Salsa call 24-July-2008

**Attending**
Chris Misra, U. Mass (chair)
Joe St. Sauver, Internet2/U. Oregon
Ken Klingenstein, Internet2
Terry Gray, U. Washington
Rodney Petersen, Educause
Deke Kassabian, U. Penn.
Doug Pearson, REN-ISAC/Indiana U.
Mark Poepping, CMU
Chas DiFatta, CMU
Steve Olshansky, Internet2 (scribe)

**Action Items**
[AI] (Anyone interested) in participating in Deke’s “security and privacy issues related to installed endpoint agents” panel at the Fall Internet2 Member Meeting please contact Deke.

[AI] (All Interested) in participating in a side call to discuss the 2-port Internet document, please send mail to Ken and Terry.

**Discussion**

We reviewed Joe’s matrix of proposed areas of work for Internet2 related to security, which will be submitted to AMSAC in the context of the strategic plan.

Comments:
While spam is obviously a problem, it isn’t really a security issue, except as it relates to phishing. OTOH compromised hosts used to send spam are clearly a security issue.

2-port Internet issues could be more in the category of network management, but to the degree that it is important it will likely remain on the list.

This matrix is intended to be very inclusive, to be prioritized later in the context of Internet2’s carrying capacity and community priorities. Some or many of these areas might e.g. be taken up with the STF, or perhaps by them alone.

It was noted that many institutions are very decentralized and/or understaffed, which came to light in the context of responses to the recent DNS vulnerabilities. How could or should this affect our recommendations?

Highlighted as important separate areas:
- Management/governance issues around distributed services
- DNSSEC (e.g. training & awareness)
- Password management and improvement (i.e. multi-factor authn)

- Deke proposed a session for the Fall Internet2 Member Meeting on the topic of security and privacy risks associated with agents installed on endpoints for NAC etc. [AI] (Anyone interested) in participating in this panel please contact Deke.

- Doug discussed problems related to un-patched vulnerabilities observed across .edu. In response to the recent DNS issues, Doug undertook significant outreach to public lists populated by higher-ed IT and security staff and managers, but we saw very little response. What else could we be doing in our outreach?

- The group discussed Terry and Ken’s 2-port Internet document.
This falls more into the category of network management than security, although it really falls at the intersection of the two. This is in response to seeing campus networks being closed down to ports 80 and 443, and the problems applications have in traversing firewalls.

If this does in fact seem to be an overarching significant theme, then Ken will work to elevate it to a flagship issue for Internet2 since it affects advanced applications which are at the core of its mission. Consensus on the call is that if we can move the discussion forward, and this document appears to be a good step toward doing so, then this is a worthy effort. It was also noted that CIOs really need to embrace this for it to ultimately have a positive effect.

Videoconferencing was discussed as a potential driver for changing network architecture, but other advanced applications would seem to be more significant drivers since videoconferencing is somewhat easily accomplished by end users on their own.

The growing ubiquity of wireless devices and virtualization are factors that are affecting network management, and may be countering the importance of high-speed networking going forward. Thus the appropriate strategic investment decision making to support high performance applications becomes a tricky question.

[AI] (All Interested) in participating in a side call to discuss this document, send mail to Ken and Terry.