
Security

Many people do not realise how insecure most networks are. Even modern switched networks remain vulnerable to sniffers, which are programs that capture traffic on a segment of the network and can view all passing information, even to the extent of inserting commands without the victim's knowledge. Using a sniffer, someone can potentially see your email, your account passwords and the URLs you visit, and read the contents of your messages unless you take precautions.

Encryption is particularly important to protect your identity (userid and password) during the authentication process, even if you are not concerned about securing the content of your messages. At a minimum, you should avoid applications that send userids and passwords in clear text, and instead use applications that encrypt them. Applications to avoid include POP and IMAP email clients without the option to encrypt the userid and password, as well as telnet and ftp, which authenticate using plain text.

Switched Subnets and Privacy
Traffic is vulnerable to sniffing primarily within the sub-network (subnet – typically a building or lab or virtual LAN – vlan) to which the client machines connect, whereas the building and backbone segments of the campus network are less easily attacked. Subnets and vlans are used to partition the campus network, routing local traffic locally, localising broadcast traffic, and confining traffic congestion within the particular subnet on which it occurs. This approach assists to a limited degree with security, in that users in the departmental neighbourhood may notice if a stranger plugs in a computer (loosely analogous to a ‘neighbourhood watch’ programme).

Machines in private offices are registered to an accountable individual - a specific University employee - and issued a static IP number. Optionally, the machine can be registered with off-campus access enabled (i.e. allow Internet access; otherwise it can only access on-campus networking services). If a machine does not have off-campus access enabled, the owner can request that the port be placed on the MacConnect network to require authentication of the user as a member of the McMaster community.

Public area network access for portable computers (wired or wireless ‘MacConnect’ connections) uses network access control (Cisco Clean Access) to ensure security of the authentication process during session initiation, as well as to perform some validity checks on the client machine before providing access. With a large distributed network the risk of snooping is greater than in private office areas, and with increased use of on-line systems for confidential information, such as student registration and financial data, it is increasingly important to provide an environment within which the network can be considered 'safe' by default. Use of the VPN is recommended to ensure security when accessing the University network from off-campus, enabling such tasks as system management to be performed as securely as if from on-campus.

The MacConnect mechanism is being extended to connect public-area data jacks, such as those located in classrooms, but until this is complete, done (it depends on the currency of the networking electronics in the another mechanism is provided for mobile computers. This entails registering the computer’s network card MAC address to enable dynamic IP address assignment (DHCP) within the room or building area where the portable computer will be used.

Why is off-campus access to the Internet controlled?
Anonymous use of the network contravenes the acceptable use policies of our Internet suppliers and peer networks, so public-area users must log in to access resources on campus and on the Internet, and private office users must register their computer before use. Registration enhances security as well as fulfilling our ISP obligations by ensuring that if problems are brought to our attention, they can be traced back to the system causing the problem and promptly rectified. If this is not done, other users' systems can become infected by malfeasant code.

UTS provides off-campus access to the general Internet, as well as to other peer networks through ORION Networking and Cogent Communications. ORION provides data communications services to support the research, education and information transfer needs of its members. Access to the Internet is available to all members of the University, on the proviso that they have authenticated to identify themselves as members of the community at the time of use (cf. policy: Code of Conduct).

With MacConnect access, whether wired data jacks or wireless access points, the individual must identify her/himself using a pre-established McMaster account (the same account you may already use for web proxy, modem pool, or student lab access) (cf. UTS Accounts for Access to Network Services), before accessing the network.

Server Systems & the Campus Firewall
By default, the campus firewall is configured to protect the majority of McMaster computers from common forms of outside attack. Machines protected by the firewall are not visible to network queries initiated from an off-campus source, although they can themselves initiate interaction with off-campus network services, provided off-campus access is enabled.

Servers (machines configured to provide networking services) must be registered in an exception list in order to escape this firewall protection and be accessible to queries originating from off-campus sources. Machines on the exception list are then unprotected by the general-purpose campus firewall, and particular care must be taken by the system administrator to ensure that all necessary precautions have been taken to shield them from outside attack. These precautions might include private firewall hardware or software with rules specific to the service provided (i.e. more narrowly focused on the customers served than the generic rules that apply to everybody in the campus firewall).
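
The default behaviour and the exception list described above can be modelled in a few lines. The following is an added illustration, not the campus firewall's actual rule set: the class name BorderFirewall, the address ranges and the host entries are all constructed for the example. It shows why a machine on the exception list needs its own, narrower rules.

```python
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")  # constructed range standing in for the campus network


class BorderFirewall:
    """Toy model of the default policy described above (hypothetical, not the real rules)."""

    def __init__(self, off_campus_enabled, server_exceptions, host_ports=None):
        self.off_campus_enabled = set(off_campus_enabled)  # hosts registered for Internet access
        self.server_exceptions = set(server_exceptions)    # hosts exempted from campus protection
        self.host_ports = host_ports or {}                 # server's own firewall: host -> open ports
        self.flows = set()                                 # connections initiated from campus

    def decide(self, src, sport, dst, dport):
        src_in = ip_address(src) in CAMPUS
        dst_in = ip_address(dst) in CAMPUS
        if src_in and dst_in:
            return "allow: on-campus traffic"
        if src_in:
            if src not in self.off_campus_enabled:
                return "deny: off-campus access not enabled"
            self.flows.add((src, sport, dst, dport))       # remember it so replies can return
            return "allow: outbound"
        if not dst_in:
            return "deny: not campus traffic"
        if (dst, dport, src, sport) in self.flows:
            return "allow: reply to campus-initiated flow"
        if dst not in self.server_exceptions:
            return "deny: unsolicited inbound"
        # Exempt server: the campus firewall steps aside, only the host's own rules remain.
        allowed = self.host_ports.get(dst)
        if allowed is not None and dport not in allowed:
            return "deny: host firewall"
        return "allow: exception list"


def demo():
    # Constructed hosts: .10 is an office PC, .80 and .81 are exempt servers, .81 has its own rules.
    fw = BorderFirewall({"192.0.2.10"}, {"192.0.2.80", "192.0.2.81"}, {"192.0.2.81": {443}})
    outside = "198.51.100.7"
    return [
        fw.decide(outside, 40000, "192.0.2.10", 22),    # unsolicited query to a protected PC
        fw.decide("192.0.2.10", 50000, outside, 443),   # PC initiates a connection
        fw.decide(outside, 443, "192.0.2.10", 50000),   # reply to that connection
        fw.decide("192.0.2.11", 50000, outside, 443),   # PC without off-campus access
        fw.decide(outside, 40000, "192.0.2.80", 23),    # exempt server, no private firewall
        fw.decide(outside, 40000, "192.0.2.81", 23),    # exempt server with service-specific rules
    ]
```

The last two results differ only because the second server carries its own port rules: a forgotten telnet listener on the first exempt server is reachable from off-campus, while the same listener on the second is not.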

Machines need not be included in the server exception list in order to be administered by McMaster staff from an off-campus location. The VPN service can be used for this purpose, since once a tunnel is established, the system administrator can proceed as if she/he were located on-campus, with all traffic encrypted.
