Network changes for self-managed machines

As you’ll all be aware, the University is tightening up on network security in response to outside threats.    Within Informatics we have also been looking at ways to improve our security, and one area we have identified is that of self-managed machines in offices.

For many years we have provided network ports in offices and other “closed” areas, configured so that any machine connected to them is given an IP address, without the need to register in advance.  (We can do this because our network monitoring tools provide an audit trail linking the machine’s address with the port where it has been used.)  As well as allowing access to the rest of the University and beyond, this has given mostly-unrestricted access to internal Informatics resources.  It is this latter feature which is now under review.

Since we do not know how the machines using these ephemeral connections are configured and maintained, it has been concluded that it is now unacceptably risky to allow this unrestricted access to continue.  On a date to be announced, therefore, the configuration of the Informatics firewall will be changed so that these machines move from our “inner ring” to our “outer ring”.  They will still be protected against threats from outside Informatics, but our core systems will be protected against potential threats from them.

The effect you will see on one of these self-managed machines will be as follows:

  • You will still receive a dynamically-allocated address for your machine.
  • You will have the same access to the rest of the University and beyond as you do now.
  • However, you will only have access to internal Informatics resources if they have explicit firewall arrangements in place to allow this access, or you connect through one of our login servers or use OpenVPN.  This is essentially the same level of access that you would have if you were using the University’s wireless service.

If you have any access pattern which you think might be affected by this change, please submit a support request.  We can then look at it and then either make a firewall change or advise on alternative access methods.


This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply