CAP Questions and Answers
Sample Firewall Exception Document
(This is a SAMPLE document)

The following exceptions are granted to "Network Access Practice" firewall rules.
All Security Zones
Authorized by MKJ 07-25-2005
- All security zones are permitted outbound ICMP echo.
- All security zones are permitted inbound ICMP echo reply.
- All security zones are permitted inbound/outbound ICMP time-exceeded (needs review).
- All security zones are permitted inbound/outbound ICMP unreachable (needs review).
- All security zones are permitted inbound/outbound ICMP source-quench (needs review).
- All zones are permitted outbound SMTP TCP port 25 to designated mail servers.
- All zones are permitted outbound DNS to designated name servers.
- All zones are permitted outbound NTP UDP port 123 to designated time servers.
- All zones are permitted outbound SNMP trap UDP port 162 to designated management servers.
- All zones are permitted outbound SYSLOG UDP port 514 to designated management servers.
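The list above is a set of narrow exceptions to a default-deny policy, and several of the outbound permits are scoped to "designated" servers rather than to any destination. The following Python snippet is an added example (not part of the MnSCU document) that transcribes the "All Security Zones" list into rules and evaluates sample packets against them, so the default-deny behaviour and the destination scoping can be checked. The designated server addresses, the DNS port (53), and the packet model are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample addresses for the "designated" servers the exception
# list refers to. These are assumptions for the example, not MnSCU values.
DESIGNATED = {
    "mail": {ip_address("10.0.1.25")},
    "dns": {ip_address("10.0.1.53")},
    "time": {ip_address("10.0.1.123")},
    "mgmt": {ip_address("10.0.1.162")},
}

IN, OUT = "in", "out"
BOTH = frozenset({IN, OUT})


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out" relative to the security zone
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None
    dst: Optional[str] = None       # destination address as text


@dataclass(frozen=True)
class Rule:
    name: str
    directions: FrozenSet[str]
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    dst_group: Optional[str] = None  # key into DESIGNATED; None means any destination
    needs_review: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction not in self.directions or pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dst_group is not None:
            # "to designated ... servers": the permit is scoped to a server set
            if pkt.dst is None or ip_address(pkt.dst) not in DESIGNATED[self.dst_group]:
                return False
        return True


# The "All Security Zones" exception list transcribed as rules.
# The DNS port is not stated in the document and is assumed to be UDP 53.
EXCEPTIONS: List[Rule] = [
    Rule("icmp echo out", frozenset({OUT}), "icmp", icmp_type="echo"),
    Rule("icmp echo-reply in", frozenset({IN}), "icmp", icmp_type="echo-reply"),
    Rule("icmp time-exceeded", BOTH, "icmp", icmp_type="time-exceeded", needs_review=True),
    Rule("icmp unreachable", BOTH, "icmp", icmp_type="unreachable", needs_review=True),
    Rule("icmp source-quench", BOTH, "icmp", icmp_type="source-quench", needs_review=True),
    Rule("smtp out", frozenset({OUT}), "tcp", dport=25, dst_group="mail"),
    Rule("dns out", frozenset({OUT}), "udp", dport=53, dst_group="dns"),  # port assumed
    Rule("ntp out", frozenset({OUT}), "udp", dport=123, dst_group="time"),
    Rule("snmp-trap out", frozenset({OUT}), "udp", dport=162, dst_group="mgmt"),
    Rule("syslog out", frozenset({OUT}), "udp", dport=514, dst_group="mgmt"),
]


def evaluate(pkt: Packet, rules: List[Rule] = EXCEPTIONS) -> Tuple[str, Optional[str]]:
    """Default deny: the first matching exception permits; anything else is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return ("permit", rule.name)
    return ("deny", None)


def pending_review(rules: List[Rule] = EXCEPTIONS) -> List[str]:
    """Names of the exceptions the document flags as 'needs review'."""
    return [r.name for r in rules if r.needs_review]


if __name__ == "__main__":
    samples = [
        Packet(OUT, "tcp", dport=25, dst="10.0.1.25"),   # SMTP to the designated relay
        Packet(OUT, "tcp", dport=25, dst="10.0.9.9"),    # SMTP to an arbitrary host
        Packet(IN, "icmp", icmp_type="echo"),            # inbound ping is not listed
        Packet(IN, "icmp", icmp_type="echo-reply"),      # reply to our own outbound ping
        Packet(OUT, "udp", dport=514, dst="10.0.1.162"), # syslog to the management server
    ]
    for p in samples:
        print(p, "->", evaluate(p))
    print("needs review:", pending_review())
```

The point of the `dst_group` check is that "outbound SMTP TCP port 25" alone would let any host in the zone talk to any mail server on the Internet; tying the permit to the designated relay is what keeps the exception narrow. The `needs_review` flag preserves the document's own annotation so the review items can be listed rather than lost in the rule set.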
Operating System Specific Exceptions
- All Solaris servers are permitted HTTPS access to SRS Net Connect.
- All Windows servers are permitted access to SUS and AV software repositories.
Application Specific Exceptions
Application specific exceptions are documented per application in "Application Security" documents.
CAP Server Hardware and Software
1.1 Do you have minimum hardware specifications?
No. Hardware specifications depend on how your campus uses the server. MnSCU currently runs CAP servers with 3x300 MHz CPUs (Internal Audit) and 2x1 GHz CPUs (Data Extracts).
1.2 Can those of us who data mine as our job have our PCs classified as CAP Servers to improve server throughput?
No. The CAP server must be housed in a physically secure datacenter, on a network that has no client computers and a default deny all outbound firewall policy. Those requirements are inconsistent with desktop computers. (In other words: if it is possible to use the computer as a desktop, it is not possible to use it as a CAP server.)
1.3 Do you have server performance numbers from actual testing?
The maximum number of concurrent users will be determined by the complexity and quality of the queries and applications.
1.4 What software do we need and who pays for what?
The following software is needed: (a) OS - Microsoft 2003 Server (b) Antivirus (c) Backup software (d) Oracle client (e) RDP licenses (f) Other data access software determined by campus (Access). Each MnSCU institution is responsible for obtaining all needed software.
Software on PC Work Station
2.1 What software do we need and who pays for what?
The only required desktop software is an RDP client. Windows XP, Solaris, Linux and Macs all have RDP clients.
Administration and Management
3.1 Will MnSCU manage any part of the software on the CAP server?
No.
3.2 Will MnSCU manage Usernames and Passwords on the CAP server?
No. Campuses are expected to manage CAP server user and file system security in a manner that meets MnSCU security requirements.
3.3 What is our commitment for ongoing support for Campus CAP servers?
TBD. In general, though, the System Office will determine an SLA for availability of the Oracle servers to the CAP servers. Campuses are responsible for managing CAP server hardware, software, and users. MnSCU will manage the data center services that the CAP servers use.
Conversion of applications and queries
4.1 Do you have or does anyone else have any documentation on specific conversion problems or issues that have been encountered and hopefully solved?
None yet. We'll update this space as needed.
4.2 We have MS Access, Visual Basic 6, and Visual Net applications that run on user workstations. What procedure do we use to make these applications work with the CAP server?
VB, .Net and Access applications that are written using standard "best practices" should run on a CAP server unmodified.