EdLAN replacement: next steps

The project to replace EdLAN reached another milestone recently, with the completion of the migration of all subnets away from the old EdLAN core routers across to the new EdLAN distribution routers.  There’s now some tidying-up to be done, and the parts which might affect us in Informatics are scheduled for Tuesday 23rd.

Specifically, some static “summary routes” were added at the beginning of the project, the effect of which was to tell new-EdLAN to send any packets which it didn’t otherwise know how to route to old-EdLAN to be handled there, the intention being to make the migration process as straightforward as possible.  That’s no longer required, so these summary routes now need to be removed.

This affects us in Informatics, because we currently rely on those summary routes to arrange that our traffic to the rest of the University flows smoothly.  Back when we were first arranging the networking for the Informatics Forum we set up OSPF peering with the (old) EdLAN routers to allow us to exchange routing information.  That’s still in place, so our traffic to the rest of the University goes via the old-EdLAN routers.  (We have separate BGP peering with the new-EdLAN routers, and traffic to the rest of the world uses that.)

We can’t just drop our OSPF peering, because the summary routes would still cause traffic to us from the rest of the University to go to the old-EdLAN routers, which would drop it because they wouldn’t know how to get it to us.  Likewise, Information Services can’t just remove the summary routes, because our traffic to the rest of the University would still go out through the old-EdLAN routers, but the return traffic would take a different path, and that asymmetry would cause the University firewalls to drop it.

The plan, which we hope to implement on the 23rd, involves IS adding some temporary static subnet routes, which will be used in place of the summary routes.  They’ll allow IS to remove the summary routes and us to remove our OSPF peering with the old-EdLAN routers, while still keeping our traffic flowing.  Once that’s done, the individual subnet routes will be removed, one by one, while we test to ensure that traffic keeps flowing.

Once all this is done, we’ll be detached from old-EdLAN.  We’ll use OSPF internally within Informatics, and BGP to announce our routes to the new-EdLAN routers.


Beware phishing emails

Please be aware of a current wave of phishing emails which purport to be voicemails, with subjects such as “Voicemail (48 secs)”. These are scams designed to trick you into supplying various login and personal details. They are being sent from compromised accounts, which is why they look real. Please do not open these emails, but delete them.

The University will never ask you to supply personal information such as your National Insurance number or date of birth for EASE or DICE logins. Also, you will never be required to click on a link to verify your account details; anything like this must always be considered dangerous. You must not click on any links in such messages and should always report them immediately to IS or the Informatics computing support team.

We understand that these emails can often appear quite believable, and busy people can easily click on links before realising the implications. If anything like that ever happens to you, let us know immediately; we’re here to help.

Information Services provides a helpful guide on how to identify and avoid phishing emails.

You can contact us via our Support Form which is linked from our help site.


Singularity container platform on DICE

The Singularity container platform is now available on Ubuntu DICE.

Singularity is a container platform, perhaps the most well-supported Docker alternative. It allows you to run containers that package up pieces of software in a way that is portable and reproducible. You can build or download pre-built images from external resources (including Docker Hub) and run them on DICE. Singularity is currently available on all Ubuntu Teaching Cluster nodes (landonia nodes).

More information can be found here

As always, for any issues or further help please use the computing support form.


Changes to smtp.inf.ed.ac.uk

The University is increasingly concerned about the security of our computing services, and as such is moving vulnerable services behind the University firewall or simply shutting them down altogether.

With the closure of staffmail and everyone now using Office 365, our authenticated smtp.inf.ed.ac.uk service is a service with relatively little use, is world accessible, and under constant attack from the outside.

From the 2 months of logs that we keep, there are only 46 users (myself included) of the service. Of those 46, 13 only ever connect from IP addresses within the University network (including the VPN), 13 people only ever connect from outside of the University, and the rest connect from both.

Given this, and the fact that Office 365 already offers an authenticated SMTP service (outlook.office365.com, port 587), we will move smtp.inf.ed.ac.uk to behind the University’s firewall, with a view to closing the service altogether at some point after that.

We will remove world access to smtp.inf.ed.ac.uk on Wednesday the 15th of June 2022. If you are an smtp.inf user, during that time you should switch to using outlook.office365.com for your outgoing mail, or be prepared to use either the University’s or Informatics VPN (https://computing.help.inf.ed.ac.uk/vpn) to continue connecting.
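A usage breakdown like the one above (internal-only, external-only, both) can be produced from authentication logs before a service is moved behind a firewall. The following is an added example, not the script used by the Informatics team: the log line format, the user names and the "internal" ranges (RFC 5737 / RFC 3849 documentation blocks standing in for University and VPN ranges) are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: documentation ranges standing in for the University network
# (including VPN address pools). Replace with the real internal prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("192.0.2.0/24", "2001:db8:1::/48")]

# Assumption: a simplified log line; adapt the regex to your MTA's format.
AUTH_RE = re.compile(r"auth=ok user=(?P<user>\S+) ip=(?P<ip>\S+)")

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2022-05-02T08:01:10 smtp auth=ok user=alice ip=192.0.2.15
2022-05-02T08:03:44 smtp auth=fail user=root ip=203.0.113.77
2022-05-02T09:12:01 smtp auth=ok user=bob ip=198.51.100.23
2022-05-03T18:40:09 smtp auth=ok user=carol ip=2001:db8:1:20::5
2022-05-04T07:55:31 smtp auth=ok user=carol ip=203.0.113.9
2022-05-04T10:20:00 smtp auth=ok user=alice ip=192.0.2.200
2022-05-05T22:10:45 smtp auth=ok user=bob ip=2001:db8:ffff::1
"""

def is_internal(ip_text, nets=INTERNAL_NETS):
    """True if the address falls inside any internal prefix (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in nets)

def classify_users(log_text, nets=INTERNAL_NETS):
    """Map each successfully authenticated user to internal-only,
    external-only or both, based on every source address seen."""
    seen = defaultdict(set)  # user -> {"internal", "external"}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are not "users"
        try:
            side = "internal" if is_internal(m["ip"], nets) else "external"
        except ValueError:
            continue  # skip lines with an unparsable address
        seen[m["user"]].add(side)
    return {user: "both" if len(sides) == 2 else f"{next(iter(sides))}-only"
            for user, sides in seen.items()}

def summarise(classes):
    """Count users per class; external-only users are the ones who must act."""
    return Counter(classes.values())
```

The external-only and both groups are the users who need to change their client settings or use a VPN before world access is removed.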


Closure of ftp.cogsci.ed.ac.uk

When the School of Informatics was first formed, existing individual department services were kept running. One of those services was ftp.cogsci.ed.ac.uk. However, over the years its functionality became less and less, and it currently only allows public downloads of content that has not been updated in 10 years.

Looking at the logs, the vast majority of connections are from bots like GoogleBot. Given this, and a desire to close unnecessary firewall holes, the FTP service has now been shut down.

If there was public content on ftp.cogsci.ed.ac.uk that should still be made available, then hosting it on a web page would be one alternative.

Neil


Removing support for older SSL cipher suites

To improve the security of our HTTPS web sites, we have removed support for older/less secure cipher suites, particularly those susceptible to the SWEET32 attack.

This should not impact any current web browsers, but old devices, e.g. old Android mobile phones, may find they can no longer connect to our HTTPS websites.

Neil
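SWEET32 targets block ciphers with a 64-bit block size, such as 3DES, so a quick audit is to flag any suite name that uses one. The following is an added example, not the check used for the sites described in this post: the token list is a name-matching heuristic chosen here, and the list of offered suites is constructed.

```python
import re
import ssl

# Name tokens that indicate a 64-bit block cipher, covering OpenSSL-style
# names (DES-CBC3-SHA) and IANA-style names (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
# "CBC3" is how OpenSSL spells 3DES. This list is an assumption of the example.
BLOCK64_TOKENS = {"3DES", "CBC3", "DES", "DES40", "IDEA", "RC2"}

def uses_64bit_block_cipher(suite_name):
    """True if any '-' or '_' separated token names a 64-bit block cipher."""
    tokens = set(re.split(r"[-_]", suite_name.upper()))
    return bool(tokens & BLOCK64_TOKENS)

def audit_suites(suite_names):
    """Split suite names into (flagged, acceptable), preserving order."""
    flagged = [n for n in suite_names if uses_64bit_block_cipher(n)]
    acceptable = [n for n in suite_names if not uses_64bit_block_cipher(n)]
    return flagged, acceptable

def audit_context(ctx):
    """Flag 64-bit block cipher suites enabled in an ssl.SSLContext."""
    return audit_suites([c["name"] for c in ctx.get_ciphers()])[0]

# Constructed list, as a scanner might report for a server before clean-up.
OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC3-SHA",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
]

if __name__ == "__main__":
    flagged, acceptable = audit_suites(OFFERED)
    print("remove:", flagged)
    print("keep:  ", acceptable)
    # The same check against what this machine's default TLS context enables.
    print("local default context:", audit_context(ssl.create_default_context()))
```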


Network changes for self-managed machines

As you’ll all be aware, the University is tightening up on network security in response to outside threats.  Within Informatics we have also been looking at ways to improve our security, and one area we have identified is that of self-managed machines in offices.

For many years we have provided network ports in offices and other “closed” areas, configured so that any machine connected to them is given an IP address, without the need to register in advance.  (We can do this because our network monitoring tools provide an audit trail linking the machine’s address with the port where it has been used.)  As well as allowing access to the rest of the University and beyond, this has given mostly-unrestricted access to internal Informatics resources.  It is this latter feature which is now under review.

Since we do not know how the machines using these ephemeral connections are configured and maintained, it has been concluded that it is now unacceptably risky to allow this unrestricted access to continue.  On a date to be announced, therefore, the configuration of the Informatics firewall will be changed so that these machines move from our “inner ring” to our “outer ring”.  They will still be protected against threats from outside Informatics, but our core systems will be protected against potential threats from them.

The effect you will see on one of these self-managed machines will be as follows:

  • You will still receive a dynamically-allocated address for your machine.
  • You will have the same access to the rest of the University and beyond as you do now.
  • However, you will only have access to internal Informatics resources if they have explicit firewall arrangements in place to allow this access, or you connect through one of our login servers or use OpenVPN.  This is essentially the same level of access that you would have if you were using the University’s wireless service.

If you have any access pattern which you think might be affected by this change, please submit a support request.  We can then look at it and then either make a firewall change or advise on alternative access methods.

 


Informatics-EdLAN connectivity

As you’ll be aware by now, EdLAN is changing, though rather more slowly than was originally anticipated for various reasons, and the way that Informatics connects to it has to change too.

Under the old EdLAN, the Informatics network in the central area (Forum, Appleton Tower, Bayes and Wilkie) had a 10Gbps connection to the EdLAN AT router, which carried our “bridged” traffic and most of our “routed” traffic to and from the rest of the University and beyond, and a 1Gbps connection to the EdLAN Old College router, which carried the rest of the “routed” traffic and acted as a hot-spare for the “bridged” traffic.

Under the new EdLAN we now have a 20Gbps connection to the Appleton Tower distribution router carrying “routed” traffic for AT and Wilkie, a separate 20Gbps connection to the AT distribution router which currently carries all of our “bridged” traffic, and a 20Gbps connection to the Forum distribution router which carries our Forum and Bayes “routed” traffic.  There is also a separate 20Gbps connection to the Forum distribution router, intended for “bridged” traffic, which is currently mostly idle.

What we now need to do is to transfer the “bridged” traffic originating in the Forum and Bayes, which currently traverses our internal network before making use of our AT connection, so that it uses the Forum “bridged” connection instead.  There are a couple of reasons for this.  The first is that it will make the Forum/Bayes part of our network more independent of the Appleton Tower part of our network, as well as balancing the load across the various links better.

The second reason is that as EdLAN develops, and in particular as the edge roll-out takes place, anticipated to begin later this year, a fast direct path between our Forum core and the EdLAN Forum distribution router for “bridged” traffic will be a necessary part of that transition.

Making the change can’t be done completely transparently, though.  In order to avoid creating forwarding loops, which at 20Gbps would completely break the rest of our network, we need to reconfigure the traffic which is carried on our internal links first before bringing up the new “bridged” connection.  This will cause a break of a few seconds to the Forum traffic which currently transits through Appleton Tower, and in particular wireless and phones.  Only once that has been done will it be safe to patch in the new connection and bring it into service.

We’ll monitor the network after the change, of course, and our configuration system has had some additional constraints added which should mean that loops can’t be set up by accident in future.


All users of the University VPN must reset their password

The Chief Information Security Officer for the University announced on Monday 21st March that all users of the University VPN service MUST reset their password. Users of the Informatics OpenVPN service are not affected. Note that, as this is a centrally provided service, any queries or support requests must be directed to Information Services. Here are the full details of the announcement message:


Be aware of phishing

Following Russia’s attack on Ukraine, the National Cyber Security Centre (NCSC) is calling on all UK organisations to increase their vigilance for cyber attacks.

It is clear that various groups are now using this crisis as an opportunity to launch new phishing email attacks. For example, there are scams asking people to "Help Ukraine" and other scams are based on fake reports of "unusual sign-on activity".

You must always be very wary of any email which wants you to enter personal details or transfer money. The NCSC provides guidance on how to spot scam emails.

If you are unsure of the safety of any emails you receive please contact the Informatics Computing Team via the support form linked from our help site.
