Re: Java vs. Banner

["Ludwig, David C." <dludwig () MIDDLEBURY EDU>]

We are of course dealing with the same issue.  I am disturbed by the vagueness from Ellucian regarding when they'll be 
Java 7 ready especially considering how long it is taking just to address IE 9/10.  We should have access to future 
Java 6 updates both through Ellucian and our Oracle licensing.  We've had some discussions around limiting access to 
Banner INB from a set of VMs on a specific subnet.  Those machine would be built with IE8, Java 6 etc and would be 
limited to only access Banner and a handful of other systems on campus (document management for example).  Users could 
then do whatever they needed on their location machines as far as Java/IE upgrades and web browsing.  But the access to 
Banner could only occur once logged into the a secured VM.  As you said it is some work to implement, but would address 
both IE and Java issues plus provide additional security around the systems used to access Banner.  Still very much in 
the discussion phase for us and it may not go anywhere, but it is the best idea I've seen tossed around so far.
I'd be very interested to hear any other ideas.  Lately we're spending way too much time on Java issues.

David Ludwig
Manager of Administrative Systems
Library and Information Systems Middlebury College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Curry
Sent: Thursday, February 21, 2013 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java vs. Banner

As those of you at schools using Banner know, Ellucian has still not certified Banner to run on Java 7; Java 6 
(including the browser plug-in) must be installed on end users' desktops. Java 6, of course, has reached the end of its 
public update period, which means any future updates after the end of this month will come through Ellucian rather than 
Oracle (or so they tell us).

Aside from the increased difficulty of trying to keep a down-rev version of Java installed on systems used by Banner 
users, especially since our users have admin rights and are therefore free to update Java when they want and will do so 
if another application asks them to, we are of course concerned that maintaining a down-rev version of the Java plug-in 
will expose these systems to increased risk of compromise because of security vulnerabilities. This is particularly 
worrying because, of course, the people who use Banner are also the people who work with lots of personally 
identifiable information.

Java 7 support from Ellucian doesn't appear to be imminent, so we believe we need to find a medium-term solution to 
this problem that lets our Banner users continue to use Java 6, but does not expose them to increased risk by allowing 
them to use a browser containing the Java 6 plug-in to access the Internet. We have some preliminary thoughts on ways 
to address the issue, ranging from "use this browser to access Banner and that browser to access the Internet" (which 
doesn't come with a very high assurance level) to installing Windows XP Compatibility Mode on all Banner users' 
machines and running Banner+Java 6 in a virtual machine (a lot of work to implement).

Before we go one way or the other, we thought we'd ask the list -- what is your school doing in response to the whole 
Java vs. Banner thing?

Thanks,
--Dave




--

DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011

+1 212 229-5300 x4728 * david.curry () newschool edu<mailto:david.curry () newschool edu>