As most of you are no doubt aware, our campus network and the
computers on it are increasingly threatened by people seeking to
steal information, conduct fraudulent transactions, deny service, or
simply demonstrate their ability to vandalize networks and attached
computers. A few computers at UVM have already been victimized.
Unfortunately, computers whose security has been compromised are a
threat to the entire campus network, not just that computer system.
Therefore it is essential that we protect all computers, even those
without valuable or confidential information. Even with increased
protection, some computers will be attacked, some successfully. It is
essential that we promptly detect and correct such intrusions.

At the urging of our external auditors, we have begun a process to
establish clearer security policies, strengthen our network defenses
and provide a higher level of default protection for computers on the
UVM campus network. In February UVM contracted with an external
consulting firm (Applied Computer Group) which specializes in network
security. Earlier this month they led a two-day examination with UVM
security experts of UVM's networking environment. A written report is
expected next week.

In the meantime, I have drafted a work-in-progress Web site
describing our plans at
Note that, among other things, the plan for strengthening of security
includes the following:
* A firewall
* Four classes of network protection
* Formal administrative requirements for unprotected servers

Your feedback, comments and questions will help us craft security
policy and implementations that maximize the protection and minimize
disruption. However, as most of you know, it is difficult to enhance
security without some effort and, quite likely, some disruption.
Please let us know what you think by responding to this list, or if
you prefer, to me directly.