dtf report erez etzion 78 accu meeting december 5, 2007
TRANSCRIPT
DTF report
Erez Etzion78 ACCU MeetingDecember 5, 2007
Closure of VPN services• Motivation – risk of worms• Decision – discontinue on January 29th 2008• Recommended modifications listed on the IT site (mail, internal
web, DFS, Terminal services, SSH)• In some cases the alternative working methods are less convenient
and/or provide reduced performance compared to VPN. • Windows DFS File synchronization is not possible from off-site
without VPN. File transfer (including mapping a local disk to a WTS session) is possible.
• Remote installation of software was possible with VPN. This practice is not recommended therefore no alternative will be provided. Users must instead bring their computers physically to CERN.
78 ACCU Meeting Desktop Forum report, Erez Etzion 2
Special cases ..
• If a case were to arise where VPN is vital for the mission of the organization and no alternative solution is available within the timescale, a temporary extension could possibly be maintained for the user concerned. This would require that the case is justified and supported by the user’s Department Head (or Deputy). The configuration of the device and working method of the user connecting to VPN would need to be agreed by a member of the security team in order to minimise the risk.
78 ACCU Meeting Desktop Forum report, Erez Etzion 3
USER suggestionCISCO secured VPN access
78 ACCU Meeting 4Desktop Forum report, Erez Etzion
Restrictions on running Skype P2P software at CERN
• The use of Skype P2P telephony software is NOT permitted at CERN. • Article 4.1 of the Skype End User License Agreement allows computers
running Skype to be used to route third party traffic. The algorithm which Skype uses to select these so-called "supernodes" appears to take account of bandwidth availability. We have seen in practice that computers running Skype at CERN become supernodes rather quickly. Its use is therefore not permitted within the CERN site.
• To our knowledge, other IP telephony products do not cause such problems, e.g. Microsoft Messenger included by default in Windows/XP (but note that you may need to upgrade to the latest version). Information for NICE users is available at http://cern.ch/mmmservices/Tools/Messenger.
78 ACCU Meeting 5Desktop Forum report, Erez Etzion
NEWS - after a lot of effort there is good news. All has been agreed to allow the use of skype at CERN "as is" so with no support from CERN. This is waiting final approval by the office of the Department Head copied on this mail.