A plan by the Firedrake software development group in Maths to use four rackmounted Mac Minis in a build farm to help develop a Mac version of this software has been completely scuppered to date by ICT's insistence that all Macs - even those used as servers only accessible via ssh on isolated networks not connected to any College network - must be remote-managed by ICT via Apple DEP. With hindsight Maths should have bought these Macs from, say, PC World in Kens High St, not through an "authorised Apple dealer".

Regarding services - and speaking for both the Maths dept and the Condensed Matter Theory group in Physics (CMTH) - almost all these research users use Linux or Mac desktop/laptop systems, for whom the most important services are ssh (including services that rely on ssh such as scp & sftp) and https-based network connectivity. Most Linux/Mac applications use (or can easily be configured to use) ssh & https transports, and ssh itself can also be used to create VPNs, using its tunneling & port forwarding features. Access via ssh to external services, institutions, etc. is vital for these users, as is the ability to use ssh for remote access into Maths & CMTH systems.

Maths research IT is server-based & independent of central ICT services, although for backwards compatibility, login services on a few systems do access a subset of the College user account authentication maps via the central LDAP servers, and central ICNFS home directory storage is used by some users with low storage space requirements. On the other hand, the workstation-based CMTH cluster is entirely independent of ICT with its own LDAP and user storage servers. With departmental facilities like these, many research users have no real need to use central services other than the network and DNS look-up servers, and there should be no need for research systems to be policed in the way ICT envisage.
The College has a perimeter firewall and ICT are at liberty to run penetration/security tests on any systems they are unhappy about.

Andy

On Tue, 22 Nov 2022, David Colling wrote:
Hi All,
I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.
As some of you know, ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing systems, which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).
In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into it is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example, the sort of things that occurred to me are:
Service: Office365 (including SharePoint, email, OneDrive, Teams, etc.)
Access: Is access through the secure web portal enough for most of these, plus a mail client providing secure access to the email?
[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]
Service: ICIS (Payslips, expenses claims etc.)
Access: Secure web access should be enough.

Service: Starfish
Access: Secure web access is sufficient.
What other services are needed and how?
Other comments:
- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal, and if that is important then running on a laptop might not be ideal.
So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.
Best, david
_______________________________________________
Physics-Departmental-Computing mailing list
Physics-Departmental-Computing@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing