Archive for the ‘Network’ Category

Access to Windows Remote Desktop blocked from outside ETH

Tuesday, January 3rd, 2017

In the last few weeks we discovered some attempted attacks on the Windows Remote Desktop feature from sources outside of ETH.

In order to protect both your machines and our network, we decided to block RDP access from ETH-external networks. If you still need access from outside the ETH network (e.g. from home) you have to first open a VPN connection to ETH and then start the Remote Desktop client.

More information about installing the VPN client is available here.

Network upgrade at D-PHYS

Friday, September 23rd, 2016

In collaboration with our colleagues in Informatikdienste we will use the upcoming months to upgrade the D-PHYS network in order to make it ready for the future. In particular, we will enable the IEEE 802.1X protocol in our network, which will allow us to virtually patch any VLAN to each individual client. This will also pave the way for the upcoming VoIP telephony deployment in D-PHYS. The migration will be a step-by-step process and we will visit each building and floor individually to address potential questions during the migration. The typical desktop or laptop computer will not notice the change except for a short interruption of < 1 min. Certain macOS clients will need a bit of persuasion, however; the required steps are described here.

Things will look a bit different for new clients that connect to the D-PHYS network for the first time only after the migration: they will not display the well-known ISG D-PHYS landing page, but an OS popup or a generic ETH page. This works the same way as the ETH wifi. You either supply your n.ethz credentials in the popup or you log in via the landing page. Your machine will then be patched into the ETH docking network. If you have a specific reason to have your machine in the D-PHYS network (HPx::745 for the technically inclined), please let us know and we will register your MAC address in our database – just like you did in the past. All existing machines at D-PHYS have been preregistered for HPx::745 in order to avoid any confusion.

So please be ready when Alex shows up in your group and announces the migration date.

Scheduled Maintenance Downtime Starting on Thursday, 14th of April, 5pm

Thursday, April 7th, 2016

Due to required changes to our network infrastructure and some hardware maintenance, we’re scheduling a maintenance downtime for most D-PHYS servers starting on Thursday, 14th of April 2016, at 5pm. The downtime will last several hours, and individual services may be down for longer than others or may be down multiple times in a row.

We’ll update this posting as soon as things are back to normal.

Most D-PHYS services will be affected by that downtime, especially file servers and e-mail services, but also some virtual machines and most websites hosted by ISG D-PHYS are affected. (http://www.phys.ethz.ch/ and other AEM-hosted websites are not affected.)

E-mails coming in during the downtime will be held on the sender’s side and will arrive at D-PHYS with a delay. Sending e-mails won’t be possible during the downtime either.

After the migration we will benefit from a faster and more reliable network connection to our servers.

Update at 19:30: Most services are back to normal. Expect further downtimes for home directories and mail later this evening.

Update at 23:00: All services are available again.

Update Fri 09:00: After Thursday’s network migration a defective patch cable caused network problems on Friday morning.

Windows Server 2003 reaches its End-of-Life in July 2015

Thursday, June 25th, 2015

Microsoft will provide a final bunch of patches for Windows Server 2003 on July 14th, 2015. After that, no more security and stability fixes are going to be released. This means that Windows Server 2003 machines that are still running conflict with the ETH Bot (Acceptable Use Policy for Telematics), which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETHZ continuously inspects the network streams for signatures of XP and Windows Server 2003 computers. If you have a running Windows Server 2003 machine connected to the public network, please migrate the operating system to a newer version, e.g. Windows Server 2012.

If you have any questions or need help, please do not hesitate to contact the ISG D-PHYS Helpdesk.

Server Maintenances this Week: E-Mail and BackupPC

Tuesday, June 17th, 2014

We have scheduled a software maintenance of the D-PHYS mail server for tomorrow, Wednesday, the 18th of June 2014, starting in the late afternoon around 5pm. A downtime of all D-PHYS mail services during the evening will be part of the maintenance. The downtime is expected to take approximately 15 to 30 minutes.

During the downtime, sending and receiving e-mails will not be possible and the web mail service will not be available. Incoming mails during the downtime will be delayed.

Additionally there will be a downtime of our “BackupPC” backup service for laptops and lab PCs due to server relocation on Thursday (19th of June 2014) starting around 9am.

