**Salsa Call 12-June-2008**

**Attending**
Chris Misra, U. Mass (chair)
Terry Gray, U. Washington
Jim Pepin, Clemson
Mike Van Norman, UCLA
Mark Poepping, CMU
Ken Klingenstein, Internet2
Doug Pearson, REN-ISAC/Indiana U.
Kevin Miller, Duke
Deke Kassabian, U. Penn
Renee Frost, Internet2
Rodney Petersen, Educause
Steve Olshansky, Internet2 (scribe)

**Action Items**

[AI] (Ken) will write a one-pager on the 2-port Internet, strategies associated, and why it is important in higher ed.

[AI] (All) review today's discussion about network access control and think how to roll it into a brief document for sharing with the community.

**Discussion**
- 2-port Internet conversation continued

The ISOC activity on identity, trust and the Internet is under way. RL "Bob" Morgan may attend the next IETF meeting and, if so, will be talking about this.

How does the campus security architecture problem fit with the 2-port Internet discussion? Should we focus less on solving the problems that security itself creates, and rely on IAM instead?

Firewall traversal continues to be a significant topic for researchers. Placing security devices (firewalls) closer to the hosts needing protection, rather than at the perimeter, seems a logical approach for sophisticated network infrastructures.

Three potential strategies:
1) define campus network architectures that offer the research community flexible capabilities in port management
2) create a web page through which ports can be requested to be opened
3) leverage identity in the basic protocols (via the IETF) to obtain the desired result, lower friction. This is a longer-term approach.

Alternatively:
1) L1 or L2 bypass infrastructure
2) (quasi-) real-time modification of the L3 blocking apparatus. "Architected control points" was suggested as a good term for this
3) build an overlay network that sidesteps the problem by tunneling everything over TCP port 443

It was noted that one of the founding principles of the Internet, and a reason for its success, was to keep the core simple and to implement what is needed to get work done between cooperating users at the endpoints.

Firewall traversal strategies pose many difficulties for users, while overlay strategies bring their own security issues.

We can probably influence campus behavior within the US (via the Campus Expectations Task Force, CETF), and to some degree that of our international NREN partners. Working through the IETF process will take longer.

- Deke's endpoint agent discussion

There is concern that installed software agents themselves pose security risks, since by definition they have extensive access to their hosts and can record a great deal of sensitive data. They could be significant threats to privacy.

Campuses have obvious goals in protecting their networks, but universities are very diverse and transient communities, very different from controlled corporate environments and with different expectations about privacy.

One campus related its experience with an agent-based monitoring system that posed such significant privacy and security concerns that it was deemed unusable. Attacks are increasingly aimed at security products themselves, which can increase potential exposure rather than reduce it.

Mobile devices such as phones and PDAs were discussed; generally campuses try to prevent sensitive data from being put on them. However, the medical environment is very dependent upon mobile devices and must accommodate them. How?

What is the policy? Are the systems capable of supporting different policies for different devices, for different types of access?

Q: What deliverables would make sense for Salsa in this area? E.g. how best to share this dialog and open it up more broadly?
A: Perhaps a one-pager position paper to share for comment and input? Brief presentation(s) at the Fall Internet2 Member Meeting - both a track session and as part of a current topics session? At the Educause Annual Conference?

Government policy, cloud computing, and IdM were mentioned as factors bringing added complexity to this topic.