Re: [Physics-Departmental-Computing] Services needed on a research computing desktop and laptop
Dear all, Apologies for this slightly spammy follow-up, but this seemed like a good group to ask about this:
Until what I think was a few weeks ago, I was able to use ssh and screen-sharing (vnc) to access my machine at Imperial, on the wired network with a fixed host name and IP address. From on-campus I could do this directly, and from off campus it required the vpn. It was also possible to use ssh via the sshgw machine from off campus even without vpn. I had successfully done this from other macOS machines, as well as iPads and iPhone with appropriate ssh and screen-sharing software.
Recently, all of these modes of access have become impossible. I do not think this is due to any changes on my machine itself. I have successfully been able to ssh from the machine to itself, but actually using its IP address, which I think at least means that it is accepting incoming ssh. But user error on my part certainly remains a possibility…
Is anyone else experiencing this? Is it a known change? Is it related to Unified Access (Zscaler), which as far as I know has not yet been deployed? Did I miss a communication about this? (This page <https://www.imperial.ac.uk/admin-services/ict/self-service/connect-communicate/remote-access/remotely-access-my-college-computer/> is unclear about whether any of this is currently possible.)
Many thanks,
Andrew
______________________________________________________________________
Professor Andrew Jaffe a.jaffe@imperial.ac.uk Astrophysics Group +44 207 594-7526 Blackett Laboratory, Room 1018B Imperial College, Prince Consort Road London SW7 2AZ UK http://imperial.ac.uk/people/a.jaffe
On 30 Nov 2022, at 10:39, Bantges, Richard J <r.bantges@imperial.ac.uk> wrote:
Hi David (and everyone else),
Having consulted with members in SPAT (those that have responded in time), here is our overview of services required on a research class machine:
(Below are my definitions of service classes, others may have different ones of course)
Admin Services: ICIS
Authentication Services: LDAP, Licence Servers (e.g. Matlab, IDL, etc.)
Communication Services: SSH (typically Port 22), FTP (?), Zoom, Access to Remote Data centres, Remote Desktop Gateway, Unified Access, VPN
Data Sharing Services: SMB Servers, HTTP / HTTPS servers, NFS Servers, File Exchange (retired in 2 days?), Sharepoint, Onedrive, etc.
Information Services: DNS, Library Journals
Productivity Services: Office365, HPC Interactive Services (e.g. Jupyter Notebook, etc.), Software Centre
Teaching Services: Blackboard, Starfish, Panopto, Secure College Webpages
The above is probably a non-exhaustive list, and I've no doubt once a clearer picture emerges of what a Research Class machine might look like, then there will be the hope that this can be iterated / fine-tuned to accommodate any niche requirements inherent with the breadth of research activities and their associated diverse requirements.
Thanks for your efforts towards defining this David.
Best wishes, Rich
-----Original Message-----
From: David Colling <d.colling@imperial.ac.uk>
Sent: 22 November 2022 20:17
To: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>
Cc: David Colling <david.colling@gmail.com>; Pearse, Will <will.pearse@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>
Subject: Services needed on a research computing desktop and laptop
Hi All,
I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.
As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).
In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:
service: Office365 (including sharepoint, email, OneDrive teams etc)
Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access to the email.
[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]
Service: ICIS (Payslips, expenses claims etc)
Access: Secure web access should be enough.
Service: Starfish
Access: Secure web access is sufficient.
What other services are needed and how?
Other comments:
- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.
So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.
Best, david
_______________________________________________
Physics-Departmental-Computing mailing list Physics-Departmental-Computing@imperial.ac.uk https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing
This looks like an issue with (or a deliberate change made to) the College's perimeter firewall so I'd suggest raising an incident ticket with the ICT service desk. I know ICT security/networks are tightening up a lot of the existing external access routes.
Andy
On Fri, 9 Dec 2022, Jaffe, Andrew H wrote:
Dear all, Apologies for this slightly spammy follow-up, but this seemed like a good group to ask about this:
Until what I think was a few weeks ago, I was able to use ssh and screen-sharing (vnc) to access my machine at Imperial, on the wired network with a fixed host name and IP address. From on-campus I could do this directly, and from off campus it required the vpn. It was also possible to use ssh via the sshgw machine from off campus even without vpn. I had successfully done this from other macOS machines, as well as iPads and iPhone with appropriate ssh and screen-sharing software.
Recently, all of these modes of access have become impossible. I do not think this is due to any changes on my machine itself. I have successfully been able to ssh from the machine to itself, but actually using its IP address, which I think at least means that it is accepting incoming ssh. But user error on my part certainly remains a possibility…
Is anyone else experiencing this? Is it a known change? Is it related to Unified Access (Zscaler), which as far as I know has not yet been deployed? Did I miss a communication about this? (This page <https://www.imperial.ac.uk/admin-services/ict/self-service/connect-communicate/remote-access/remotely-access-my-college-computer/> is unclear about whether any of this is currently possible.)
