Securing Mechanical Engineering Networks

Jon Klozik (senior systems admin) and Matthew New (IT manager) review changes being made to security policies before adjusting firewall rules.

When coordinated and planned correctly, collaboration between faculty, students, and information technology can maintain security while allowing researchers the flexibility needed to drive innovation in a constantly changing engineering environment. “Maintaining PI autonomy and creating a secure environment is critical and increasingly challenging,” says Department Chair Ellen Arruda. 

In an ongoing effort to further secure the Department of Mechanical Engineering’s (ME) research networks, and in compliance with U-M’s Insecure Remote Access Protocol Remediation Project, Mechanical Engineering Information Technology (ME-IT) leveraged the technologies built into the university’s Next Generation Firewall (NGFW). An internal review by ME-IT uncovered that some labs used insecure remote access points when leveraging software such as TeamViewer, Chrome Remote Desktop, AnyDesk, and others. Students, staff, contractors, and faculty were using the software to gain remote access to systems on campus for many reasons, including many that were appropriate. 

Prior to the review, ME-IT was securing known systems running TeamViewer with Duo for local logins; however, that approach did not provide a level of security that the local IT staff were comfortable with. In 2023, ME-IT began monitoring and logging all traffic from the university’s NGFW through an automated, custom report looking for all allowed remote-access connections. They filtered out RDP and SSH, leaving a list of outbound traffic communicating to services like TeamViewer and AnyDesk. 

Working with department faculty and IT leadership, ME-IT established a policy to restrict new outbound connections using insecure remote access and suggested alternatives like RDP and SSH, which require Duo in the ME environment. “From a campuswide perspective, the Information Assurance team is currently exploring how we can better identify remote access tools and limit them to those that are unit-approved. The proactive approach ME-IT is taking is phenomenal, and the type of security-focused work I encourage all units to do,” adds Executive Director of Information Assurance and Chief Information Security Officer Sol Bermann.

Once everyone migrated off the unsecured remote access software, ME-IT used policies in the NGFW to block those applications altogether. ME-IT monitors for dropped attempts and proactively contacts labs to offer secure workarounds. The few use cases that required screen-sharing and privacy, particularly on macOS and Linux with a graphical user interface, were dealt with on a case-by-case basis, requiring VPN and NoMachine software, controlled and secured via the firewall. Department administrator Michelle Barnett says, “It’s truly wonderful to see the seamless collaboration between our IT team, faculty, and students. By working together, they ensure that the technological needs and preferences of all stakeholders are met, fostering an environment where everyone feels supported and satisfied. This collaboration not only enhances the overall user experience but also promotes a sense of community and inclusivity within our institution.”
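As an added illustration of the two reports described on this page, the migration-phase report of allowed remote-access traffic with RDP and SSH filtered out, and the later monitoring of dropped attempts after the NGFW block, here is example code that is not ME-IT's own report. The log lines are constructed, and the column layout, category labels, and application names are assumptions rather than any firewall vendor's actual export format.

```python
import csv
import io
from collections import Counter

# Constructed sample records in a simplified traffic-log layout (assumed
# columns; not the university's NGFW export format). The "category" column
# stands in for the firewall's own application classification.
SAMPLE_LOG = """\
time,src,dst,app,category,action
2023-04-01T09:00:01,10.1.2.10,203.0.113.5,teamviewer,remote-access,allow
2023-04-01T09:00:05,10.1.2.11,192.0.2.20,ssh,remote-access,allow
2023-04-01T09:01:10,10.1.2.12,198.51.100.7,anydesk,remote-access,allow
2023-04-01T09:02:00,10.1.2.10,192.0.2.21,ms-rdp,remote-access,allow
2023-04-01T09:02:30,10.1.2.12,198.51.100.30,web-browsing,general-internet,allow
2023-04-01T09:03:30,10.1.2.13,203.0.113.9,chrome-remote-desktop,remote-access,deny
2023-04-01T09:04:00,10.1.2.13,203.0.113.9,chrome-remote-desktop,remote-access,deny
2023-04-01T09:05:15,10.1.2.14,198.51.100.8,teamviewer,remote-access,deny
"""

# RDP and SSH are the approved alternatives (Duo-protected in the ME
# environment); the app names used here are assumed, not vendor App-IDs.
APPROVED_REMOTE_ACCESS = {"ssh", "ms-rdp"}


def parse_log(text):
    """Parse the CSV-style log text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def allowed_insecure_remote_access(records):
    """Migration-phase report: allowed remote-access sessions with RDP and
    SSH filtered out, leaving hosts still using tools like TeamViewer."""
    return sorted({(r["src"], r["dst"], r["app"]) for r in records
                   if r["category"] == "remote-access"
                   and r["action"] == "allow"
                   and r["app"] not in APPROVED_REMOTE_ACCESS})


def dropped_attempts_by_host(records):
    """Post-block report: denied remote-access attempts per source host,
    the list used when contacting a lab to offer a secure workaround."""
    return Counter(r["src"] for r in records
                   if r["category"] == "remote-access" and r["action"] == "deny")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, app in allowed_insecure_remote_access(recs):
        print(f"ALLOWED {app}: {src} -> {dst} (migrate to RDP/SSH with Duo)")
    for host, n in dropped_attempts_by_host(recs).most_common():
        print(f"DROPPED {n} attempt(s) from {host}: contact lab owner")
```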

When working with outside third parties that need remote access, ME-IT recommends that labs leverage remote screen control over Zoom. This way, ME labs can monitor all activity instead of allowing unfettered access to ME (and U-M) networks. All other remote connections, such as RDP, SSH, and SSH with X11 forwarding, require the two-factor-protected UMVPN. Having secured the networks this way, ME ensures access is limited to those with valid (and trusted) university credentials.