MinUWet - Feature Update
MinUWet has been live on campus for more than a month. A few additions were made this month.
- CSAG recommended Windows 2000 not be added to the MinUWet supported OS list. Supporting 2000 would require me to do more work, and it doesn't have standardized features. The general consensus was that 2000 is history and we should be looking forward.
- "memory": after reporting a minuwet success, minuwet now stores the MAC address so the user is preapproved for one week. The memory feature is local to each NAA (it's not shared among NAAs), but this is still an improvement over forcing a run every time. Machines that fail minuwet are not remembered.
- many PDAs are now recognized, even ones which erroneously report Windows 95 as the OS. I'm working with individuals as they report their findings.
- previously, Firefox users could enable a special stealth mode so their systems would not be detected as running Windows. A new NAA feature overcomes the stealth mode. It is still possible to fool us, but it's getting harder, while at the same time the memory feature is making cloaking less important to the user.
MinUWet Memory Details
- the new memory feature significantly reduces the number of times 'responsible' Windows users must run MinUWet.
- approximately 2/3rds of MinUWet users' sessions are pre-approved
- should not result in greater vulnerabilities, because clients' computers had current AV defs and system patches within the last seven days
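
A sketch of the memory behaviour described in the two lists above (MAC stored on success, one-week preapproval, storage local to each NAA, failures not remembered), added here as an illustration and not MinUWet's own code. The names NaaMemory, normalize_mac, record_result, is_preapproved and purge_expired are hypothetical, and clearing an earlier approval on a failed run is an assumption.

```python
import re
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(days=7)  # "preapproved for one week" (from the page)

def normalize_mac(mac):
    """Map 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e and 001a.2b3c.4d5e to one key."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class NaaMemory:
    """Approval memory held by one NAA (hypothetical class); instances share nothing."""

    def __init__(self):
        self._approved = {}  # canonical MAC -> time of the last successful check

    def record_result(self, mac, passed, now):
        key = normalize_mac(mac)
        if passed:
            self._approved[key] = now
        else:
            # Failures are never remembered. Assumption: a failed run also
            # clears any earlier approval held for that MAC.
            self._approved.pop(key, None)

    def is_preapproved(self, mac, now):
        key = normalize_mac(mac)
        stamp = self._approved.get(key)
        if stamp is None:
            return False
        if now - stamp >= APPROVAL_WINDOW:
            del self._approved[key]  # expired: the client must run the check again
            return False
        return True

    def purge_expired(self, now):
        """Drop stale entries in bulk; returns how many were removed."""
        stale = [m for m, t in self._approved.items() if now - t >= APPROVAL_WINDOW]
        for m in stale:
            del self._approved[m]
        return len(stale)

if __name__ == "__main__":
    t0 = datetime(2006, 4, 10, 9, 0)  # constructed sample time
    naa_a, naa_b = NaaMemory(), NaaMemory()
    naa_a.record_result("00-1A-2B-3C-4D-5E", True, t0)  # constructed sample MAC
    print(naa_a.is_preapproved("001a.2b3c.4d5e", t0 + timedelta(days=3)))
    print(naa_b.is_preapproved("00:1a:2b:3c:4d:5e", t0))
```

Normalizing the address before it is used as a key keeps one client from appearing as several entries when its MAC is reported in different notations.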
MinUWet Presentation
I presented MinUWet at a Friday morning IST seminar on April 7th. Some of the popular topics were:
- PDA support - we will soon (this week) support more PDAs
- only requiring minuwet once-per-week - it will be greatly appreciated
- what if a visiting scholar's laptop fails? Reg seemed to answer this one before I had a chance: we simply don't want vulnerable computers on our network, no matter who owns them.
- I summarized that we are maybe a year or two ahead of others, but that client validation agents will eventually be commonplace. Reg added that we are being very liberal.
Villages, Unmanaged Grads, MinUWet and NAAs
Village computers and unmanaged grad student computers in offices have a lot in common with wireless computers:
- they frequently have viruses and consume our IT support time
- they frequently are involved in large uploads and downloads, and we must hunt them down
- often they are laptop devices and so they can move around
- they should be on client-only subnets, or even better, behind a firewall
I am increasingly believing we should consider putting them behind MinUWet and NAAs.
- minuwet is effective at reducing virus threats
- the NAA traffic shaping is effective at reducing overuse; this contrasts with the present system, which involves punishment after the fact.
- the present village system was largely written by someone who will be retiring.
- it makes sense to users if we use consistent logic on campus and in the residences.
There are changes we can make to match our needs:
- the NAA rulesets can effectively be turned into a binary search rather than the current linear search
- if we use the NAAs as bridges (rather than routers), we can use hardware-based traffic prioritization rather than the current software-based queues. This could allow the system to be more scalable.
Engineering Computing Servers Moving
Most critical Engineering Computing servers will be moving to the new Physics wing (the SharcNet server room) later this month.
Email Address Issues
- current discussions about UW Email mention the problem of blank UWdir Email address fields
- Reg also runs into problems reporting network security issues when users have no UWdir Email forward
- some of those blank Email fields have nexus accounts, so we can use the organization of nexus to determine which department sponsors the userid, and then ask them to update the field!
- I submitted detailed lists of users to each faculty on campus; here is a summary:
- 90358 users in uwdir
- 30% - 26759 have no uwdir Email entry (many are historical and not important)
- 10% - 9453 with no Email entry exist on nexus
- 10% - 8676 are nexus and UWuserids (prob. students) who never activated Nexus account nor can use it to logon through nexus
- 0.9% - 775 are or were active nexus accounts
- AHS: 9
- Arts: 65
- CS: 185
- Eng: 100
- FES: 24
- Math: 296
- Sci: 93
- 0.7% - 662 have not been logged into nexus in 2006
- 0.1% - 110 are active nexus accounts (used in 2006), we must update them