It is convenient to be able to connect one's own laptop (or even desktop) to the network. In most cases, a direct connection to the Internet offers little more than convenience and often tedious hours ensuring the configuration is correct. Computers within the university trust internal machines more than external machines: ensure your machine cannot be used to attack other machines. In particular, attacks on US military computers tend to result in fairly serious reprisals. (Please advise all members of the group if this has happened and we will arrange a vacation until the missiles and invasion force have departed.)
This may turn into a tediously long list of "do"s and "don't"s -- mainly "don't"s I fear. It may be summarised as "use a little common sense" but experience has shown that some more concrete definitions are required.
In order to communicate on the Cavendish network, you will need an appropriate IP address. Please do not use an IP address from College -- this will probably not work and may well cause network problems. IP addresses are given automatically to registered machines. If the details asked for below seem confusing, please consider whether running a machine connected directly to the Internet as a whole is necessarily something you want to do.
To register your machine, mail the Computing Officer (CO) firstname.lastname@example.org with the following information:
- Your name.
- Your Email address.
- Your room number.
- The MAC address (AKA Hardware address) of your computer. (MAC address contains some help in finding this if you're stuck
- The operating system of your computer - with version. ("Windows XP" isn't enough - "Windows XP Home" might be)
- Confirmation that your computer runs no network services. (If you're running an SSH server, that might be permissible)
- Confirmation that your computer responds to ping requests. (At least from 188.8.131.52/16)
- Confirmation that your computer runs a fully licensed virus scanner which is set to update automatically. (If it came with a free version which is going to time-out after some months, this is not acceptable - you're unlikely to remember to buy a new version and Frank isn't going to remember to chase you. PhD students, post-docs and staff are covered by the University's site licence for VirusScan, so make the most of it: http://www.ucs.cam.ac.uk/support/anti-virus/) NB - this licence also covers home use by members of the university...)
- Confirmation that your computer has automatic updates (or equivalent) enabled.
- If this is a replacement machine, please say so - IP addresses are a finite resource!
Ownership, insurance, electrical safety, commercial use
You own it. It's your responsibility. Software (legitimate or otherwise) installed on it is not the concern of the group unless it causes network or security problems (and you *don't* get to determine whether something is causing network or security problems, sorry). The university, department or group can request the machine to be disconnected at any time - unless the Pool is asked otherwise, the reaction to a request for disconnection will be to disconnect the machine first and ask questions later. Any piece of equipment operating from the mains *must* be tested for electrical safety. Regulations from the Joint Academic Network prohibit commercial use of the network.
Web Browsing and Email
- Please configure your browser to automatically detect setting
- Please use hermes for email, through the Web Interface or by configuring your-mail-program-of-choice.
Who is responsible for the system?
Either the system is fully integrated into the group's system and run by the CO, or (much more likely for personal machines) it is not. There is no half-way house. It is not possible for the CO to be responsible for some aspects of a system which has been installed or configured by someone else.
What can the group provide?
Currently a direct connection to the Cavendish network, so the question is more `what can the Cavendish provide?'.
In addition, all our printers are accessible via our print servers. The appropriate file server(s) and their services (printers and network shares) are also available to those who wish to use them.
What will the group not provide?
We will not recognise any form of client-side authentication.
How should any machine connected be configured?
It is important that people outside the Cavendish (or Cambridge) cannot use your machine to inject traffic onto our network (or syphon it off).
Do keep the machine patched up to date (for windows this means using windows automatic update at the very minimum) with security patches.
Windows 7/8 Security
Windows 7/8 is generally a lot better with regards to default security that Windows XP, but that doesn't mean there aren't still vulnerabilities that aren't being discovered and patched on a regular basis.
In order to take advantage of these patches, we require that you either set your machine to update automatically, or you run the update manually when convenient (eg. Just before or after a measurement run that might take a week, assuming that rebooting during this would be catastrophic to your research).
We will not be amused if we are called to your machine and discover it requires 178 updates installing.
You should also ensure you have some form of Antivirus software. The University provides this at http://www.ucs.cam.ac.uk/support/anti-virus/
Windows XP Security
Windows XP has now gone end of life, so we are removing it from the network. There are still a number of machines around, but this number is getting smaller and generally we are only allowing machines to stay when there is not alternative.
In their wisdom, Microsoft have enabled by default things that you should really have turned off. The [UCS] (University Computing Service) have very kindly provided a list of those things that need to be turned off for a secure XP computer:
- How to secure Win XP for use on a network
- More windows security hints and tips.
- How to get at the hidden XP administrator account and maybe even set a password for it!
For those who run systems which offer significant external services (typically UNIX), the list of the good, bad and ugly is:
We like: ping, identd.
We can ignore: talkd, daytime, time, echo, discard, sshd.
We absolutely cannot tolerate: mail servers (pop, imap or sendmail), news servers (nntp), netstat, bind, IRC, NFS servers, anon ftp, passwordless accounts, httpd.
We don't like: daemons running as root whose functioning you cannot explain and justify.
(There is a friendly probing service provided by the University Computing Service - this works *only* if the machine responds to 'ping', which is a requirement of being connected to the network. It *is* possible to detect machines which do not respond to 'ping': these machines are connected illegally - read the Computer Misuse Act if you don't believe it - such machines will be disconnected and treated as the interlopers they are.)
To put it another way, we do not mind (much) what services are available from the physical computer (console), we mind a lot what services are offered to the world.
The only other way of causing major upsets is by excessive use of broadcasts or by emitting malformed packets.
The UCS recommendations (to be found on their security page) include an extremely strong recommendation that people running UNIX should read the newsgroup ucam.security.announce and a recommendation for ucam.comp.announce. Such newsgroups should be read at least weekly.
If you are running a Windows computer then please keep the OS up to date:
- Set Microsoft update to install automatically (or at least to download automatically and bug you to agree to install frequently).
The ultimate sanction
Any machine which is persistently found in an insecure state will, after a reasonable number of warnings, be disconnected, possibly permanently. (NB - the current CO views 'reasonable number of warnings' as a very small number...) The group is far too attached to its computers to permit anything to remain that is a risk to them. We also owe this service to the rest of the Cavendish and University. One person's recklessness can easily cost another part of the University substantial sums, as has been shown recently.
And try to find that elusive balance between running a computer and actually doing some research.