Keep in Mind: Windows XP reached its End-of-Life one Month ago

Thursday, May 22nd, 2014

Microsoft provided a final bunch of patches for Windows XP in April 2014. Since then, no more security and stability fixes are going to be released. This means that Windows XP machines that are still running conflict with the ETH Bot (Acceptable Use Policy for Telematics), which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETHZ continuously inspects the network streams for signatures of XP computers. In the D-PHYS public networks they still detect around 15 Windows XP based computers. If you have a running XP machine connected to the public network, please migrate the operating system to a newer version, e.g. Windows 7.

In case you are forced to keep Windows XP up and running, you can migrate the machine to our eXile network. Simply send the required information to isg@phys.ethz.ch after you’ve read and understood the eXile Terms-of-Use, so we can prepare the machine for the eXile network.

If you have any questions or need help, please do not hesitate to contact the ISG D-PHYS Helpdesk.

Heartbleed OpenSSL Bug and D-PHYS Services

Friday, April 11th, 2014

On Monday the public was made aware of a severe bug in OpenSSL, a cryptography library which is used as the core of many cryptographically secured IT services. Since the bug was in the Heartbeat extension it has been named “Heartbleed”.

This bug allowed attackers to stealthily access parts of the memory used for cryptographic operations, which may include digital keys in use on servers or passwords transferred over encrypted connections.

If you used any password-protected D-PHYS web services or the D-PHYS mail server between the 12th of December 2013 (or used the BackupPC web interface since the end of 2012) and Tuesday, the 8th of April 2014, there is a very small chance that your D-PHYS password and possibly other transmitted data may have been leaked to an attacker. We currently have no indication that this has actually happened on our servers.

To be safe, you might want to change the password of your D-PHYS account and any other account where the same password is used. See this Heise article for a discussion (in German) about whether you should change your password or not.

How to keep your Windows XP Installations living on after End-of-Life

Friday, February 7th, 2014

As announced in an earlier post last year, Microsoft is going to end the support for Windows XP in April 2014.

After this date the central network security group of the ETH will frequently scan our public networks to identify any existing Windows XP machines. Every Windows XP machine detected by such a scan will be disabled on the network level since it is strictly prohibited to keep this operating system up and running on the public network of ETH.

Since we are aware that there may be Windows XP machines living on after the end-of-life date, we worked out a solution to support these situations and to help you avoid getting into conflict with the network usage regulations.

We founded a project called eXile which provides very locked-down network environments that are monitored by advanced security techniques and provide extensive firewall setups. Furthermore, eXile provides easy interfaces for you to manage your computers and to get an overview of the security state of, and network access to, your machines in eXile.

You can send your machines to the eXile when they match one of the following scenarios:

  • Lab computers (controlling, collecting measurement data, or monitoring other systems)
  • Industrial computers
  • Embedded systems

The following applications are not suitable for eXile and need to be migrated to a supported operating system:

  • Office Computers
  • Computers on which internet access needs to be available
  • Computers on which emails are received and sent
  • Computers that provide any services to public computers on the internet

Please note that eXile should not be seen as an excuse not to migrate your Windows XP to a supported operating system as soon as possible. The purpose of eXile is really only to address those few machines that are somehow locked to their operating system.

Although we invented eXile to address the Windows XP end-of-life problem, it is also capable of taking in any other computer for which you want to have an extra level of security or on which you run any other outdated or insecure operating system.

If you think your remaining Windows XP computers are candidates to send to eXile, we would be happy if you could send a message to isg@phys.ethz.ch and inform us about the number of computers and what application you are using these computers for. Later this month a web interface will be made available on https://exile.phys.ethz.ch/ where you can directly register every machine you want to send to eXile.

After eXile is fully online, another post will be submitted here.

HIT Building: Network Interruption next Friday Morning, 9th of March

Tuesday, March 6th, 2012

ID-Kom plans to upgrade the access routers of the HIT building next Friday morning (9th of March) between 6:00 and 7:30am. This causes a network interruption for about 15 minutes during this time in the HIT building.

All D-PHYS servers located in HIT D 13 are not affected by this interruption and are reachable from outside the HIT building at any time.

Network Interruption Today from 7pm to 8pm

Wednesday, December 7th, 2011

Today, the 7th of December 2011, around 7pm, there will be a complete network interruption in the whole Department of Physics for about one hour. The central ETH IT Services (“Informatikdienste”) will replace the hardware of the core router to the HPx network zone (includes the HIT building).

Wireless LAN should not be affected, but as the servers will be offline, too, you won’t have access to files or mails on the servers, i.e. don’t expect to be able to work during the network downtime. The technicians will reconnect the servers first, so access to the servers from the outside of the Department or via WLAN will be restored earlier than 8pm. Workstations and printers will get network access back afterwards.