Wired network - Gina Cody School of Engineering and Computer Science
The ENCS wired network is a high speed network service that includes connection, installation and support for authorized users within the Gina Cody School user community.
Related policy: Policy on vulnerability management
Who can use it?
Faculty, staff, and authorized students within the Gina Cody School.
How much does it cost?
There is no cost associated with this service.
How to get it?
- Complete and submit the New IT equipment setup request form (requires ENCS username/password) for all devices that need to be connected to the ENCS network for the first time.
- If a device has already been connected to ENCS network and needs to be connected to another network jack, complete and submit the IT Equipment Moving Request Form (requires ENCS username/password).
- For any other support request relating to the ENCS wired network, contact the Service Desk.
Service availability
24/7
Documentation
The School makes every effort to provide a fair amount of bandwidth to the members of the community, both internally and externally.
- Internal: The network is segregated into subnets and virtual networks (VLANs) for teaching, research labs, and infrastructure to minimize interference between these networks.
- External: The usage of commercial internet usually does not fall within the academic use of ENCS network resources. Thus, at full-speed download, each user is allowed to "borrow" one full gigabit until the connection is throttled, which usually takes about 2 hours, until another full gigabit becomes available. Exceptions to this rule include all known patch sites, known software/hardware vendors, legitimate software repositories, and other non-profit, academic and research organisations. The exception list is maintained manually. To add a site to the list, contact the Service Desk.
Concordia's IT department understands the growing need to run virtual machines (VMs) on research computers, multiple operating systems, and cloud computing. Generally, the preferred way to run VMs on research equipment is behind network address translation (NAT) of the host operating system. In case the VMs need to be first-class citizens on the researcher's network along with other computers, the policy is to assign both virtual MAC and IP addresses.
The researchers then statically configure the MAC address in their VM configuration. Running a lot of VMs on a researcher's subnet this way may result in exhausting the available IP address space. In that case, the researcher would be asked to move to a larger private subnet, on a case-by-case basis.
Some VM vendors have a preset organizationally unique identifier (OUI) for their MAC addresses (e.g., VMware and Xen) and some don't. When a vendor has no preset OUI, a "locally administered" MAC address is used. This is done to ensure uniqueness of the MAC addresses on our network and to avoid network conflicts. If the researchers require VMs with such a setup, the supervising professor or a designated lab admin should open a ticket with the Service Desk requesting to connect a VM.
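The distinction between a vendor OUI and a "locally administered" address is carried in the two low-order bits of the first octet. The following is an added example, not a tool used by the School: it audits a lab's VM inventory for addresses that are multicast, duplicated, or neither locally administered nor in a known VM vendor range. The function names, the OUI table (public IEEE assignments, not taken from this page) and the sample inventory are assumptions made for the illustration.

```python
import re
from collections import Counter

# Public IEEE OUI assignments for VM vendors (assumption: not listed on the page).
VENDOR_OUIS = {"00:50:56": "VMware", "00:0C:29": "VMware", "00:16:3E": "Xen"}

def normalize(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Return 'multicast', 'local', 'vendor:<name>' or 'universal'."""
    norm = normalize(mac)
    first = int(norm[:2], 16)
    if first & 0x01:   # I/G bit set: group address, never valid on a NIC
        return "multicast"
    if first & 0x02:   # U/L bit set: locally administered
        return "local"
    vendor = VENDOR_OUIS.get(norm[:8])
    return f"vendor:{vendor}" if vendor else "universal"

def audit(vm_macs):
    """Return a list of (vm, problem) findings for a {vm_name: mac} inventory."""
    findings, normalized = [], {}
    for vm, mac in vm_macs.items():
        try:
            normalized[vm] = normalize(mac)
        except ValueError as exc:
            findings.append((vm, str(exc)))
            continue
        kind = classify(mac)
        if kind == "multicast":
            findings.append((vm, "multicast bit set"))
        elif kind == "universal":
            findings.append((vm, "universal address outside known VM vendor OUIs"))
    counts = Counter(normalized.values())
    for vm, mac in normalized.items():
        if counts[mac] > 1:   # same address written in different notations
            findings.append((vm, f"duplicate address {mac}"))
    return findings

SAMPLE = {  # constructed inventory, not real ENCS assignments
    "vm-a": "02:00:00:aa:bb:01", "vm-b": "00-50-56-12-34-56",
    "vm-c": "0200.00AA.BB01", "vm-d": "01:00:5e:00:00:01",
    "vm-e": "3c:52:82:00:00:01",
}
```

Running `audit(SAMPLE)` reports the multicast entry, the universal address outside the vendor table, and the two VMs that share one address written in different notations.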
Since June 2008, all computers in the Gina Cody School of Engineering and Computer Science have client-only network access. This means that they are able to initiate connections to other computers outside their local network, but are not able to accept traffic initiated from machines outside their local network, with the following exceptions:
- Remote Desktop connections tunnelled through tunnel.encs.concordia.ca;
- VNC connections tunnelled through tunnel.encs.concordia.ca;
- SSH connections tunnelled through tunnel.encs.concordia.ca;
- SSH connections originating from any machine within any ENCS network with a Concordia IP address; and
- Connections to a service explicitly authorized on a particular machine pursuant to a request by the full-time faculty member responsible for the network to which the machine is connected.
Authorization to offer network service will generally be granted for a specific machine upon receipt of a proper request to the Service Desk.
How to request permission to offer network service:
To request permission to offer a network service, the responsible faculty member must contact the Service Desk and specify:
- The reason for offering the service
- The service being offered, including the protocol and port number (or numbers)
- The computer that will offer the service
- The ENCS username of the person who will administer the computer
- Any desired restrictions on the clientele for the service (e.g., ENCS only or Concordia only)
“Grandfathering”
User-managed computers that have been acting as servers prior to June 18, 2008 have not been automatically blocked, but an administrator will communicate with the responsible faculty members to determine precisely which services need to be offered. This ensures that these machines can be smoothly integrated into the new framework.
Vulnerability monitoring
All computers in the Gina Cody School of Engineering and Computer Science, including user-managed computers, must allow vulnerability scanning by two Nessus vulnerability scanners: 132.205.96.199 and 132.205.96.150. No computer should deny service to these addresses. If a user-managed computer is found to have a known vulnerability, the registered administrator of the machine will be notified and must take the required action to correct the problem.
FAQ
Each network jack can only be connected to the machine to which it is assigned. Plugging another computer into a jack without informing the Service Desk will not work. The new computer's Ethernet (MAC) address must be registered before it will have access to the internet.
Note: it is strictly forbidden to spoof MAC addresses on the ENCS network as these acts bring in liability to the Faculty and the University.
If a device has already been connected to ENCS network and needs to be connected to another network jack, complete and submit the IT Equipment Moving Request Form (requires ENCS username/password).
Only School faculty and staff can request a network connection in a public access lab. Graduate students may request a network connection in a graduate student office and/or a research lab. The only computers that are entitled to be connected to the ENCS network are School-owned desktops or laptops.
Computers that offer services to the internet beyond the School run a risk of being remotely attacked and compromised if they have known vulnerabilities. The consequences range from mere inconvenience to the loss of confidential research data. In order to minimize this risk, Concordia's IT department regularly checks for known vulnerabilities and takes action to protect the computer (and its neighbours) against compromises based on the assessed level of risk.
The action taken to protect the vulnerable machine may be the immediate removal of the infected machine from the network. External access to the machine will be restored as soon as a new scan establishes that the vulnerability is no longer present.
Note: having an operating system that has been declared “end-of-life” by its vendor and is no longer receiving updates and security patches (example: Windows XP and below, OS X 10.{1-5}) is considered a vulnerability and such machines will be quarantined.
In all cases, the owner of the machine, its administrator and its known privileged user(s) will be notified by email. The message will include a personalized and password-protected URL providing full information about the scan as well as details about the action needed to solve the problem.