Internet2 Network Security SIG

["Curtis, Bruce" <>]

Draft agenda from the co-chairs for the  Network Security BoF for the 
Internet2 Network 
Security Special Interest Group  at 12:10 pm December 12 in Suffolk room at 
TechEx.

Submit additional agenda items in a reply or just bring them up at the 
meeting tomorrow.

Was anyone affected by the Crowdstrike problem? 
Can you tell us how bad it was for you?

Who was not affected by Crowdstrike but use a product that has equivalent 
permissions and could cause the same issues? (Show of hands?)

The CUPS vulnerability - This was an interesting case study in disclosure and 
(mis) information. How did people react in the early stages (9.9! ) if at all?
There were claims by the person who reported the vulnerability that Apple was 
vulnerable also and counter claims by others that Apple had changed enough of 
CUPs to not be vulnerable.
Still waiting for the other shoe to drop.


Any expected issues on your campuses with Microsoft end of support for 
Windows 10 on October 14 2025?

Anybody affected by the open DNS resolver on AppleTV?

Have you all applied patches or work arounds for the Blast-RADIUS 
vulnerability?


Have stats that 95% of malware is delivered over encrypted sessions 
influenced anyones decisions about Next Generation Firewalls at your 
perimeter?


Do you use a VPN with MFA as a way to use MFA for legacy services that don’t 
support MFA? (Prompted by discussion at the #higherednetcomm day before 
EDUCAUSE)

Do you use a Policy Based VPN?

Are you happy with the grouping functions of your VPN or network? Would you 
be happier if devices could be in more than one role/group/segment?

ACU in Abilene presented at the #higherednetcomm day before Educauase that 
they are using TailScale which supports devices being in more than one group 
(ZeroTier supports this also).

Any IPv6 and security related topics? (IPv6 Privacy addresses and logs. NAT 
and logs.)

Anybody implemented EAP-TEAP? Allows EAP chaining and in theory allows 
Microsoft Windows to log onto eduroam with machine cert rather than user cert 
so machines 
         will be on the network even if no one is logged in. Useful for 
management. EAP-TEAP imple3mented in FreeRADIUS 3.2.3.


Anyone looking for help for a specific security issue at your campus?

Anyone looking for info on how others have handled a specific security issue 
at their campus?

Does anyone have interesting stories or reports on telemetry and/or flow 
analytics tools or data?

Reports on improvement in vulnerability management on your campus in the past 
year.

What are campuses current stances on border blocking and future plans? Is the 
Zero Trust movement influencing campuses to reduce border blocking? Or are 
campuses moving to more or different blocking at their borders?

Other reports, stories, comments etc?


What is Zero Trust? NIST SP 800-207 
   • Builds up trust by considering the entire context of the session being 
established
   • Moves defenses from static, network-based perimeters to focus on users, 
assets, and resources
   • Assumes no implicit trust based solely on network location or device 
ownership
   • Focuses on protecting resources, not network segments
Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527