Getting Started
On The More Secure Network

Introduction
While ITC has developed rather voluminous documentation for departmental migrations to the More Secure network, the process itself is typically quite simple. However, a little early testing and planning will go a long way towards easing the workload involved with your department's migration.

At this time (Spring/Summer 2004), ITC is only working with departments with LSPs who will be able to do the majority of the work themselves and need only occasional assistance from ITC. Our longer term goal is for most faculty and staff workstations to be migrated to the More Secure network. The basic steps in the migration process are:

  1. Network Tools Access
    Obtain permission from your Department Chair or Dean for access to the Network Tools. These tools will allow you to move your users between the Less and More Secure networks, change their Ethernet speed between 10 and 100 Mbps, turn ports on and off, and access some diagnostics. Note: the tools control Ethernet ports that are centrally managed and have a single attached workstation. These are the ports that are associated with a telephone or for which the department is paying the $5/month network jack charge. Send email to secnet-info@virginia.edu for a copy of the request form that needs to be signed by the LSP and the Dean or Department Chair.

  2. Initial Testing
    Skim over the rest of the documentation and then move your personal workstation to the More Secure network and start using this computer for all of your normal work. This will help to ensure that the applications used commonly in your department function properly on the More Secure network. You will most likely find that all of your departmental applications work without problems. A large number of common applications and services were tested during the early stages of the More Secure network project.

    If your department operates a Windows server environment, pay particular attention to your workstation and server configuration. If your workstation has a standard configuration and uses WINS to locate your servers, simply moving your workstation to the More Secure network with the Network Tools should work well. If you do not use WINS, please see the section on Broadcast Services later in this document before moving your workstation.

  3. Departmental Migration
    The process for migrating your department's workstations is pretty much the same as for moving your personal computer. You use the Network Tools to locate each user's computer, switch the computer's network port to the More Secure network, and then reboot the workstation to obtain its new IP address on the More Secure network.

    We recommend that all LSPs carefully read the sections on migrating servers and Active Directories before attempting to migrate these services to the More Secure network. Migrating your servers is typically the last step in a departmental network migration.

Migration Documentation
Before you begin developing your plan for moving devices to the MSN, it is important to determine the set of devices that will be moved. Moving all the devices you have identified may not be possible.

Verify that the More Secure network is available in your building.
The secure network will eventually be available in all buildings. If you do not find your building in the More Secure network Building List, send email to secnet-info@virginia.edu and ask about the priority of your building.

Determine your approach.
1. Plan the overall migration process and set a tentative timetable
2. Consider how you wish to share information with your department
3. Review the Departmental Decisions listed in the Rules
4. If you wish to move your users, have your Dean or Department Chair sign the Form required to give you access to the Network Management Tools.

Identify the devices you wish to move.
A checklist (coming soon) has been developed to help you with your move. It is for your use only; you do not need to submit it to ITC. So, if you'd like to make any changes, please feel free to do so. If you think your changes would help other LSPs, let us know (secnet-cdp@virginia.edu) and we'll try to incorporate them.

As discussed in the Rules, some devices are not allowed or cannot function on the MSN, and in evaluating the pros and cons of security, you may decide it doesn't make sense to move others.

1. Workstations
Not Allowed:
• Departmental Public Lab workstations
• Workstations which interface with both the MSN and the standard University network, including wireless
• Workstations which are accessible when the owner is absent. (Machines on the MSN must be in a physically protected space.)
• Privately-owned workstations (examples include Undergraduate and Graduate student-owned workstations).

Require Further Consideration:
• University-owned workstations that are used by graduate students.
Very often graduate students are working with sensitive data that should only be available to devices on the MSN. If this is the case, then the graduate student must have a faculty sponsor and an Exception Form (link to form coming soon) signed by both the student and the professor. Any such machine must be centrally managed, using login authentication, etc. If, however, the data is not sufficiently sensitive to require this level of protection, then other means of protecting the machine should be explored.
• Communication between workstations when one of them is not on the MSN.
If two workstations communicate with each other and one of them is moved to the MSN, then all communication must be initiated by the one that is on the MSN. If this isn't possible, then the workstation should not be moved.

2. Servers
Not Allowed:
• Servers that interface with both the MSN and the standard University Network
• Servers that are accessible when the administrator is absent. (Servers on the more secure network must be in physically protected space.)

Require Further Consideration:
• A Server that is accessed by students for course-related work/materials.
Such servers should be secured by other means such as a firewall. Anyone not on the MSN must use an MSN VPN to gain access; however, MSN VPNs are only for faculty, staff, and students with a work-related need. Note: a system that holds sensitive information such as credit card numbers, social security numbers, birth dates, etc., should be located on a Level-3 network. Servers on Level-3 networks can be accessed from both on and off of the More Secure network.
• Servers that must be freely accessible from outside the MSN
Some faculty and staff maintain servers that host information used by people both within and outside of UVa. Once such a server is moved to the MSN, it will not be publicly accessible.
• Departmental centrally managed push servers.
If you provide centrally managed services and you are moving some of the clients that take advantage of these services to the MSN, then you will need to set up another server on the MSN to handle your secure clients. If you have a departmental Norton AntiVirus server, you may not need to set up another server. Using the departmental server, you can configure clients to run auto-update or go to the Symantec site.
• Active Directories with Exchange Services
Since inbound holes will not be made in the MSN, moving Exchange Services is not recommended. Doing so may cause replication and schema problems with Active Directory. Leaving the domain controllers on the public network and protecting them with a Windows IPSec policy will simplify your life.

3. Printers/Other Services (Coming Soon)
Remember that users on the regular University Network cannot send jobs to printers that are on the MSN.
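
The rule that runs through the workstation, server and printer sections above (a device on the MSN cannot be reached by connections started from the regular University network) can be checked against connection records before a move. The following is an added example, not ITC's tooling: the record format, the addresses (documentation ranges), the planned-device list and the function names are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records: (initiator, responder, responder_port).
# Addresses come from documentation ranges; none are real hosts.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.20", 445),    # planned host opens a share elsewhere
    ("192.0.2.20", "192.0.2.10", 3389),   # outside workstation connects in
    ("203.0.113.7", "192.0.2.30", 80),    # outside client reaches dept server
    ("192.0.2.40", "192.0.2.50", 9100),   # regular-network user prints
    ("192.0.2.10", "192.0.2.50", 9100),   # planned host prints (both on MSN)
    ("192.0.2.60", "198.51.100.5", 443),  # planned host only initiates
]
# Hypothetical list of devices the department intends to move to the MSN.
PLANNED_MSN = ["192.0.2.10", "192.0.2.30", "192.0.2.50", "192.0.2.60"]


def inbound_blockers(flows, planned_msn):
    """Map each planned MSN host to the (initiator, port) pairs that would
    stop working: the initiator stays off the MSN, the responder moves on."""
    msn = {ip_address(h) for h in planned_msn}
    blocked = defaultdict(set)
    for src, dst, port in flows:
        if ip_address(dst) in msn and ip_address(src) not in msn:
            blocked[dst].add((src, port))
    return {host: sorted(peers) for host, peers in blocked.items()}


def safe_to_move(flows, planned_msn):
    """Planned hosts with no observed connections initiated from off the MSN."""
    blockers = inbound_blockers(flows, planned_msn)
    return sorted(h for h in planned_msn if h not in blockers)


if __name__ == "__main__":
    for host, peers in sorted(inbound_blockers(SAMPLE_FLOWS, PLANNED_MSN).items()):
        for src, port in peers:
            print(f"{host}: connection from {src} to port {port} would fail")
    print("no inbound dependencies:", safe_to_move(SAMPLE_FLOWS, PLANNED_MSN))
```

A flagged device either stays on the regular network or its off-MSN peers connect through an MSN VPN, as the rules above describe.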

© 2008 by the Rector and Visitors of the University of Virginia.
