ANL Computer Systems Administrator Rule

Memo

The Physics Division has recently been migrating to a new network infrastructure. Besides being faster and more up-to-date, the new network infrastructure allows the Division to more fully comply with the cyber-security rules here at Argonne. Specifically, the network hardware supports segmentation of the network into zones. For the purpose of this discussion, there are 2 zones in the Division--a PHY zone and a visitor zone.

The cyber-security rules issued by the laboratory in compliance with DOE regulations require that all machines in the PHY zone be installed, configured, and administered by an approved ANL systems administrator. Machines that are not administered by an approved ANL administrator are considered to be visitor machines and must be connected into the visitor zone. The visitor zone provides internet connectivity, but from the lab's network perspective, is considered non-ANL, untrusted, and off-site. This means that a visitor machine has limited access to lab and divisional network resources.

As part of ongoing efforts to improve our compliance with the ANL cyber-security rules, the Division is proposing to implement the following rule:

A machine connected to the PHY network zone must be administered by an approved ANL systems administrator.

There are, of course, many aspects to implementing this policy. For example, its implementation requires the upgrade of all PCs to Windows 2000 or to the equivalent system for the Apple-based systems. In addition, a number of modifications to the Division's systems will have to be made to allow access to printers and to web-based facilities from the visitor network. More details are given on the web at
http://www.phy.anl.gov/computers/admins.html
We welcome comments and suggestions regarding this policy and its implementation by September 23 at the latest. Please send email to compsteer@phy.anl.gov. If you require technical clarification, you should send email to teh@phy.anl.gov.

Thank you.


The Visitor Zone

The visitor zone was conceived as a compromise between Argonne's traditional open-access networks and current DOE mandates regarding cyber-security. It provides network connectivity for non-ANL machines while limiting their access to Argonne's network resources via prescribed channels. Visitor machines are not assigned anl.gov names and there are likely legal liabilities that Argonne avoids by doing so.

While it provides full network connectivity, the visitor zone also limits access to the division's PHY networks and in general to other lab-wide network resources. For example, the division's resources on the PHY network cannot be shared with machines on the visitor net. That is, file shares, printers, etc., are not accessible by visitor machines. However, resources on the visitor network are fully accessible from machines on the PHY network, provided the individual resource is configured for access.
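As an illustration of how the one-way access described above is typically enforced at the boundary between the two zones, here is an nftables ruleset for a router sitting between them. This is an added example and not part of the Division's memo or its actual configuration; the interface names (phy0, vis0, wan0) and the placement of the rules are assumptions. The point it shows is that the asymmetry comes from connection tracking: new connections are allowed from PHY into the visitor zone (and from the visitor zone to the internet), replies to those connections are allowed back, and anything else the visitor zone tries to open toward PHY is logged and dropped.

```nftables
# Constructed example: zone boundary router between the PHY zone and the
# visitor zone. Interface names are assumptions, not the Division's actual ones:
#   phy0 - PHY zone, vis0 - visitor zone, wan0 - uplink to the rest of the lab/internet
table inet zones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to a connection that was already permitted may flow
        # in either direction. This is what lets a PHY machine print to a visitor-
        # zone printer and receive the reply, without opening the reverse path.
        ct state established,related accept

        # PHY -> visitor: new connections allowed. Which visitor-side resources
        # actually answer is decided on the resource itself ("provided the
        # individual resource is configured for access").
        iifname "phy0" oifname "vis0" ct state new accept

        # Visitor -> internet: plain connectivity, nothing more.
        iifname "vis0" oifname "wan0" ct state new accept

        # Visitor -> PHY: no new connections at all, so file shares, printers and
        # other PHY resources are unreachable. Logged so the attempt is visible to
        # the administrators; dropped by the rule and again by the chain policy.
        iifname "vis0" oifname "phy0" ct state new log prefix "vis-to-phy denied: " drop
    }
}
```

Loading this with `nft -f` on the router is enough to get the behaviour the memo describes; the proxy services mentioned below would then be hosts on vis0 that PHY-side or lab-wide services are reached through, rather than additional holes in the visitor-to-PHY direction.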

The Physics Division will set up some resources on its visitor network to support basic computing. An obvious example is printing. Access to other lab-wide resources can be made available via proxy servers. The specific proxy services will be set up on an as-needed basis and will be reviewed to make certain they do not violate cyber-security rules.

The PHY Zone

The rule mainly affects users of Windows and Macintosh computers who currently have administrative control of their assigned machines. Simply put, the rule requires that users relinquish these privileges. In return, the division will assign an administrator who will be responsible for properly configuring and maintaining the machine securely for the user.

In order for administrators to carry out their responsibilities, the machine's operating system must support the concept of a privileged user. This means that Windows machines must be upgraded to Windows 2000 or later. Similarly, MacOS machines must be upgraded to MacOS X. Earlier versions of these OSes will be phased out. These machines will then be configured to have a privileged administrator account and non-privileged user accounts.

If, for some reason, the machine cannot be made to conform to the rule, then it will be disconnected from the PHY network zone and relocated to the visitor zone.

The task of implementing this rule is expected to take several months. The division has set a goal of completing its implementation within a year, but will make every effort to be done within six months.

Personal machines

Since ANL has no legal jurisdiction over personal machines, they go, by default, into the visitor zone. A user is permitted to have a personal machine connected to the PHY zone as long as he agrees to relinquish administrative control over his machine and grants it solely to an ANL approved systems administrator.