Educause Security Discussion mailing list archives
Re: Java vs. Banner
From: "Ludwig, David C." <dludwig () MIDDLEBURY EDU>
Date: Thu, 21 Feb 2013 18:30:45 +0000
We are of course dealing with the same issue. I am disturbed by the vagueness from Ellucian regarding when they'll be Java 7 ready, especially considering how long it is taking just to address IE 9/10. We should have access to future Java 6 updates both through Ellucian and our Oracle licensing.

We've had some discussions around limiting access to Banner INB from a set of VMs on a specific subnet. Those machines would be built with IE8, Java 6, etc. and would be limited to only access Banner and a handful of other systems on campus (document management, for example). Users could then do whatever they needed on their location machines as far as Java/IE upgrades and web browsing. But the access to Banner could only occur once logged into a secured VM. As you said, it is some work to implement, but would address both IE and Java issues plus provide additional security around the systems used to access Banner.

Still very much in the discussion phase for us and it may not go anywhere, but it is the best idea I've seen tossed around so far. I'd be very interested to hear any other ideas. Lately we're spending way too much time on Java issues.

David Ludwig
Manager of Administrative Systems
Library and Information Systems
Middlebury College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Curry
Sent: Thursday, February 21, 2013 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java vs. Banner

As those of you at schools using Banner know, Ellucian has still not certified Banner to run on Java 7; Java 6 (including the browser plug-in) must be installed on end users' desktops. Java 6, of course, has reached the end of its public update period, which means any future updates after the end of this month will come through Ellucian rather than Oracle (or so they tell us).

Aside from the increased difficulty of trying to keep a down-rev version of Java installed on systems used by Banner users, especially since our users have admin rights and are therefore free to update Java when they want and will do so if another application asks them to, we are of course concerned that maintaining a down-rev version of the Java plug-in will expose these systems to increased risk of compromise because of security vulnerabilities. This is particularly worrying because, of course, the people who use Banner are also the people who work with lots of personally identifiable information.

Java 7 support from Ellucian doesn't appear to be imminent, so we believe we need to find a medium-term solution to this problem that lets our Banner users continue to use Java 6, but does not expose them to increased risk by allowing them to use a browser containing the Java 6 plug-in to access the Internet.

We have some preliminary thoughts on ways to address the issue, ranging from "use this browser to access Banner and that browser to access the Internet" (which doesn't come with a very high assurance level) to installing Windows XP Compatibility Mode on all Banner users' machines and running Banner+Java 6 in a virtual machine (a lot of work to implement).

Before we go one way or the other, we thought we'd ask the list -- what is your school doing in response to the whole Java vs. Banner thing?

Thanks,
--Dave

--
DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
+1 212 229-5300 x4728 * david.curry () newschool edu