Internet2 Network Security SIG

[Adair Thaxton <>]

Meeting notes are updated – if I missed anything, feel free to add it.

 

 

From: <> on behalf of Adair Thaxton <>
Date: Thursday, December 12, 2024 at 12:34 PM
To: Curtis, Bruce <>, <>
Subject: Re: [netsec-sig] Netsec-SIG BOF draft agenda

Please correct names and affiliations as necessary, I did my best 😊

 

https://spaces.at.internet2.edu/display/SWG/2024-12-12+Meeting+notes

 

 

From: <> on behalf of "Curtis, Bruce" <>
Date: Wednesday, December 11, 2024 at 1:15 PM
To: <>
Subject: [netsec-sig] Netsec-SIG BOF draft agenda

Draft agenda from the co-chairs for the  Network Security BoF for the Internet2 Network
Security Special Interest Group  at 12:10 pm December 12 in Suffolk room at TechEx.

Submit additional agenda items in a reply or just bring them up at the meeting tomorrow.

Was anyone affected by the Crowdstrike problem?
Can you tell us how bad it was for you?

Who was not affected by Crowdstrike but use a product that has equivalent permissions and could cause the same issues? (Show of hands?)

The CUPS vulnerability - This was an interesting case study in disclosure and (mis) information. How did people react in the early stages (9.9! ) if at all?
There were claims by the person who reported the vulnerability that Apple was vulnerable also and counter claims by others that Apple had changed enough of CUPs to not be vulnerable.
Still waiting for the other shoe to drop.


Any expected issues on your campuses with Microsoft end of support for Windows 10 on October 14 2025?

Anybody affected by the open DNS resolver on AppleTV?

Have you all applied patches or work arounds for the Blast-RADIUS vulnerability?


Have stats that 95% of malware is delivered over encrypted sessions influenced anyones decisions about Next Generation Firewalls at your perimeter?


Do you use a VPN with MFA as a way to use MFA for legacy services that don’t support MFA? (Prompted by discussion at the #higherednetcomm day before EDUCAUSE)

Do you use a Policy Based VPN?

Are you happy with the grouping functions of your VPN or network? Would you be happier if devices could be in more than one role/group/segment?

ACU in Abilene presented at the #higherednetcomm day before Educauase that they are using TailScale which supports devices being in more than one group (ZeroTier supports this also).

Any IPv6 and security related topics? (IPv6 Privacy addresses and logs. NAT and logs.)

Anybody implemented EAP-TEAP? Allows EAP chaining and in theory allows Microsoft Windows to log onto eduroam with machine cert rather than user cert so machines
         will be on the network even if no one is logged in. Useful for management. EAP-TEAP imple3mented in FreeRADIUS 3.2.3.


Anyone looking for help for a specific security issue at your campus?

Anyone looking for info on how others have handled a specific security issue at their campus?

Does anyone have interesting stories or reports on telemetry and/or flow analytics tools or data?

Reports on improvement in vulnerability management on your campus in the past year.

What are campuses current stances on border blocking and future plans? Is the Zero Trust movement influencing campuses to reduce border blocking? Or are campuses moving to more or different blocking at their borders?

Other reports, stories, comments etc?


What is Zero Trust? NIST SP 800-207
   • Builds up trust by considering the entire context of the session being established
   • Moves defenses from static, network-based perimeters to focus on users, assets, and resources
   • Assumes no implicit trust based solely on network location or device ownership
   • Focuses on protecting resources, not network segments
Bruce Curtis
Network Engineer  /  Information Technology
NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527