You are here

Network service access to user-managed machines (NAG)

Since June 2008, all computers in the Faculty of Engineering and Computer Science other than AITS-managed servers have "client-only" network access; that is, they are able to initiate connections to other computers outside their local network, but are not be able to accept traffic initiated from machines outside their local network, with the following exceptions:

  • Remote Desktop connections tunnelled through login.encs.concordia.ca;
  • VNC connections tunnelled through login.encs.concordia.ca;
  • SSH connections tunnelled through login.encs.concordia.ca;
  • SSH connections originating from any machine within any ENCS network with a Concordia IP address; and
  • connections to a service explicitly authorized on a particular machine pursuant to a request by the full-time faculty member responsible for the network to which the machine is connected.

Authorization to offer a specific network service will generally be given for a particular machine upon receipt of a proper request.

Procedure for requesting permission to offer network service

To request permission to offer a network service, the responsible faculty member must send a message to "servicedesk AT encs.concordia.ca" specifying

  • a reason for offering the service;
  • the service to be offered, including the protocol and port number (or numbers) to be used;
  • the computer that will offer the service;
  • the ENCS username of the person who will administer the computer;
  • any desired restrictions on the clientele for the service (e.g., ENCS only or Concordia only).

"Grandfathering"

User-managed computers that had been acting as servers prior to June 18, 2008 have not been automatically blocked, but AITS staff will communicate with the responsible faculty members to determine precisely which services need to be offered, so that these machines can be smoothly integrated into the new framework.

Vulnerability monitoring

All computers in the Faculty of Engineering and Computer Science, including user-managed computers, must allow vulnerability scanning by AITS's two Nessus vulnerability scanners: 132.205.96.199 and 132.205.96.150. That is, no computer should deny service to these addresses. If a user-managed computer is found to have a known vulnerability, the registered administrator of the machine will be notified and must take the required action to correct the problem.

See more on: