From the CIO

VCU Technology Services

Welcome back to a new school year! While we are still greatly impacted by the pandemic, this year certainly feels a little more “normal” than last year. For this month’s entry, I feature two of our infrastructure services as well as mention Technology Services’ participation in VCU’s governance.

VPN Overview

VCU’s “RamsVPN” solution has provided a flexible and secure method to allow staff and students to perform critical jobs and learning functions prior to and throughout the pandemic. While we cannot anticipate all the changes due to COVID-19’s impact, we certainly know that remote work and learning will continue to be integral to our university’s success in the coming decades. Therefore, with this important technology in mind: the following is an overview of how our remote users access on-campus resources securely using VPN and firewall protections.

The infrastructure design uses the concept of a “firewall sandwich”: an outer Palo Alto Next Generation firewall pair secures an inner Cisco ASA firewall VPN solution called “RamsVPN”, which is in turn followed by a secondary internal Palo Alto Next Generation firewall pair that secures the large networks of Academicnet, Mednet and SecNet and, of course, the University Computer Center’s server farms.

To access internal networks or server resources, users connecting from the external internet are allowed in through the outer firewalls to reach the RamsVPN external network interface from their Comcast, Verizon or other public IP address. After authenticating against LDAP and being placed in the level of access they are permitted on the VCU network, their public IP address is dropped, they are given a VCU-owned routable IP address, and their traffic is sent out the inside interface of the RamsVPN toward the internal firewalls. After leaving the RamsVPN, the user’s connection must still be allowed through the destination internal firewall before it is finally permitted to reach the server or a network such as SecNet.

The advantage of such a design is the series of physical and logical security layers that must be crossed, each giving an opportunity to inspect and act on potentially malicious activity. Initially, when a user starts a connection, the border firewall applies various inspections and source network filter lists to ensure connections are not coming from known criminal or suspect locations around the world. When users authenticate to the RamsVPN they must have an active, user-specific account on the university’s authentication system, as well as access to the dynamic second form of authentication provided by “DuoAuth”. Finally, the internal firewall tightly restricts traffic to selected TCP/UDP ports before allowing any access to the internal servers and workstation network. A failure at any step on this pathway results in the user being denied access to the resource, most likely requiring a call to the IT Support Center for assistance.
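To make the layered path concrete, here is an added model of the three decision points described above (border source filter, VPN authentication with a second factor and an organisation-owned address, and the inner firewall’s network and port checks). It is illustration only, not VCU’s configuration: every address, account, role and port is constructed for the example, using RFC 5737 documentation ranges for public addresses and RFC 1918 space for the inner networks. The point it shows is that a failure at any single layer ends the request before it reaches the inner network, and that the inner firewall never sees the user’s public address.

```python
"""Model of the layered path a remote user crosses to reach an internal server.

Added illustration, not VCU's configuration: every address, account, role and
port below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Layer 1: constructed border-firewall source filter (stand-in for a
# reputation/geo list of known-bad networks).
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Layer 2: constructed directory, stand-in for LDAP plus second-factor enrolment.
DIRECTORY = {
    "jdoe": {"password": "correct horse", "role": "staff", "mfa_enrolled": True},
    "student1": {"password": "hunter2", "role": "student", "mfa_enrolled": True},
    "nomfa": {"password": "pw", "role": "staff", "mfa_enrolled": False},
}

# Constructed pool of organisation-owned addresses handed out after login;
# the user's public address is not what the inner firewall sees.
VPN_POOL = ipaddress.ip_network("192.0.2.0/24")
_leases: Dict[str, ipaddress.IPv4Address] = {}

# Layer 3: constructed inner networks and the roles allowed to enter each.
INTERNAL_NETWORKS = {
    "AcademicNet": (ipaddress.ip_network("10.10.0.0/16"), {"staff", "student"}),
    "SecNet": (ipaddress.ip_network("10.20.0.0/16"), {"staff"}),
}

# Layer 3, continued: constructed inner-firewall ACL, host -> permitted ports.
INNER_ACL = {
    ipaddress.ip_address("10.10.5.20"): {443},   # web app, HTTPS only
    ipaddress.ip_address("10.20.1.10"): {3389},  # admin host, RDP only
}


@dataclass
class Decision:
    allowed: bool
    stage: str            # the layer that made the decision
    reason: str
    vpn_ip: Optional[ipaddress.IPv4Address] = None


def lease_address(username: str) -> ipaddress.IPv4Address:
    """Give each authenticated user a stable address from the pool."""
    if username not in _leases:
        # Skip the network address; hand out .1, .2, ... in order of arrival.
        _leases[username] = VPN_POOL[len(_leases) + 1]
    return _leases[username]


def connect(src: str, username: str, password: str, mfa_approved: bool,
            dest: str, port: int) -> Decision:
    src_ip, dest_ip = ipaddress.ip_address(src), ipaddress.ip_address(dest)

    # Layer 1: the border firewall drops traffic from listed source networks.
    if any(src_ip in net for net in BLOCKED_SOURCES):
        return Decision(False, "border-firewall", f"source {src_ip} is on the block list")

    # Layer 2: the VPN requires a valid account and an approved second factor.
    account = DIRECTORY.get(username)
    if account is None or account["password"] != password:
        return Decision(False, "vpn-auth", "unknown user or bad password")
    if not (account["mfa_enrolled"] and mfa_approved):
        return Decision(False, "vpn-auth", "second factor missing or not approved")
    vpn_ip = lease_address(username)

    # Layer 3: the inner firewall checks the role against the destination network ...
    target = next(((name, roles) for name, (cidr, roles) in INTERNAL_NETWORKS.items()
                   if dest_ip in cidr), None)
    if target is None:
        return Decision(False, "internal-firewall", f"{dest_ip} is not a known network", vpn_ip)
    net_name, roles = target
    if account["role"] not in roles:
        return Decision(False, "internal-firewall",
                        f"role {account['role']} may not enter {net_name}", vpn_ip)

    # ... and then restricts the connection to the ports permitted for that host.
    if port not in INNER_ACL.get(dest_ip, set()):
        return Decision(False, "internal-firewall",
                        f"port {port} not permitted to {dest_ip}", vpn_ip)

    return Decision(True, "internal-firewall", f"permitted into {net_name}", vpn_ip)


if __name__ == "__main__":
    for args in [
        ("198.51.100.7", "jdoe", "correct horse", True, "10.20.1.10", 3389),
        ("203.0.113.9", "jdoe", "correct horse", True, "10.20.1.10", 3389),
        ("198.51.100.7", "student1", "hunter2", True, "10.20.1.10", 3389),
        ("198.51.100.7", "jdoe", "correct horse", True, "10.10.5.20", 22),
        ("198.51.100.7", "nomfa", "pw", True, "10.10.5.20", 443),
    ]:
        print(connect(*args))
```

Each `Decision` records which layer stopped the request, which is the useful property of a design like this for operations: a denial at the border, at authentication, or at the inner firewall produces a different log source, so the help desk and security staff can tell where a user’s connection failed.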

Over the coming years, it is anticipated that while the functionality of firewalls and VPNs will not diminish, the form in which they are provided may well change. One example of this is VCU’s move to the cloud for the wireless network, which uses complex control and analytics in the cloud while keeping a light and flexible hardware footprint on campus. Taking this concept one step further, it could very well be that the firewall and VPN themselves move to the cloud, with minimal physical hardware deployed on campus to control access to VCU’s on-campus server farms and buildings.

University Computer Center (UCC): Windows Server Support Services

The University Computer Center’s (UCC) mission is to provide secure, reliable, and cost-effective computing power, data storage, and system backup and recovery services with 24×7 operations and systems support to the VCU community.

As part of these services, the UCC has a team of Operating System Specialists who support the Windows server environment and are responsible for building and maintaining the Windows devices that reside at the computer center. Support of these systems includes standardized server provisioning, security and patching, operating system support, driver and firmware updates, system monitoring and alerting, and data backup and recovery. Signed service level agreements (SLAs) with server owners govern these systems.

The Windows team collaborates with customers, other UCC units, Network Services and Information Security to provision servers for customers and their applications. Standard procedures for server provisioning are followed to ensure reliable systems are built to the specifications requested by customers.

According to this PBS article, cyber attacks are on the rise and can be devastating for businesses and universities: https://www.pbs.org/newshour/nation/why-ransomware-attacks-are-….

Servers are configured to meet the minimum security baselines, as defined by the Information Security department, which helps to prevent ransomware and other cyber attacks from being successful. Thwarting such attacks involves a combination of enforcing security best practices through operating system hardening as well as deploying and maintaining anti-malware solutions. More details about how Windows servers are secured at the UCC can be found here: https://docs.google.com/document/….

In addition to enforcing security best practices during the server provisioning process, Microsoft security patches are applied on the second Tuesday of every month. Windows Server Update Services is used to deploy the patches and to report on the status of the installation.

Additionally, each quarter, Information Security runs a vulnerability scan on all VCU servers and other technologies. The results of the scans are reviewed by the Windows team and any vulnerabilities are remediated. UCC operating system analysts work with the application owner to schedule and execute remediation activities, reducing the possibility of a cyber attack.

Another action performed quarterly is the application of firmware and driver updates on the physical servers hosted in the datacenter. Applying these vendor-supplied updates keeps the servers secure and helps maintain their reliability.

A system tool is used to monitor the health of servers and the server infrastructure. Alerts are sent to UCC staff as well as the application owner, and appropriate action is taken to resolve any issues that arise.
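The monthly patch cycle and quarterly firmware cadence above are easy to state and easy to drift from, so here is an added example of the kind of check a server team can run over an inventory export to find hosts that have fallen behind. It is not a UCC tool: the inventory rows are constructed, and the two-week grace period after Patch Tuesday and the 92-day firmware age limit are this example’s own assumptions, not VCU policy. It does show the one non-obvious piece, computing the second Tuesday of a month and deciding which release a host is currently expected to have.

```python
"""Cadence check for monthly Windows patching and quarterly firmware updates.

Added example, not a UCC tool: the inventory rows are constructed and the
grace period and firmware age limit are this example's assumptions. Dates are
ISO strings, as they would arrive from an inventory export.
"""
import calendar
from datetime import date, timedelta
from typing import Dict, List

PATCH_GRACE_DAYS = 14        # assumption: patches land within two weeks of release
FIRMWARE_MAX_AGE_DAYS = 92   # assumption: "quarterly" means no older than ~92 days

# Constructed inventory; last_firmware is None for virtual machines.
INVENTORY = [
    {"host": "app01", "kind": "virtual",  "last_patch": "2021-09-18", "last_firmware": None},
    {"host": "db02",  "kind": "physical", "last_patch": "2021-08-15", "last_firmware": "2021-04-02"},
    {"host": "web03", "kind": "physical", "last_patch": "2021-09-15", "last_firmware": "2021-07-20"},
]


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's monthly security release day."""
    first_weekday = calendar.weekday(year, month, 1)            # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)


def latest_patch_tuesday(today_iso: str) -> date:
    """Most recent Patch Tuesday on or before the given date."""
    today = date.fromisoformat(today_iso)
    pt = patch_tuesday(today.year, today.month)
    if pt <= today:
        return pt
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    return patch_tuesday(year, month)


def compliance_report(inventory: List[dict], today_iso: str) -> Dict[str, List[str]]:
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    today = date.fromisoformat(today_iso)
    current = latest_patch_tuesday(today_iso)
    # Inside the grace window the previous cycle's patches are the requirement;
    # once it has passed, the current cycle's patches are.
    if today - current <= timedelta(days=PATCH_GRACE_DAYS):
        required = latest_patch_tuesday((current - timedelta(days=1)).isoformat())
    else:
        required = current

    report: Dict[str, List[str]] = {}
    for row in inventory:
        findings = []
        if date.fromisoformat(row["last_patch"]) < required:
            findings.append(f"patches predate the {required} release")
        if row["kind"] == "physical":
            fw = row["last_firmware"]
            if fw is None or today - date.fromisoformat(fw) > timedelta(days=FIRMWARE_MAX_AGE_DAYS):
                findings.append("firmware/driver update older than one quarter")
        if findings:
            report[row["host"]] = findings
    return report


if __name__ == "__main__":
    for host, issues in compliance_report(INVENTORY, "2021-09-30").items():
        print(host, "->", "; ".join(issues))
```

Run against the constructed inventory on 2021-09-30, only `db02` is reported, for both stale patches and stale firmware; run on 2021-09-20, inside the grace window, the same host is reported only for firmware, because August’s release is still the requirement. In practice the inventory rows would come from the monitoring tool or WSUS reporting rather than being typed in.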

The UCC currently supports 430 Windows Servers including test, development, and production servers. Of these, 385 are virtual servers running on VMware and 45 are physical Dell servers.

Technology Services Representing in Staff Senate

I’m happy to see that once again Technology Services has strong representation in the VCU Staff Senate. Serving this year are Lisa Beggs, Chris McDonald, and Hannah Steighner, with Chris and Hannah serving on the Executive Committee as Vice President and Technology Officer. Thanks to this year’s senators as well as those who have previously served!

Here’s to a great Fall semester!

Alex
