After Server Registration - Where Do We Go From Here?

by Raymond Poon

The Computing Services Centre (CSC) so far has received over 456 server registrations from 50 departments. The largest groups of servers are from MEEM, IS, and DCO, with 111, 63 and 34 servers respectively. Apparently many of these servers in the academic departments are accessed by staff and students for projects or learning purposes, while the rest are accessed by external parties for information with some or no access control. Almost all kinds of network protocols are utilised and every conceivable service is provided, including some critical yet high-risk ones such as SMTP, FTP, DHCP, DNS, IIS, etc.

By analyzing the data collected from the server registrations, the CSC has come to the conclusion that, since there are simply far too many servers offering disparate services under different operating systems on the campus network, it would be impossible for the CSC to offer direct help to, and secure, each and every one of them (a commitment which the CSC has always tried to achieve but now finally realizes is infeasible). In fact, what we really need now is, on one hand, to rely on server owners and administrators to help minimize the security risks of their own servers, thereby improving the overall security of the entire campus network and, on the other hand, to introduce some campus-wide measures to assist them in managing their servers effectively. While the CSC is still trying hard to sort out the technical as well as procedural arrangements for the reinforcement of the total campus network security, the following measures are now planned to be implemented in the next few months:

  1. Any unregistered server and/or service will be immediately filtered from the network as soon as it is discovered, and no advance notice will be given.
     
  2. Any server found to have been infected by a virus, conducted illegal activities, posed serious threats to the security of the campus network, been complained about by external parties with compelling evidence, violated existing policies, etc., will have its network card address and/or IP address immediately filtered from the network, and no advance notice will be given.
     
  3. For servers with repeated violations that cause substantial damage to other users on the campus network, an expert from one of the CSC-approved organizations will be hired, on their behalf and at their expense, to conduct risk assessments such as vulnerability scans, penetration tests, etc. to ensure their fitness for network access. These servers will not be allowed to connect to the network unless they have passed all the tests recommended by the expert and shown that sufficient threat prevention measures are or will be in place.
     
  4. All incoming access to the CityU servers (both central and departmental servers) from non-CityU IP addresses will be blocked by a firewall at the perimeter of the campus network. As such, students and staff at home or abroad must use VPN clients to access these servers.
     
  5. For services offered to the general public and provided by multiple servers, depending on the security requirements and the nature of the services, some servers may be placed before or behind the firewall. In general, servers offering services that utilize critical or dynamic information will be placed behind the firewall for maximum or specially tailored protection, while those that do not will be placed before the firewall (the so-called De-Militarized Zone, or DMZ for short) with minimum or no security protection.
     
  6. For services offered to the general public and provided by a single server, if security is a concern and when the situation warrants, its services and/or functions may need to be divided between or among two or more servers so that Point 5 can apply. If not, it can be placed either before the firewall (under-protected) or behind it (over-protected), according to how dynamic the information it utilizes is.
     

The details of the implementation plan will be announced as soon as it is ready. We hope that, with the help and cooperation of our users, server owners and administrators, the negative impacts of the above-mentioned measures can be reduced to a minimum, and that our campus network can still be rich in services offered by many different parties yet made secure.