Many thanks,
Andrew
______________________________________________________________________ Professor Andrew Jaffe a.jaffe@imperial.ac.uk Astrophysics Group +44 207 594-7526 Blackett Laboratory, Room 1018B Imperial College, Prince Consort Road London SW7 2AZ UK http://imperial.ac.uk/people/a.jaffe
On 30 Nov 2022, at 10:39, Bantges, Richard J <r.bantges@imperial.ac.uk> wrote:
Hi David (and everyone else),
Having consulted with members in SPAT (those that have responded in time), here is our overview of services required on a research class machine:
(Below are my definitions of service classes, others may have different ones of course)
Admin Services: ICIS
Authentication Services: LDAP, Licence Servers (e.g. Matlab, IDL, etc.)
Communication Services: SSH (typically Port 22), FTP (?), Zoom, Access to Remote Data centres, Remote Desktop Gateway, Unified Access, VPN
Data Sharing Services: SMB Servers, HTTP / HTTPS servers, NFS Servers, File Exchange (retired in 2 days?), Sharepoint, Onedrive, etc.
Information Services: DNS, Library Journals
Productivity Services: Office365, HPC Interactive Services (e.g. Jupyter Notebook, etc.), Software Centre
Teaching Services: Blackboard, Starfish, Panopto, Secure College Webpages
The above is probably a non-exhaustive list, and I've no doubt once a clearer picture emerges of what a Research Class machine might look like, then there will be the hope that this can be iterated / fine-tuned to accommodate any niche requirements inherent with the breadth of research activities and their associated diverse requirements.
Thanks for your efforts towards defining this David.
Best wishes, Rich
-----Original Message-----
From: David Colling <d.colling@imperial.ac.uk>
Sent: 22 November 2022 20:17
To: Bresme, Fernando <f.bresme@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Keaveny, Eric E <e.keaveny@imperial.ac.uk>; Sternberg, Michael J E <m.sternberg@imperial.ac.uk>; Staffell, Iain L <i.staffell@imperial.ac.uk>; Pengelly, Ellen <e.pengelly@imperial.ac.uk>; Buchaca-Domingo, Ester <e.buchaca-domingo@imperial.ac.uk>; Bantges, Richard J <r.bantges@imperial.ac.uk>; Michalickova, Katerina <k.michalickova@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; Bryce, Craig T <c.bryce@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>
Cc: David Colling <david.colling@gmail.com>; Pearse, Will <will.pearse@imperial.ac.uk>; Cucinotta, Clotilde <c.cucinotta@imperial.ac.uk>
Subject: Services needed on a research computing desktop and laptop
Hi All,
I am sending this to the Physics Departmental Computing Committee and to the departmental members of the FRCC so that they can gather information from their departments.
As some of you know ICT are increasingly confining what people can do on college machines, even those bought on research grants and used by individual researchers. This has been most noticed by the change in the management of Macs. In my years involved in departmental computing, no issue has annoyed more people. Behind this is the increased number of attacks on university computing system which is visible both at Imperial and elsewhere. Some universities have been badly hit and have ended up paying £Ms to ransomware attackers. Apparently this is one of the things that keeps our President awake at night. This is clearly a threat that we have to take seriously, but it is also not clear how much damage could be done to college systems by a laptop or desktop used by a single (or team of) researcher(s).
In discussions with ICT the most sensible approach seems to be that we define a class of machine that is a research desktop or laptop that ICT don't manage but which also has limited access to college central systems. Most of us have no reason to access payroll (say) and in fact would view it as a security breach if we could. We have a meeting on the 30th November where we will discuss this proposed set up. What I need going into is the list of services that researchers would need access to from these research machines, how that access would them + any other thoughts/comments. For example the sort of thing that occurred to me are:
service: Office365 (including sharepoint, email, OneDrive teams etc)
Access: Is access through the secure web portal enough for most of these plus a mail client providing secure access to the email.
[I use Office365 much less than almost anybody to whom this email is going so am the least qualified to answer this one]
Service: ICIS (Payslips, expenses claims etc)
Access: Secure web access should be enough.
Service: Starfish
Access: Secure web access is sufficient.
What other services are needed and how?
Other comments:
- I don't think that it is unreasonable to have a requirement that the disks of all research laptops are encrypted in case they are lost when travelling. The performance hit is minimal and if that is important then running on a laptop might not be ideal.
So please do send me your thoughts (on services mainly) and comments. For once I would not be against you sending to everybody as I would welcome debate on this.
Best, david
participants (2)
- andy thomas
- Jaffe, Andrew H