. If you want to try it at home you can get to at the Identity Finder website.

Guardian Eagle laptop encryption is targeted for 11/23/11 with 1000 licenses to start. Implementation will be targeted at known users of confidential/PII data. ISG is also working on server PII discovery using Veronas.

Firewall Thoughts

Current core firewall servers are aging, ISG is targeting replacement just after commencement next year. They are looking into next generation equipment that moves beyond port-based security for content, user, and application security.

Other Projects

Enterprise Certificates through Comodo: SSL certificates will be available in any number we need, including personal certificates. This should become available before Spring 2012.

Eduroam – new SSID for cross-institutional use by all members of Eduroam (3700 schools in the world, 3600 are in Europe). Login to wifi at participating institutions using your Brown credentials; visitors from other Eduroam universities can login to wifi at Brown with their home credentials.

Brown will soon be archiving mail using Postini for staff members at level 12 or above, for the purposes of data retention and retrieval for legal records.

Coming soon: terminal server for vendor access; developing Domain Trust Security Guidance.

Announcements, Chris Grossi:

Dell’s Premier page will soon have profiles available with the Latitude 6420 laptop and Optiplex 790 Desktop. The 790 will have a standard Brown image available shortly, and the Windows deploy image on the CIS deploy server is already compatible with the 790. The 6420 is also supported from the deploy server, and the 6320 will be supported soon. The 6410/6310 laptops are at end-of-life from Dell and are going away.

CIS is forming a working group to determine the structure and updating of the standard image applied from the CIS deploy server and available on standard Dell models. There will be an announcement made soon to recruit a DCC and a Sysadmin to collaborate on this group. Meetings will start monthly and move to quarterly.

We now have a site license for Matlab at Brown, this will be announced soon on Morning Mail. We will be able to distribute Matlab differently, perhaps downloading it directly from Mathworks. More information will be sent as available.

Microsoft Windows Server 2003 and Server 2008 are now included in the Microsoft campus license agreement at Brown. Nobody should buy licenses for these products going forward. SQL Server, Terminal Server, and other specialist server products are not included.

Security Updates, David Sherry, Information Security Group (ISG):

An SSL VPN from F5, the replacement for our current Cisco VPN, is now available for testing. It is not quite ready for primetime but it does offer support for multiple platforms, including Windows, Mac, and Linux, plus iOS devices. The F5 VPN can also scale up to many more users than our current Cisco VPN infrastructure.

Rather than installing a client application, the VPN is accessible by starting a web browser and visiting http://vpn.brown.edu. Users will login with their Brown shortID and password. On first use, a small applet installs a ‘shim’, checks for appropriate antivirus/patchlevels, and connects to Brown’s network for all traffic. iOS users should download the free F5 app from the App Store. Configuration help is available at . Android support is expected soon.

Remote Desktop is available via the F5 VPN, just keep your authenticated browser session open.

All are invited to try it out from multiple locations (including on campus) and devices, and report problems, particularly in accessing admin-level areas of the Brown network, to isg@brown.edu. There is also an SSLVPN Google Group you can join if you want to participate in discussions.

The F5 VPN is scheduled for deployment in Fall 2011.

David’s presentation slides are available at the internal DCC page.

Also, there is progress moving towards offering a managed full-disk encryption solution from Symantec for institutional laptops by September 2011. More news to come.

Network Update, Doug Wilkinson, Network Technology Group (NTG):

Doug gave an extensive presentation on practical details of upcoming upgrades and changes in the network design at Brown. Some key points:

• All computers using static DNS entries to 128.148.128.9, 128.148.128.11, and/or 128.148.128.130 should be modified to either a DHCP IP/DNS configuration, or a static DNS entry for 10.1.1.10. There is no second IP number needed as 10.1.1.10 resolves to multiple redundant servers using anycast. The former DNS servers will be retired soon, so don’t wait. NTG can provide a report of IP numbers on your subnet currently still hitting the old DNS server so you can track them down.
• Reserved DHCP numbers will continue to be recommended for fixed assets such as servers and printers, but subnets can be moved toward using Dynamic DNS to provide stable names to client machines (for remote desktop, for example) rather than stable IP numbers. See NTG for more detail.

Doug’s full presentation slide deck is available at the internal DCC page.

Pat commenced the DCC meeting with sincere thanks to all the many qualified DCC’s who submitted their names to volunteer within the DPRM group led by David Sherry and the IT leaders group headed up by John Spadaro. Pat stated that the choice was a difficult one because there are so many qualified applicants among the system administrators and DCCs on campus. Jackie Newcomb and Julia Frizzell were selected to work within David Sherry’s DPRM group and Margaret Doll and Don Rogers will be assisting John Spadaro in the IT leaders group. Pat encouraged those persons who expressed an interest in serving these groups that there would be many future opportunities for their help.

Chris Grossi then addressed the group with some brief announcements. He first stated that the VPN connection to Adobe CS4 was shut off on February 28th. Chris mentioned that the Adobe product usage levels out to approximately 70 concurrent uses, but they have sometimes spiked as high as 110-120. Geoff Greene was to meet with a group of executives at Adobe to negotiate licensing costs.

The MatLab license dilemma is still in the process of being resolved. A solution to this problem is hoped for with increased funding for more licenses. The optimal resolution would be for a site license, however, the cost of this might be prohibitive. Chris demonstrated the peak use of MatLab through the course of a two week period, showing the DCCs a graph revealing the crash that happened during vacation week. It was determined that heavy simultaneous demand in multiple departments such as Computer Science, CLPS, and Applied Mathematics were the ultimate cause of the crash that occurred. It was not known that so many courses would have need of so many licenses. Given the need for MatLab, there is no dispute that something proactive must be done to address the campus needs. Since a site license is approximately an additional $20 – $25K annually, it would be too big of a burden for the CIS budget. It is hoped that grant support can be obtained, and to this end, Clyde Bryant has been informed of the shortage and OVPR’s help has been sought. Chris stated that he hopes those departments who use MatLab prolifically might be able to allocate some department or grant monies to the purchase of more licenses. Recently, more licenses were purchased by CIS and Computer Science, however at 375 concurrent copies being implemented it is apparent that unless a site license is purchased or more individual licenses are procured, this resource will continue to run into difficulties.

Chris then mentioned that some migrations from Novell department files services to the new Windows file services have been accomplished, with still more underway.

There are upcoming ITSC training sessions available.

Chris introduced some interesting facts which can be found on the Dell Premier site and encouraged us to contact Christine_Stewart@dell.com for information regarding custom quotes and standard specs. He also mentioned that when a user name and login are established, one is able to view their recent order and status. In addition, Geoffrey Greene and Tony DeGregorio have formed a working group for the purpose of ascertaining what are the optimal specifications for Brown computing at the best prices, with the goal fixed toward standardizing computing resources on campus.

The question was raised if Lo-Jack software could be added to the standard image. David Sherry mentioned that if he had to decide between Lo-Jack and encryption he would choose encryption, since the cost of potential loss of data would be exponentially greater than the loss of a single machine. Reference was also made regarding the periodic laptop engraving that is offered by Police and Security. Normally Morning Mail announces where and when the next engraving will take place.

Stephanie Obodda then took the floor and spoke about Google’s future plans for merging Google Apps for Education with Google Consumer Apps. Those of us who use personal Gmail accounts are already familiar with Google’s Consumer Apps such as Picasa and Maps. This merger will also enable users to log into either their personal Gmail or Brown Gmail from a single login window. Some potential conflicts arising from account names are anticipated, and solutions are currently being reviewed. Stephanie also mentioned that Consumer Apps would not be fully supported by the HelpDesk.

Ken DeBlois was next on the docket with a brief presentation about the progress of BrownSites. Sites are currently being migrated to the Drupal content management system. Among them are Admissions, OVPR, the Graduate School, BioMed, and Classics. There exists a Wiki describing Brown Sites which can be found here. In addition there is a BrownSites pilot website that users can browse through, in order to gain more information and practice. The BrownSites demo page gives many benefits which I have copied here.

BrownSites:

• Is Web-based. You don’t need special software; it works with any web browser.
• Looks and Feels like the new Brown University website.
• Allows for use of Multimedia.
• Pulls in Calendar Events from events.brown.edu.
• Shares News with an optional news feed: let users subscribe to your news.
• Has Public & Draft modes: preview changes instantly, publish when ready.
• Tracks Page Revisions. Revert back to a previous page versions easily.
• Has Roles for Reviews, Contributors, and Editors. Make colleagues “Contributors” to draft content, “Reviewers” to see drafted content, or “Editors” to publish updates.
• Core files are Upgraded and Maintained regularly by the Web Services team. No need to upgrade software, Web Services does it!
• Gains New Features regularly.
• As Web Services rolls out new widgets, modules, and features, they’ll be available to sites.
• Has Flexibility and Robustness to Customize.
• You can contract Web Services to add online directories, resources, applications, slideshows, and almost anything you can dream up to your site.

There are three roles for those who are responsible for departmental webpages: (1) Reviewer (2) Contributor, and (3) Editor. The reviewer has the right to view the pages and the Contributor has the privilege of drafting contents, but the Editor is solely responsible for the actual publication of the pages.

Web services desires to work closely with departments who seek to migrate their webpages. For more involved features and customizations there is a charged fee.

The final presentation was given by Scott Martin regarding the DNS service switchover which is to occur by June 30th. As a part of the network redesign project, Brown has moved its primary DNS services to a private IP number. Any computers configured to obtain IP addresses dynamically via DHCP will not need any changes. Any computers with static numbers should be updated to use this DNS server address: 10.1.1.10. This is an anycast address that fails over to multiple servers, so there is no need for two separate DNS server entries.

The previous DNS servers at 128.148.128.9, 128.148.128.11, and 128.148.128.130 are to be phased out, most likely by June 30th. More information will be coming soon, but all departments should begin reconfiguring any statically-numbered computers to use the new server address.

Update: CIS has released a detailed Morning Mail message with a full summary of the changes in Adobe licensing.

Petteruti Lounge, Faunce House

Audio recording of the meeting available.

ANNOUNCEMENTS – Chris Grossi, CIS

Adobe CS5 installers have been released on February 7 on the CIS Software site (Windows & Mac). Due to new license agreements, CS5 cannot be downloaded by students. Faculty and staff will be able to run CS5 off-campus using the Brown VPN.

VPN and campus residential networks will no longer support running CS4 after February 25. If any faculty or staff want to run the CS suite via VPN after this date, they must upgrade to CS5.

Office 2010 for Windows and Office 2011 for Mac are now available for installation. These versions are not compatible with Brown’s licensed version of EndNote X3. Users of EndNote X3 should not upgrade Office at this time.

CIS is piloting Cloudpath, a web-hosted solution to easily configure Brown-Secure wifi access on Mac OS X/iOS/WinXP/Vista/Win7/Android devices. Testing is ongoing at the moment, Android devices in particular are not yet working as expected with this service. Cloudpath hopefully will move into production soon; more information to come.

Some early migrations from Novell department file services to the new Windows file services have begun, including Public Safety and CIS. Departments using Novell services will be contacted to schedule migration times.

SPSS19 will be released this month. CIS encourages all SPSS users to upgrade as early as possible, particularly users of SPSS 16 which may need to be removed from Brown’s license servers by June 2011.

Dell should have the new Brown-specific Windows 7 disk image soon to offer on new PC purchases of standard models.

Matlab is being utilized very heavily this semester. It is up against the limit of the 295 licenses that Brown currently holds. This is being analyzed to find the best way to manage availability.

ADDITIONAL ANNOUNCEMENTS – Pat Kinghorn, CIS, DCC Liaison

The Computer Store has a deal with Apple through March 20. Through this time, if we can aggregate purchases of Apple hardware in batches of 30 pieces or more, we will get a 4% discount. Contact Pat or the Computer Store if you are interested.

PRESENTATION – Mike Pickett, CIO

Mike presented on a variety of topics, with emphasis on the updated IT Strategic Plan, the recent governance audit, and a newly-forming IT Leaders Council. Slide decks available. This group will help make/influence IT decisions and ensure that central and departmental IT efforts are coordinated where useful. More information is available in the slide deck. Mike has asked the DCC community to provide a representative to this group. Interested individuals should contact Pat Kinghorn by Friday February 25.

Rhode Island Hall

ANNOUNCEMENTS – Chris Grossi, CIS

Marc Doughty in CIS Software Services completed the setup of all USB keys intended for automated Windows 7 installations that were provided by DCCs at the previous meeting; these have been returned by campus mail. Please provide any feedback while using them to Software_Services@brown.edu.

The Novell-to-Windows File Services migration project is rolling towards implementation, more information will be presented in January. For now, it will be useful for those departments using Novell-hosted files to ‘clean house’ within their files where possible; a smaller amount of data will make for simpler migration.

The Google Transition project is winding down and has been very successful. The recent migration from Brown’s internal MX to Google’s went smoothly. There are still a few legacy Proofpoint digests popping up here and there; this is thought to be due to spammers caching Brown’s former MX, where Proofpoint is still operating for now.

The Google Apps Steering Committee will soon be re-tooled to serve as an ongoing advisory/governance group to direct the adoption and support of the many Google Apps services that are becoming available, such as Picasa, Google Earth, and others. If you are interested in serving on this body, please contact Geoffrey_Greene@brown.edu.

Office 2010 for Windows and Office 2011 for Mac will be released formally in the early Spring semester, most likely in February. If you need access the the installers for these applications before that time, please contact Software_Services@brown.edu.

Adobe Licensing is in a state of transition as CIS has recently learned that the existing Brown license does not allow students to run Brown-licensed Adobe commercial software such as Acrobat Pro and CS4 on personally-owned computers. CIS is very aware of the importance of these products to students and others at Brown, and are doing everything they can to work out the best solution to bring Brown’s use of these products into compliance with the licensing agreement, and preserve access where possible. Many details still remain to be worked out, but as early as Spring 2011 students may need to run these applications from a commercial student license, which is more affordable than full commercial prices, but still is not free.  Students are and will continue to be able to run Adobe products on Brown-owned computers in computing labs and clusters.  CIS will send additional communications to the community throughout  December and January.

Dell representatives presented their roadmap of the Latitude and Optiplex model lines, as well as some information about their consumer tablets and other devices.

Our new Dell outside sales representative is:

And our Dell Technical Contact is:

(Audio recording is available)

Reminder: ISG is running an interactive educational campaign through October, with a ‘Don’t Be the Fall Guy’ theme. Look for the safety signs as they move to different locations across campus and report their location online for a chance at winning an iPod and other prizes.

SAS 9.2 for Windows has just been made available. There is a short time to upgrade before 9.1 expires.
Updates for Acrobat Pro will be released by CIS soon; there have been many vulnerabilities patched recently but it takes time to package these with proper Key Server modifications.

Chris Grossi (CIS) presented an extensive update on the Google Migration project. His full slide deck is available for download.

Highlights:

• All active users are now moved off Exchange. The Exchange server will likely be shut down in early November. Some users have been moved to Google without yet opting in and will no longer receive new mail in the Exchange environment. (These are mostly people who rarely or never check email.) These users will need to contact CIS Help Desk when they want to enable their Google password and continue to access their mail.
• People continuing to use Outlook to access old PSTs without migrating to new user profiles or GASMO will need to switch Outlook to ‘offline’ mode after the Exchange server is shut down to continue accessing Outlook, or create a new profile connected to their PSTs without attempting to get new mail from the obsolete Exchange server.
• The MX record for Brown is planned to be moved to Google at the end of December. With this change Brown will be able to shut down its Proofpoint services in favor of anti-spam/anti-malware services at Google. CIS will continue to run a raw local SMTP server to handle automated message sending from reporting systems and dumb devices, but this will likely require registration of known connections that will need to continue to use it. Contact John Spadaro with questions.
• Currently Gmail allows 25MB messages (including attachments), but Proofpoint constrains message size to 15MB instead. After the move of our MX records and decommissioning of Proofpoint, messages will be able to be the full 25MB that Google supports.
• Exchange-enabled AD groups have been converted to Google Groups, more managers of these groups need to be identified. Management of groups can be delegated as needed to department IT or admin staff, contact Computing Accounts & Passwords (CAP) for more information.

Stephanie Obodda and Ken DeBlois spoke at length to present the emerging Brown IT Service Catalog, which has undergone some substantial usability testing and is close to being released.