Issue 1 - Texas Tech University Health Sciences Center

TechTalk
The official newsletter of the TTUHSC Information Technology Division
Volume III, Issue I
May 2008
In This Issue:
Message From The CIO
Tips - n - Tricks From The Help Desk
The Faces Behind The Voices
Windows Vista Support
NIU 2 Update
Keeping An Eye On Security
Editor: Yung Ng
Editorial Team:
TJ Greenwood, [email protected]
Ken Jarrell, [email protected]
Carla Myers, [email protected]
Yung Ng, [email protected]
INFORMATION TECHNOLOGY (IT) DIVISION CONTACT INFORMATION
AMARILLO:
1400 S. Coulter Street
Amarillo, TX 79106
(806) 354-5404
[email protected]
EL PASO:
4800 Alberta Avenue
El Paso, TX 79905
(915) 545-6800
[email protected]
www.ttuhsc.edu/elpaso/it
LUBBOCK:
Technology Services and
Information Services
3601 4th Street - STOP 9083
Lubbock, TX 79430
(806) 743-2870 - Reception
(806) 743-2875 - Help Desk
[email protected]
www.ttuhsc.edu/it
Office of the CIO and
HealthNet Education Services
3601 4th Street - STOP 7755
Lubbock, TX 79430
(806) 743-1500 - Reception
(806) 743-1555 - HealthNet
PERMIAN BASIN:
800 West 4th Street
Odessa, TX 79763
(432) 335-5108
[email protected]
www.ttuhsc.edu/odessa/it
Message From The Chief Information Officer
As you may have heard, we are currently deploying a new network to support
the Institution’s needs on all of our campuses. The network upgrade will not only
improve our network capabilities, it will also bring enhancements to our IT security infrastructure. There will be a number of security enhancements in the new
network, but two in particular will directly impact you:
• Network Access Control (NAC)
• Secure Socket Layer Virtual Private Network (SSL VPN)
Network Access Control (NAC) is a solution that allows us to provide appropriate
access based on user identity and also to ensure that each device connected
to our network has the appropriate security and compliance measures in place,
such as anti-virus software and operating system software updates. When
a computer initially logs onto the network, it will be checked to ensure that
the proper software and security measures are in place before being allowed
to access institutional information resources. Computers that don’t have the
appropriate protection will be routed to a web site that will provide instructions
on how to get the necessary software and updates installed on their computer.
Once the appropriate protections are in place, the user will then be able to
access institutional resources.
Secure Socket Layer Virtual Private Network (SSL VPN) is a service that allows users to securely connect to our network from remote locations. The new VPN service will allow additional concurrent users to remotely access the TTUHSC network and eliminate the problem with multiple users at the same location (e.g. at a hotel during a conference) connecting to the institutional network. One additional change is that you will be able to connect securely to the network from any computer you are using, even public access computers. The secure connection is made through the web browser. Users will need only minimal training, which will be available on a web page, on how to use the new SSL VPN service. This will primarily impact those who travel frequently and only have access to public computers. Initially, users will be moved to the new service on a request basis. The existing VPN services will remain active as we begin to transition TTUHSC users to the new device.
Keeping mission critical, personal and protected health information secure is
a major priority of the Institution and the IT Division. New security threats are
constantly appearing and the IT Division is dedicated to on-going research and
implementation of protective measures to ensure that institutional information is
kept as secure as possible.
Michael T. Phillips
Chief Information Officer
B Is For ...
By Neil Stout
Server Support III
In mid-February, the IT Division announced a new spam firewall service
from Barracuda Networks. Utilizing
both hardware and software configurations, the service offers multiple layers of defense including anti-spam,
anti-virus, anti-denial-of-service, and
other defenses to protect the TTUHSC
email system from attack. Barracuda
allows the user to easily mark email as
Spam or Not Spam and, in turn, aid
in training the service to be more efficient in the identification of junk mail.
What Is A Quarantine?
Quarantining is the process of placing a suspected spam email aside
into a special mailbox (known as a
Quarantine) so that it does not reach
your Inbox. It uses a scoring system
called Bayesian scoring which determines whether or not a given email
is spam or legitimate, based upon
messages that have been previously identified. If a message is scored
over a preset number, the Barracuda
Spam Firewall marks it as spam and
places it into a personal Quarantine
mailbox for either deletion or review
at a later date. By using this, you
can effectively reduce the amount of
spam that reaches your Inbox.
An important distinction to be made is that Quarantining is not actually deleting the email. You may review the items that have been quarantined and choose to have the messages delivered to your Inbox or delete the message. You can do this by way of your personal Quarantine report or by going directly to the Barracuda Spam Firewall webpage (https://spammgr.ttuhsc.edu/) and logging in using your eRaider ID.
Why You May Need The Quarantine
By default, the Barracuda Spam Firewall is not quarantining your email. We are blocking the highest rated spam as they come in, but are allowing the remainder of the messages to be delivered normally. However, this does not filter out many messages that receive a high score, but are still likely to be considered spam.
If you are receiving more spam than usual or you are simply receiving a large amount of spam, we would recommend you enable your personal Quarantine to reduce the amount of spam you deal with on a daily basis. This will also help secure your email as the chances are less likely for you to accidentally open an email that may contain a virus or a link to a malicious website.
How To Configure The Quarantine
First, go to: https://spammgr.ttuhsc.edu/ and log in by entering your eRaider username and password in the Username and Password fields then click on the Login button (Figure A).
Figure A. Barracuda Spam Firewall login screen
After logging in, you will see the Quarantine Inbox (Figure B). This is where all your messages that have been quarantined will be listed for viewing. If a message looks like spam, it can be deleted simply by clicking on the Delete link next to that message. Likewise, if it is a valid message that has been wrongly delivered to the Quarantine, it can be delivered to your Outlook Inbox by clicking the Deliver link next to the message. Should you wish to ensure that the sender’s messages never get stuck in the Quarantine again, you can add them to your personal Whitelist by clicking on the Whitelist link next to the message.
Figure B: Quarantine Inbox
To turn on your personal Quarantine, first you’ll need to click on the Preferences tab near the top of the screen. This
will bring you to your Whitelist/Blacklist
page, where you can add or remove
email addresses of people you always
or never want email from respectively.
Click on the Quarantine Settings tab
near the top of the page to open the
Quarantine Settings page (Figure C) for
basic Quarantine options. It is important to note that if you wish to change
any of these options, always press Save
Changes before you leave the settings
page.
Figure C: Quarantine Settings
The Enable Quarantine setting does just as it says: enables or disables your
Quarantine. When the Quarantine is enabled, any messages over a specific score (default is 6) will be delivered to the
Quarantine Inbox instead of your normal Inbox. When the Quarantine is not enabled, all messages will be delivered
directly to your Inbox, regardless of their score.
The Notification Interval setting describes how often you wish to receive a report containing the messages currently in
your Quarantine. This report will be delivered directly to your normal Inbox (unless specified otherwise in the Notification Address field) at whatever interval is selected.
After you have enabled your Quarantine, set whichever notification interval suits you and click Save Changes.
Your personal Quarantine is up and
running! If you wish to further customize your Quarantine or other features,
click on the Spam Settings tab near
the top of the page to bring up the
Spam Settings screen (Figure D).
Figure D: Spam Settings
The Enable Spam Filtering option allows you to completely turn on or off spam filtering. It is highly recommended that you leave this option set to Yes, otherwise all messages, no matter their score, will be sent directly to your Inbox.
By default, the Use System Defaults option will be set to Yes. If you find that the default scores do not work for you
however, selecting No, then clicking on Save Changes will allow you to change the values for Tag (emails over this value
will have “[Suspected SPAM]” put into their subjects but delivered to your Inbox), Quarantine (messages will be delivered to the Quarantine Inbox), and Block (messages are simply deleted).
Take care in changing the default values for Tag, Quarantine, and Block, since putting too low of a value can cause legitimate messages to be incorrectly classified as spam or deleted completely! It is highly recommended that the Block
value not be changed from its default of 9 for this reason.
More information about Anti-Spam is available at http://www.ttuhsc.edu/it/helpdesk/anti-spam.aspx. For additional
information or assistance, please contact your local campus IT Help Desk.
Tips -n- Tricks From The Help Desk
How To Connect To Your Work Computer From Home Using
Remote Desktop (when both are running Windows XP)
First, you will need to know your work computer name. Directions for obtaining this can be found at http://www.ttuhsc.edu/it/helpdesk/pcname.aspx and were also included in an earlier Tips-n-Tricks column from Volume 1, Issue 1 of TechTalk (http://www.ttuhsc.edu/it/newsletter/documents/techtalk_0506.pdf).
Work Computer Preparation
Right-click on the My Computer icon located on the Desktop and
select Properties. From the System Properties window, click on the
Remote tab. Check the check box next to “Allow users to connect remotely to this computer” to enable remote desktop. (Your work computer name is also displayed here if you have not obtained it earlier).
Then click on the Select Remote Users button. You should see an entry for your TTUHSC\eRaider_username listed on the Remote Desktop
Users window and, having verified these settings, click OK to accept
the settings and close the window.
If either the check box was not checked or your TTUHSC\eRaider_username was not listed and you do not have the permissions to modify those settings, please contact your local IT Help Desk for assistance in enabling those requirements on your work computer for Remote Desktop to work.
Home Computer Setup
Important: Your work computer must be turned on to be able to connect to it from home. If your internet service provider is not TTUHSC,
you will need to use a TTUHSC VPN connection on your home computer for Remote Desktop to be able to connect to your work computer. (TTUHSC VPN information is located at http://www.ttuhsc.edu/it/helpdesk/vpn).
There are two ways to begin Remote Desktop. Either go to Start >
All Programs > Accessories > Remote Desktop Connection or Start
> All Programs > Accessories > Communications > Remote Desktop Connection. After clicking on Remote Desktop Connection, enter
your work computer name in the Computer: field and then click on
Options. You can modify the quality of the Remote Desktop Screen
Size and Color depth to your preference under the Display tab and
tweak the Performance options under the Experience tab. Do note
that higher settings may result in a slower connection. Then click on
Connect and, if prompted with a username/password credentials window, enter your TTUHSC\eRaider_username and password. You will
then be connected to your work computer.
To end your session, close the Remote Desktop Window or go to Start
> Disconnect on your work computer.
Note: Once you have configured and tested the Remote Desktop Options to your liking, you can click on the Save As button under the
Remote Desktop Connection General tab to save a preconfigured shortcut icon to your desktop.
The Faces Behind The Voices Of ... Permian Basin IT
You’ve spoken to them. Now, it’s time to meet the hard working staff of the Permian Basin IT Help Desk.
Brad Erwin
Unit Manager
Brad has been with the Permian Basin Health Sciences Center IT Department for five years now. Before coming to the HSC, he was self employed in the computer service business, working in the Odessa/Midland and surrounding area. All in all, Brad has been working in the IT field for the past eleven years. When not working, he enjoys playing a quick round of golf.
Tremaine Butler
Unit Manager
Tremaine was born in Odessa and raised in San Antonio. However, he quickly found his way back to good old West Texas and has been with the Permian Basin IT Department for three years now. Besides watching and participating in all sports, Tremaine spends most of his free time with his three year old son.
Jared Wilson
PC/Network Support & Programmer
Jared is the newest member of the Permian Basin IT Department. He started working in the department as a PC/Network Support staff in September 2007. Additionally, Jared also doubles as a programmer for the department. Jared is from Odessa and graduated from UTPB in 2007 with a double major in Computer Science and Mathematics.
Justin Stewart
PC/Network Support
Justin joined the Permian Basin IT Help Desk team in 2004. He is a 2002 graduate of Permian High School and is currently attending the University of Texas at the Permian Basin in pursuit of a degree in business. He has 4 years experience in PC/Network support. When not at work, Justin enjoys listening to music and playing a variety of sports including basketball and golf.
PostX Encryption For Your Email
By Andrew Howard
Server Support II
Email encryption is not really a topic that most people read/talk/think
about on a daily basis. More people
find reading tax law more stimulating and understandable than most
articles written on email encryption.
Hopefully, this will be slightly more
interesting and enlightening.
Recently the HIPAA Privacy and Security Committee updated the operating policy and procedure for the electronic transmission of Protected Health Information (PHI). The new revision means TTUHSC employees can now send Electronic PHI (EPHI) via email to non-TTUHSC domains. When the end user is sending an email that contains EPHI in the body of a message or as an attachment, the email will have to be encrypted if its final destination is outside of the TTUHSC domain.
TTUHSC utilizes an email encryption solution from IronPort called an IEA, which is short for IronPort Encryption Appliance. There are four basic steps when sending an encrypted email. Figure 1 shows a simplified flow chart of the encryption process.
1. The user sends the encrypted email.
2. The message is pushed to the recipient and the recipient opens the email.
3. The recipient authenticates and gets the message key.
4. The message is decrypted and displayed.
Figure 1
There are two ways to encrypt emails through the IEA - manual and automatic. To manually encrypt an email, simply add [ss] or [send secure] to the Subject line of an email that needs to be encrypted. (See Figure 2 for an example.)
Figure 2
Once the email is sent, IronPort will detect the Subject line tag [ss] and encrypt the email. The Subject line tags [ss] and [send secure] are removed from the subject line upon encryption. So the recipient receives an email that has a Subject Line of “Medical Records” not “[ss] Medical Records”.
Currently, the automatic email encryption portion of the IEA is still in the development phase, but a brief overview of how the IEA automatically encrypts email is needed. The IEA is capable of scanning emails for certain words, phrases, and number patterns. To do this, the IEA utilizes a set of lexicon files that contain the words, phrases, and number patterns that TTUHSC determines warrant encryption. These words, phrases, and number patterns are all numerically weighted and, once a certain numerical weight is reached, the email is automatically encrypted. The lexicon files the IEA uses include financial and medical words/phrases and can be updated as needed.
Figure 3
Email is only encrypted if its destination is outside of the TTUHSC domain. Email sent inside the TTUHSC.EDU domain will not be encrypted. This means if a user manually encrypts an email with [ss] or [send secure] and sends it to an email address ending with TTUHSC.EDU it will not be encrypted. The email will be unencrypted with the Subject Line tag of [ss] or [send secure] still present when the recipient receives the email.
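The routing rules described above (Subject line tag, weighted lexicon, and the TTUHSC.EDU exception), written out as an added sketch; this is not IronPort's or TTUHSC's code. The lexicon entries, their weights, the threshold, the case-insensitive tag matching, the exact-domain comparison and the example.org addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "ttuhsc.edu"  # domain named in the article

# Manual Subject line tags from the article; matching them
# case-insensitively is an assumption of this sketch.
MANUAL_TAGS = re.compile(r"\[\s*(?:ss|send secure)\s*\]\s*", re.IGNORECASE)

# Constructed lexicon: (pattern, weight). The real lexicon files,
# weights and threshold are not given in the article.
LEXICON = [
    (re.compile(r"\bmedical records?\b", re.IGNORECASE), 4),
    (re.compile(r"\bdiagnosis\b", re.IGNORECASE), 3),
    (re.compile(r"\baccount number\b", re.IGNORECASE), 3),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 6),  # SSN-shaped number pattern
]
ENCRYPT_THRESHOLD = 8  # constructed value


@dataclass
class Decision:
    encrypt: bool
    subject: str   # Subject line as the recipient will see it
    reason: str
    score: int     # accumulated lexicon weight


def is_internal(recipient: str) -> bool:
    """True when the address ends in the institutional domain (exact match)."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    return domain == INTERNAL_DOMAIN


def lexicon_score(text: str) -> int:
    """Sum the weight of every lexicon hit (one weight per occurrence)."""
    return sum(w * len(p.findall(text)) for p, w in LEXICON)


def decide(subject: str, body: str, recipient: str) -> Decision:
    score = lexicon_score(subject + "\n" + body)
    # Internal mail is never encrypted, and the tag stays in the Subject.
    if is_internal(recipient):
        return Decision(False, subject, "internal destination", score)
    # Manual path: the tag forces encryption and is stripped.
    if MANUAL_TAGS.search(subject):
        clean = MANUAL_TAGS.sub("", subject).strip()
        return Decision(True, clean, "manual tag", score)
    # Automatic path: encrypt once the accumulated weight is reached.
    if score >= ENCRYPT_THRESHOLD:
        return Decision(True, subject, "lexicon weight", score)
    return Decision(False, subject, "below threshold", score)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("[ss] Medical Records", "see attached", "dr@example.org"),
        ("[ss] Medical Records", "see attached", "nurse@ttuhsc.edu"),
        ("Follow-up", "Diagnosis attached; SSN 123-45-6789", "a@example.org"),
        ("Lunch", "account number later", "a@example.org"),
    ]
    for subj, body, rcpt in samples:
        print(rcpt, decide(subj, body, rcpt))
```

The last sample is the case to watch when tuning a lexicon: an untagged external message whose weight stays under the threshold leaves unencrypted.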
When you get an encrypted email, you will get a notification email like the example shown in Figure 3.
Once the encrypted email is received, the user simply opens the securedoc.html attachment. If it is the user’s first time opening an encrypted email, there will be a Register button that will take the user to a registration page to create a profile. (See Figure 4.)
Figure 4
Clicking the Register button, the user is taken to a secure page (Figure 5) where they can enter their information and activate their account.
Figure 5
Once the user has registered, they
can open the securedoc.html attachment again and will be taken
to the following screen as shown in
Figure 6.
The user has to enter their password and click the Open button to
read the encrypted email.
The IronPort IEA is compatible
with all email platforms. Not only
can users receive encrypted email
using AOL, Yahoo!, Gmail, Hotmail, Thunderbird, Lotus Notes,
or Groupwise, but users can also
send encrypted mail from TTUHSC’s Outlook Web Access page.
For more information or help with
encrypting your email, please contact your local IT Helpdesk or go to
the Help Desk’s Email Encryption
page at http://www.ttuhsc.edu/it/helpdesk/emailencryption.aspx.
Figure 6
Windows Vista Support
Jeremy Freeman, Unit Manager, and Ken Jarrell, PC/Network Support III
Over the past year, TTUHSC IT has received numerous questions concerning services not supported by
the Windows Vista operating environment. TTUHSC is taking the approach of many universities and other
institutions in organizing a carefully planned approach to the support of Windows Vista installations on institutional machines. Currently, TTUHSC uses several essential hardware and software applications not supported by Windows Vista.
IT support staff have been involved in testing Windows Vista within our environment, as well as troubleshooting known problems with third-party software and peripherals. The goal is to meet certain specifications
and recommendations and find solutions to issues before distributing Windows Vista to compatible TTUHSC
computers. Many services offered by TTUHSC, but not supported by Windows Vista, have been addressed.
However, a couple of inconvenient compatibility issues remain. Both wireless and VPN connectivity involve
security measures that will be satisfied once the Network Infrastructure Upgrade, currently underway, has
been completed.
TTU has begun providing their employees and students the ability to purchase an upgrade copy of Windows Vista Ultimate for TTU work-at-home use, as well as a download option for Windows Vista Enterprise through eRaider. (Windows Vista Enterprise is only for computers within the TTU campus that are connected to the TTU network.) Please be aware that until the resources and services that TTUHSC provides and the main third party vendor applications that TTUHSC supports are compatible with Windows Vista, options for purchasing or downloading Windows Vista, and support for installing it on work computers, will not be available to the TTUHSC community. TTUHSC IT does realize that most new personal computer purchases come preinstalled with Windows Vista. Students, faculty, and staff using computers with Windows Vista will continue to receive the same assistance with supported services and software as those using Windows XP.
If you have any questions, please feel free to contact the IT Help Desk at (806) 743-2875 or email ithelpdesk@ttuhsc.edu.
What’s New For Microsoft Office 2007
By Ken Jarrell, PC/Network Support III
Earlier last year, Microsoft released the new Office 2007 system, including updated versions of Access, Excel, Outlook, PowerPoint, Publisher and Word - all with more features and an easier to use workspace. TTUHSC IT has recently begun supporting Office 2007 as well as assisting with upgrade plans for other departments.
With the added features and capabilities of Office 2007, a new workspace design was created, significantly reducing the chore of fumbling through numerous menus, toolbars, and dialog boxes. The traditional menus and toolbars have been replaced by the Ribbon, a new device that presents commands organized into a set of tabs. (See Figure 1.)
Figure 1
The tabs on the Ribbon display the commands that are most relevant for each of the task areas in the applications. For example, in Office Word 2007, the tabs group commands for activities such as inserting objects like pictures and tables, doing page layouts, working with references, doing mailings, and reviewing. The Home tab provides easy access to the most frequently used commands.
Office Excel 2007 has a similar set of tabs that make sense for spreadsheet work including tabs for working with formulas, managing data, and reviewing. These tabs simplify accessing application features because they organize the commands in a way that corresponds directly to the tasks people perform in these applications.
In addition to streamlining the document authoring experience, Office 2007 also centralizes all the things you can do with a document: share it, protect it, print it, publish it, and send it. The new workspace brings together the capabilities of the Microsoft Office system into a single feature on the workspace: the Microsoft Office Button. This offers two major advantages. First, it helps users find these valuable tasks. Second, it simplifies the core authoring scenarios by allowing the Ribbon to focus on creating great documents. (See Figure 2.)
Figure 2
Certain sets of commands are only relevant when objects of a particular type are being edited. In past versions of Microsoft Office, these commands, usually in the form of toolbars, were difficult to find and use. In Office Excel 2007 for example, the commands for editing a chart are not relevant until a chart appears in a spreadsheet and the user is focusing on modifying it. Clicking on a chart causes a contextual tab to appear with commands used for chart editing. Contextual tabs only appear when they are needed and make it much easier to find and use the commands needed for the operation at hand. They also bring needed functionality to the user’s attention at the most appropriate time. (See Figure 3.)
Galleries are at the heart of
the redesigned applications.
Galleries provide users with
a set of clear results that
users can simply “pick and
click” to achieve the desired
results from their document,
spreadsheet, presentation,
or database. By presenting
a simple set of potential results, rather than a complex
dialog box with numerous
options, Galleries simplify
the process of producing
professional looking work.
However, the traditional dialog box interfaces are still
available for those wishing a
greater degree of control over the result of the operation. (See Figure 4.)
Figure 3
Live Preview is a new technology that shows the results
of applying an editing or formatting change as the user
moves the pointer over the
results presented in a Gallery.
This new, dynamic capability
streamlines the process of
laying out, editing, and formatting so users can create
excellent results with less
time and effort.
These enhancements make
up only some of the most
significant updates to the
Microsoft Office system in
more than a decade. Soon,
staff, faculty, and students of
TTUHSC will be able to take
advantage of these features
in Microsoft Office 2007.
Figure 4
Progress Update On The Network Infrastructure Upgrade 2 Project
By Joe Bilbro, Managing Director
Network, Systems, & Security
To most TTUHSC network customers, the Network Infrastructure Upgrade 2 (NIU2) project will appear to have
never happened. Other than some obscure announcements warning of outages and downtimes, the average
customer using the network between the hours of 6AM and 6PM will never know that the infrastructure supporting the TTUHSC network has been completely gutted (with the exception of the existing fiber and copper cables)
and replaced with new state of the art networking equipment. This is, in fact, our goal: an upgrade that is totally
transparent to our customers.
After a long and complex RFP process, TTUHSC signed a contract late last year with AT&T to replace our 10 year
old network infrastructure with new networking equipment from Nortel Networks. Valued at $3,000,000, the upgrade will replace end of life Cisco networking gear with new ultra high speed equipment. The new equipment will
be placed at each of the TTUHSC campuses in Amarillo, Dallas, El Paso, Lubbock, Midland, and Odessa.
AT&T has partnered with Nortel to provide TTUHSC with a turn-key network upgrade. Nortel is the primary implementation contractor and is working closely with the TTUHSC networking team to design and deploy the new network. The new equipment brings improvements in redundancy, speed, management, and security to the TTUHSC
network.
Redundancy improvements are significant. Single Cisco core switches are being replaced with two tightly integrated, totally redundant Nortel 8600 series core switches. Each Nortel switch houses redundant power supplies,
and is backed up by redundant UPSs. In the unlikely event of a switch failure, an automatic failover to the other
switch will occur in less than 50 milliseconds, while maintaining all active network connections.
Network speed is also significantly improved. The core network bandwidth is being upgraded to 10Gb, with edge
closet speeds increasing from 1Gb to 4Gb. All office network connections currently at a speed of 10Mb will increase to 100Mb. Additionally, wireless access points will be upgraded from 802.11b (11Mb) to 802.11g (54Mb).
Managing a network with 15,000 connection points is not a trivial task. Sophisticated management tools must also
be deployed to avoid being drowned in too much data. We have purchased Nortel’s Enterprise Switch Manager,
Enterprise Network Management System, and Enterprise Policy Manager to allow our networking staff to quickly
receive alerts, isolate and troubleshoot network problems, and manage and maintain hardware and software networking assets.
The NIU2 RFP called for significant improvements in network security. The Nortel solution includes deployment
of Secure Network Access Switches at all campuses, which will ultimately prevent infected PCs from attaching to
our network. (Please see the security article on the Network Access Controls on page 13 of this issue of TechTalk
for more details on this exciting technology.) Additionally, Nortel Threat Protection System 2070s will be deployed
to detect network threats such as viruses, trojan horses, worms, denials of service, and malware in real time. This
will augment our existing Tippingpoint Intrusion Detection Systems/Intrusion Prevention Systems.
Before continuing further, it is important to define some of the network
terms used thus far.
Edge Switch – Edge switches connect PCs and printers in offices,
clinics, and classrooms to the core
switches. Edge switches are located
in edge switch closets.
Edge Switch Closet – Edge switch
closets are small rooms housing networking equipment located throughout the TTUHSC campuses. A given
edge switch closet usually contains
many edge switches which service
from 100 - 500 PCs. There are over 75
network closets in the TTUHSC network (counting regional campuses).
All equipment in a given closet will
be replaced in a single night. Plans
are to do multiple closets every other
night with equipment configuration
and staging in the interleaved days.
Core Switch – Core switches connect all edge switches to the main
network. When a core switch is
down, all edge switches attached to
that core switch are down.
Wireless Access Point (WAP) – WAPs provide access to the network
via a wireless connection. A typical WAP provides wireless network
coverage to a circular area within a
150 foot radius. TTUHSC currently
deploys 190+ WAPs that support
802.11A/B. They will be replaced
with new Nortel WAPs that support
802.11A/B/G.
The types of outages that could be
expected during this upgrade process include:
Lubbock Campus Core Switch
Outages – These outages are the
most disruptive. When the Lubbock
Core switches are down, WebCT,
email, IDX, Baseline Web, and all other services hosted in Lubbock will be
unavailable for ALL campuses. However, regional campuses should have
network access to the Internet and to
other regional campuses during Lubbock Core switch outages. These
outages will, in most cases, not begin until after 7PM CDT (6PM MDT)
and not last more than 10 hours. We
have already completed this piece of
the upgrade!
Regional Campus Core Switch
Outages – When the regional campus core switches are down, the
regional campus network and all local regional campus resources (e.g.,
servers, network printers, network
file shares, etc) will be unavailable.
These outages will, in most cases,
not begin until after 7PM local time
and not last more than 10 hours. We
anticipate that these after-hours outages will not last more than a week at
each regional campus.
Edge Switch Closet Outages –
When an edge switch closet is down,
any PCs and printers attached to
those switches cannot access the
network or any network resources
(e.g., the Internet, network printers,
servers, and applications like IDX,
Baseline Web, TechSIS, TechFIM,
WebCT, etc.) These outages will, in
most cases, begin at 6PM local time
and not last more than 10 hours.
Wireless Outages – WAPs will be out
of service whenever the edge switch
the WAP is attached to is down or
the WAP is being replaced. Wireless
access in the area(s) serviced by a
given WAP(s) will be unavailable during these times.
With the good must come some bad.
The bad news of this upgrade is that
there will be some down times. We
have already had nominal downtimes to replace the core equipment
in Lubbock.
The next round of upgrades will be
the edge switch closets in Lubbock,
scheduled to begin May 12, 2008.
While edge closet upgrades may occasionally cause a PC to think it is a
printer, or vice versa, we do not expect many problems from this part
of the upgrade, and any problems
encountered will be quickly resolved
with a call to the IT Help Desk.
Once all Lubbock edge closets are
completed, the project will proceed
according to the tentative schedule
below:
• El Paso (June 1st)
• Odessa/Midland (mid-June)
• Amarillo (July 1st), and,
• Dallas (mid-July).
Additional information on outages
and outage dates is available on
the NIU Project Calendar and After
Hours Outages web page at
http://www.ttuhsc.edu/it/helpdesk/niu/.
We encourage our customers, especially those who work late, to keep
checking the outage web page to
know when their office areas will be
affected. Edge closet upgrades will
start promptly at 6PM.
We are very excited about our new
network and our new network partner Nortel. We know that this new
network will position our Institution
to continue on its educational and
research path to excellence for the
next decade.
Network Access Controls (And What That Means For The User)
By Lane Timmons, Senior Director, Security & Networking
Each day at Texas Tech University Health Sciences Center, about 10,000 individual users take advantage of network resources. These users include students, faculty, staff, vendor partners, and
guests of all types. Generally speaking, each of these user types needs or wants access to different
resources on the network. For example, just about everyone uses email services and the Internet.
Students may be studying using the WebCT services, while faculty and staff may be accessing
and updating patients’ medical records or working with scheduling and billing. Our guests may be
working to support specific computer systems on the network such as air handler control systems,
electron microscopes, or large printers and copiers. Unfortunately, guests (or anybody with a laptop)
can bring with them undesirable and uninvited viruses or other malicious code. These computers
could then work to undo our security measures from within our network and behind our main line
defenses against Internet attacks. Therefore, these mobile computers place our Patient Health Information and all the other vital computerized services that we offer at risk.
This is one of the primary reasons behind Network Access Control (NAC) systems. NAC allows the Information Technology Security team to verify that computers belong on the network and
that those computers are safe and following best practices and Institutional policies. In addition,
NAC can prevent certain computers from attempting to access servers without a reason, such as an
outside vendor’s computer attempting to access medical records servers. Since there is no need
for that access, there should be no “pathway” for that computer to access the server. Therefore,
any virus that a guest computer might be infected with will have no opportunity to infect or otherwise “bother” Institutional services/servers.
While it is important that each authorized individual has the ability to access the systems they need
in order to do their jobs, it is not important that someone working on the air conditioner units has
access to the servers containing TTUHSC’s medical records. In fact, best security practices would
state that just the opposite is true. Network security should actively seek to reduce unnecessary access whenever possible. That way, if the vendor/partner brings an infected laptop computer
onto our network, that computer will have restricted access, limiting the potential damage to a much smaller group than “every computer on the network”.
In order to enable NAC to understand which computers should have general access to the network
and which ones shouldn’t, a special client must be installed on all Institutional computers. This client is known as the “Tunnel Guard” agent. The Tunnel Guard agent serves to authenticate the computer on the network. It then verifies that the computer has all necessary patches and antivirus software and meets
all Institutional policies concerning network security. If a computer that doesn’t have the client installed
joins the network, NAC treats the new computer as a guest and provides it very restricted
access to network resources.
The primary network resource that guest computers will have access to is “remediation” services. The process of remediation gives the user access, via a special web page, to instructions, help desk contact information, software, and other tools so that their computer can
become authorized to access network resources as needed to perform their job functions. To begin,
the temporarily unauthorized user opens a web browser and is automatically redirected to the TTUHSC remediation services website.
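The admission decision described above can be sketched as follows. This is an added example, not TTUHSC's or Nortel's configuration; the role names, network zones, and the handling of a computer that fails a check are assumptions.

```python
from dataclasses import dataclass

# Hypothetical names throughout: the article names only the "Tunnel Guard"
# agent, not its checks, roles or network zones.
REMEDIATION = "remediation-portal"

# Least privilege: each role reaches only the zones its work requires.
ROLE_ZONES = {
    "staff": {"email", "internet", "medical-records", "billing"},
    "student": {"email", "internet", "webct"},
    "vendor-hvac": {"email", "internet", "air-handler-controls"},
}

@dataclass
class Endpoint:
    name: str
    agent_installed: bool = False   # is the NAC agent present?
    authenticated: bool = False     # did the agent authenticate the computer?
    patches_current: bool = False
    antivirus_ok: bool = False
    role: str = "guest"

def admit(ep):
    """Return (decision, reachable_zones, reasons) for one endpoint."""
    if not ep.agent_installed:
        return "guest", {REMEDIATION}, ["no agent installed"]
    if not ep.authenticated:
        return "guest", {REMEDIATION}, ["agent could not authenticate"]
    failed = [msg for ok, msg in (
        (ep.patches_current, "missing patches"),
        (ep.antivirus_ok, "antivirus missing or out of date"),
    ) if not ok]
    if failed:
        # Assumption: a failed posture check is handled like a guest.
        return "restricted", {REMEDIATION}, failed
    zones = ROLE_ZONES.get(ep.role)
    if zones is None:
        # Fail closed: an unrecognised role never inherits broad access.
        return "guest", {REMEDIATION}, [f"unknown role {ep.role!r}"]
    return "admit", set(zones), []

def can_reach(ep, zone):
    """True only if the admission decision opens a path to `zone`."""
    return zone in admit(ep)[1]

if __name__ == "__main__":
    # Constructed sample endpoints, not real TTUHSC machines.
    for ep in (
        Endpoint("nurse-desktop", True, True, True, True, "staff"),
        Endpoint("hvac-laptop", True, True, True, True, "vendor-hvac"),
        Endpoint("visitor-laptop"),
        Endpoint("old-desktop", True, True, False, True, "staff"),
    ):
        print(ep.name, *admit(ep))
```

Even a fully compliant vendor laptop gets no path to the medical records zone, and a computer with no agent reaches only the remediation portal.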
Proactively, PC Support will add the Tunnel Guard agent onto the Institutional computer image that
Dell pre-loads onto all computers destined for TTUHSC. Most of the desktop computers at TTUHSC
will have the agent pre-installed without the users having to do anything. However, currently existing
desktop computers and computers purchased by individuals, such as laptops, will need to have the
agent installed. The Information Technology Division is working on several ways to do this including
“pushing” the agent and remediation services. Remediation options will include a webpage with all
the software and instructions needed for a user to get the agent installed and their computer added
to the network. It is a fairly simple and straightforward process but, of course, the Help Desk and
PC Support will be available to assist users as needed.
By bringing an infected laptop from outside onto the network, the guest user unknowingly circumvents many of the defenses designed to prevent intrusion from the Internet. It’s also a tempting goal
for someone who might be intentionally trying to circumvent network defenses. All the firewalls and
intrusion prevention systems in the world won’t do you any good if you allow unrestricted access to
your local area network. If someone can simply walk up and plug in to a network (or utilize a wireless
network), and thereby circumvent all the defenses which have been prepared to prevent unwanted
traffic from arriving from the Internet, that network is very much at risk. Network Access Controls
prevent this situation and add another layer of protection for any network. The point is that this
will stop unauthorized access to vital network resources. That is why TTUHSC is planning to deploy
Network Access Controls.
While NAC will certainly create some extra work for the PC Support and Help Desk groups as well
as new users and people with new computers, it is very important that we take the time and effort
necessary to perform the needed steps. Given the state of security and the current environment on
the Internet plus all the rules and regulations governing privacy for patient health information and
financial concerns, it is very important that Texas Tech University Health Sciences Center take the
steps necessary to protect our valuable and private data. Network Access Controls will provide a
major step forward towards a more secure network and help us to guarantee patient health information remains private.
Letters To The Editor
Do you have a question or a concern for the IT Division? Or do you just want to share a comment
about the service you recently received?
Send it to the Editor at [email protected]. Please note: all submissions to Letters To The Editor become the property of the IT Division and may be edited for content/length.