TO: UCSB IT Staff
FR: Sam Horowitz, Chief Information Security Officer
Now that COVID-19 has reached our area, many UCSB faculty, staff, and students are starting to work remotely. The campus looks more like spring-break than part of a quarter. This remote workforce means that many people will be physically away from their desktop, IoT, and server equipment.
COVID will not stop patch Tuesday nor updates from Linux and other distributions. Systems on campus must remain patched, especially for critical vulnerabilities. The SOC will continue weekly vulnerability scans and notifications. Responsible administrators must act on these.
Ask faculty and staff who are leaving campus to turn off their desktop and lab machines if they won’t be used. Please remind them that they need to maintain systems that they leave running.
Remote system and network administration have risks. Remember the 11 Commandments for network and system administrators that Kevin Schmidt, Director, Network, Communications and Security Services sent to CSF last year in the wake of an outage from remote administration. It’s a good idea to keep these in mind and to share them with non-IT staff that manages desktops, IoTs, and servers across the campus.
- Never make a network change unless you can roll it back.
- Changes made from remote/off-site locations are generally a bad idea.
- Out-of-band access is a very good idea.
- Whenever available, use the vendor’s configuration management tools, such as “configure terminal revert timer 2” or “commit confirmed 2”, to automatically revert changes if they are not explicitly confirmed within a few minutes.
- Never create a network loop.
- Understand what a loop is and its implications.
- Use spanning-tree on all switches.
- On Linux systems, carefully scrutinize bond vs. bridge devices to ensure the correct type is used for each situation.
- Do not trust Linux network restarts as the results may be incomplete or inconsistent. Reboot to ensure consistent application of network configuration.
- If your network equipment provides rate-limit protection options, establish limits on Broadcast, Unknown and Multicast (BUM) traffic consistent with your planned network services.
- Test network configurations on an isolated network before connecting to production networks.
- If things break after you make a change, assume your change caused the breakage and investigate immediately. Report your outage to the NOC at x7755 in case the outage is of wider scope than you realize.
- Document specific repeatable steps (commands) that can be uniformly and repeatedly applied to networked devices. Ensure all team members have the same information.
- Make network topology changes outside of business hours.
- Share planned network-related changes ahead of time. Changes may be shared via the ETS Production Change Request process or by sending a brief email to firstname.lastname@example.org describing the planned change, start and end times, and potentially-affected networks.
- Default passwords and user IDs - never.
- Never be afraid to ask for help/advice/experience of others. We are all part of the same team.
The bonus item, No. 11, is a strength of working at UCSB where we have talented and knowledgable people. Information sharing has been the primary purpose of CSF, so don’t hesitate to ask.