====== Network Connectivity Changes and Defender Requirement ======
===== Announcement from the CISO =====
"Effective June 10, 2024, OIT will begin blocking connections from the Internet to our internal campus networks, and all systems must have Microsoft Defender installed and running. We understand that your departments may have systems that require inbound connections from the Internet, and we will have an exception process in place for you to request that your system(s) requiring access from the Internet be documented. [...] Any university-owned system identified on the network without Microsoft Defender installed and running will be removed from the network until the device is compliant."
\\
=== More information at the UT Employee Hub ===
* [[https://liveutk.sharepoint.com/sites/OIT/SitePages/IS-Network-Access.aspx|Accessing campus resources from off-campus]]
* [[https://liveutk.sharepoint.com/sites/OIT/SitePages/IS-Microsoft-Defender.aspx|Microsoft Defender]]
===== Networking =====
==== What will change? ====
Most importantly, these changes only affect __incoming__ Internet network connections. Access __to__ the Internet from your system will not be affected. You will continue to be able to browse the web, download files, etc. without noticing any difference. Connections from within the UT network (e.g. remote desktop connections from one system on campus to another) are also not affected. Only connections originating from outside the UT network are affected by this change.
The main takeaway for most users will be that all connections from off-campus will require the use of the UTK [[https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/KB/ArticleDet?ID=130338&_gl=1*1s8v4u9*_ga*NTk2MjE3NzcxLjE2OTMzNDQyNDI.*_ga_275S8CRNYW*MTcxNTYxOTQ2OS4xMjYuMC4xNzE1NjE5NDY5LjAuMC4w|VPN]].
=== Windows and MacOS Desktop/Laptop Systems ===
For the majority of regular desktop/laptop systems, nothing will change. You will continue to use the UT network in much the same way as before. Remote connections to desktops will continue to work through the UTK [[https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/KB/ArticleDet?ID=130338&_gl=1*1s8v4u9*_ga*NTk2MjE3NzcxLjE2OTMzNDQyNDI.*_ga_275S8CRNYW*MTcxNTYxOTQ2OS4xMjYuMC4xNzE1NjE5NDY5LjAuMC4w|VPN]].
=== Linux Desktop/Laptop Systems ===
Secure Shell (SSH) connections to systems on the UT network will require the use of the [[https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/KB/ArticleDet?ID=130338&_gl=1*1s8v4u9*_ga*NTk2MjE3NzcxLjE2OTMzNDQyNDI.*_ga_275S8CRNYW*MTcxNTYxOTQ2OS4xMjYuMC4xNzE1NjE5NDY5LjAuMC4w|VPN]]. If you need to have your SSH connections accessible from the Internet without the VPN requirement, you will need to file a network exception request (see below).
=== Linux Lab/Virtual Lab Systems ===
Connections to EECS Linux lab systems (e.g. Hydra) and virtual lab systems (e.g. VLSI) will require use of the UTK VPN. **This includes both SSH and RealVNC connectivity.**
=== Servers ===
If your system provides services to other UTK systems (e.g. shared network drives), you will not need to request an exception. However, any incoming network connection __from outside the UT network__ will either need to go through the UTK [[https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/KB/ArticleDet?ID=130338&_gl=1*1s8v4u9*_ga*NTk2MjE3NzcxLjE2OTMzNDQyNDI.*_ga_275S8CRNYW*MTcxNTYxOTQ2OS4xMjYuMC4xNzE1NjE5NDY5LjAuMC4w|VPN]] or you will need to request an exception. Examples of services that require exceptions include:
* Public-facing (non-intranet) web servers (http and https).
* SSH servers that need to be accessible to non-UTK users.
* Public file sharing services such as anonymous FTP or SFTP.
For all services not managed by the EECS IT staff, the system owner will be responsible for requesting a network access exception.
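Before filing an exception, it helps to know which services on a host actually accept connections from the network, as opposed to listening only on the loopback address. The following script is an added example (not part of this page or of any OIT tooling): it reads the output of iproute2's ''ss -Hltn'', drops loopback-only listeners, and labels each remaining port with the service categories named above. The ''ss'' output shown at the bottom is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example, not part of the EECS IT page or of any OIT tooling: inventory
# the TCP services on this host that listen on a non-loopback address. Those are
# the ones that off-campus clients can only reach via the VPN, or via a network
# exception, once OIT blocks inbound Internet connections.
# Input is the output of `ss -Hltn` (iproute2: no header, listening, TCP, numeric).

# Map a port to the service categories named in the announcement; everything
# else is "other" and still needs a decision (VPN, exception, or bind to loopback).
svc_category() {
    case "$1" in
        80|443) echo "web (http/https)" ;;
        22)     echo "ssh/sftp" ;;
        21)     echo "ftp" ;;
        *)      echo "other" ;;
    esac
}

# Read `ss -Hltn` lines on stdin; print one "port category" line per port that
# is bound to something other than the loopback address.
exposed_ports() {
    awk '$1 == "LISTEN" {
            addr = $4                                  # e.g. 0.0.0.0:22, [::]:80, *:443, 127.0.0.1:631
            n = split(addr, p, ":"); port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /127\.0\.0\.1|\[::1\]/) next    # loopback only: not reachable from the network
            print port
        }' | sort -un | while read -r port; do
        printf '%s %s\n' "$port" "$(svc_category "$port")"
    done
}

# Live inventory of this host (requires iproute2's ss).
inventory_host() {
    ss -Hltn | exposed_ports
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511                *:80               *:*
LISTEN 0      511                *:443              *:*
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      50   [::ffff:127.0.0.1]:8005            *:*
LISTEN 0      128          0.0.0.0:5432       0.0.0.0:*'

# Usage on the sample: printf '%s\n' "$SAMPLE_SS" | exposed_ports
# Usage on this host:  inventory_host
```

For the sample input the script reports ports 22, 80, 443 and 5432; the CUPS listener on 127.0.0.1:631 and the IPv4-mapped loopback listener on 8005 are omitted because nothing outside the host can reach them. Each reported port is then either covered by the VPN or needs a line in the exception request.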
==== Network Exception Request ====
=== Online Form ===
OIT has prepared a web form for single-system exceptions. If you have multiple exceptions to request, you may also fill in a spreadsheet and submit them in bulk. Please visit [[https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/Requests/ServiceDet?ID=54151]] for more information.
=== Exception Details ===
The form and spreadsheet require several pieces of information about the exception you wish to request. See below for some examples:
^ Source (IP name and/or number if known) ^ Destination (IP name and/or number) ^ What service does this provide? ^ What protocols are required for continued access to this system? ^ Network Port(s) (if applicable) ^ Why are you requesting access from off-campus? ^ Who accesses this service? (NetIDs) ^
| 1.2.3.4 | myserver1.eecs.utk.edu | REST API server for project X | http, https | 80, 443 | To provide API access for our customer, Widget Inc. | Widget Inc. support personnel |
| Public access | myserver2.eecs.utk.edu | Public-facing web server for project Y | http, https | 80, 443 | Main website for project Y | general public |
| 30.40.50.70/24 | myserver3.eecs.utk.edu | Login server for collaborators | OpenSSH | 22 | To allow our collaborators to access our research system remotely | Users at Spacely Sprockets coming in from the network specified |
If you need assistance with filling out an exception request, please contact EECS IT or the OIT Help Desk.
===== Microsoft Defender =====
The OIT security office now requires all __UT-owned__ systems to run the //Microsoft Defender for Endpoint// (MDE) security software. MDE is a cybersecurity platform that provides advanced threat protection, attack surface reduction, and integrated security capabilities for enterprise networks and devices. MDE is available for Windows, MacOS, and Linux. OIT reserves the right to remove any system from the network that does not comply with the Microsoft Defender requirement.
==== What will change? ====
=== Windows Desktop/Laptop Systems ===
If your UT-owned Windows Desktop or Laptop was set up by EECS IT, it is already running MDE and you will not need to make any changes. In the very unlikely event that you have a UT-owned Microsoft Windows system that was not installed and configured by the EECS IT staff, please contact us as soon as possible for remediation.
=== MacOS Desktop/Laptop Systems ===
For over a year, EECS IT has installed MDE on all MacOS systems that we process at the help desk. However, please confirm that your system is properly protected by MDE. You can check your menu bar for the Defender shield logo. When clicking on this, you should see a menu similar to the one below:\\
{{:news:defender_mac.png?200|}}\\
If you do not see the Defender shield logo in your MacOS menu bar or you get any errors, please contact EECS IT at your earliest convenience.
=== Linux Desktop/Laptop Systems ===
For any Linux system not managed by EECS IT, you will be responsible for installing MDE. This requires an //onboarding package// provided by OIT. You can download Defender for Linux from the [[https://webapps.utk.edu/oit/softwaredistribution/|UT Software Distribution]] page. If you are currently using a configuration management system, such as Ansible to configure your Linux system(s), automatic onboarding is possible. For assistance, please contact the [[https://help.utk.edu|OIT Help Desk]].
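Once the onboarding package has been applied, the agent's own ''mdatp health'' command reports whether the system is protected and onboarded. The script below is an added example (not part of this page, and not Microsoft's or OIT's tooling) that parses that output and returns a pass/fail verdict; the field names ''healthy'', ''licensed'', ''org_id'' and ''real_time_protection_enabled'' are assumed to match what current ''mdatp'' versions print, so compare them against the output on your own system. The two health listings at the bottom are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example (not part of the EECS IT page or of Microsoft's tooling): check
# whether Microsoft Defender for Endpoint is installed, onboarded and healthy on
# a Linux host by reading the output of `mdatp health`. Output lines look like
#   healthy                                     : true
#   org_id                                      : "00000000-0000-0000-0000-000000000000"
# Field names below are assumed to match current mdatp versions.

# Print the value of one field from `mdatp health` text ($2), with surrounding
# whitespace and quotes removed. $1 is the field name.
mde_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
        index($0, ":") {
            k = substr($0, 1, index($0, ":") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, ":") + 1)      # keep colons inside values (timestamps)
                gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v)
                print v; exit
            }
        }'
}

# Return 0 (compliant) when the agent reports healthy, licensed, onboarded to an
# organisation and running real-time protection; 1 otherwise, with reasons on stderr.
mde_compliant() {
    health="$1"; rc=0
    [ "$(mde_field healthy "$health")" = "true" ] \
        || { echo "agent reports unhealthy" >&2; rc=1; }
    [ "$(mde_field licensed "$health")" = "true" ] \
        || { echo "agent not licensed" >&2; rc=1; }
    [ -n "$(mde_field org_id "$health")" ] \
        || { echo "no org_id: onboarding package not applied" >&2; rc=1; }
    [ "$(mde_field real_time_protection_enabled "$health")" = "true" ] \
        || { echo "real-time protection disabled" >&2; rc=1; }
    return $rc
}

# Live check of this host (requires the mdatp agent on PATH).
mde_check_host() {
    command -v mdatp >/dev/null 2>&1 || { echo "mdatp not installed" >&2; return 1; }
    mde_compliant "$(mdatp health 2>/dev/null)"
}

# Constructed sample outputs (not captured from real hosts) for offline use.
SAMPLE_OK='healthy                                     : true
health_issues                               : []
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

SAMPLE_BAD='healthy                                     : false
licensed                                    : false
org_id                                      : ""
real_time_protection_enabled                : false'

# Usage: mde_check_host && echo "MDE compliant" || echo "MDE NOT compliant"
```

A non-zero exit from ''mde_check_host'' is the condition under which OIT would treat the system as non-compliant, so this is a convenient check to run from a configuration management system (such as Ansible) after onboarding, or as a periodic cron job.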
=== Servers ===
All Windows and Linux servers must also be protected by MDE. There is currently an annual charge of $61 per server for Defender for Endpoint, whether the server runs Windows or Linux. Research groups will be responsible for funding these costs, whether or not those servers are managed by EECS IT.
If your server system is currently managed by EECS IT, you will be contacted by us to arrange for MDE purchase and installation. For self-managed servers, please contact EECS IT so we can assist you with the purchase and onboarding of your system.