Educause Security Discussion mailing list archives

Re: network connection policies-procedures


From: Brian Kaye <bdk () UNB CA>
Date: Thu, 6 Nov 2003 11:20:49 -0400

Here is the meat from the main network policy at the University of New
Brunswick. Interestingly, these are the policies that we have operated under
for years but had not formalized. We have not ever submitted them for
approval. We implemented them. It's one of these things about asking for
forgiveness later. We were operating under these policies so just wrote
them down. But we have not touched this one for a couple of years. We have
policies and procedures written for a number of specific areas like
wireless, student supplied equipment on the residence network.


.....Brian Kaye
.....University of New Brunswick


Background: Computing Services is responsible for the operation of UNB's
data and voice networks and therefore has the authority
and responsibility to specify requirements for any devices that are
connected and enforce the policies set forth here and elsewhere.

Goal: This document is intended to formalize the policies with respect to
the computer networks for the University of Networks. It is
not the acceptable use policy but more of an Acceptable Operations Policy.
The UNB Network and other computing resources are a
shared resource for the University community. The rules of use outlined in
this document are intended as guidelines for the use of this
shared resource to help to maximize the availability of the network
resources for all. The university considers any violation of
acceptable use principles or guidelines to be a serious offense and
reserves the right to test and monitor security, and copy and
examine any files or information resident on systems attached to its
networks allegedly related to unacceptable use.

Scope: This policy applies to all segments of the University network. It
includes all administrative, academic and commercial networks
which are part of the University family of networks. The authority defined
by this policy extends to the device types which may be
connected to the University network and to accounts or services on those
devices. In the case of networking electronics this applies
to (but is not restricted to) routers, repeaters, wireless devices,
telephones or switches as well as individual workstations or servers. In
addition this policy applies to individual workstations, servers, test
equipment of any type and any other equipment which may generate
or receive traffic on the network. It also extends to certain
configuration parameters of any device which could affect other parts of
the network.

In addition this policy authorizes Computing Services to examine any
personal computer, peripheral or network device for information
related to network incidents.

Appeal: If a party feels that they have been unfairly treated in the
implementation of this policy, the party can file an appeal with their
appropriate Vice-President. The Vice-President will convene a meeting of
the relevant parties. His decision will be binding.


Implementation: All network users are expected to follow these rules:

  1. The networks and services provided to students, faculty and staff are
     provided to enhance the educational experience and/or to assist in job
     related activities. All other uses are considered secondary.
  2. All users are expected to use the network and resources on the network
     in a diligent manner in keeping with the objectives of the University.
  3. No one shall permit access to University resources to persons or
     devices not associated with the University. Use of accounts
     is the responsibility of the holders of the accounts.
  4. No commercial activity is permitted across the University network.
     Commercial organizations who have a presence on the UNB
     campus may not offer any services across the University network. These
     organizations must use a separate network access for
     that purpose. The network provided to these organizations is for
     access to University resources and other research services
     connected to the University network.
  5. Operation of servers of any sort is not permitted on student networks.
     Operation of servers on staff networks should be
     coordinated with Computing Services (CSD) so that they can be placed
     in an optimal location on the network.
  6. No one shall attach a modem or any other communications device which
     will provide an external connection to the university's
     network. This includes but is not limited to:
        bridges, routers or repeaters
        modems which connect to a single machine
        modems which connect to a terminal server
     Exceptions may be permitted for staff working from home or for
     equipment in teaching labs when required for academic or
     research purposes. These must be cleared with CSD.
  7. All network connections are subject to the protocol and service
     restrictions listed in the protocols document.
  8. Tunnelling of banned protocols or services is not permitted.
  9. Operation of any machine or protocol which unduly affects the
     performance or operation of the UNB networks is not permitted
     and is subject to immediate disconnection.
  10. The use of the networks for game playing or the distribution of non
      educational material is not acceptable. The University does
      recognize that some areas of research do use games. Computing Services
      should be informed of the nature and time of such
      activities.
  11. The university's domain names that it has currently registered
      (UNB.ca, UNBF.ca and UNB.edu) are for the exclusive use of the
      university.
  12. Use of domain names other than the ones the university has reserved
      for its use is not permitted.
  13. Sub domains (e.g. x.unb.ca) of the domains the university has reserved
      will be allocated to appropriate university departments.
  14. All Internet domains used on the UNB network must end with the string
      "unb.ca", "unbf.ca", or "unb.edu".
  15. Internet domains for departments or faculties consist of either the
      full name of the department or an approved abbreviation.
  16. All users are expected to use the network services and resources in a
      responsible way. It is not acceptable to overload
      communications resources for any purpose.
  17. Scanning or monitoring of the network or any part of the network is
      not permitted.
  18. All users are expected to use the accounts on services for their own
      use. Sharing of accounts and passwords is not permitted.
  19. No one may operate a server of any type which permits relaying of
      electronic mail or other information not destined for or originating
      from UNB. The only exception is the UNB Listserv which operates email
      lists for various groups with which UNB has an interest.

Remedy: Violation of these policies and/or the Acceptable Use Policy is
subject to immediate disconnection of the offending
device(s) and/or accounts. See the Policy on Disconnection from Network
for a description of the enforcement of these guidelines.

The University reserves the right to examine the content of any machine
which it owns or is connected to its network.


On Thu, 6 Nov 2003, Dorette Kerian wrote:

Date: Thu, 6 Nov 2003 08:07:58 -0600
From: Dorette Kerian <dorette.kerian () MAIL UND NODAK EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] network connection policies-procedures

Colleagues,

We've found some models of network policies at some of your web sites and developed a proposed policy--the meat of it 
is copied below.
* We're looking for ways to make it more effective, more acceptable, or otherwise better and would appreciate your 
suggestions.
* I'd also like to hear from those who tried this approach--successes and failures--to benefit from your lessons 
learned.
* And maybe for those who didn't try--the benefit of knowing why.
* Also, if you have procedures to implement network policies including approval and authorization processes, would 
you be willing to share those?
If you would respond directly to me at dorette.kerian () mail und nodak edu, I'd synthesize for the list.

I'm sending this to both the Security and CIO lists so my regrets if you received this twice.

Thanks for your consideration.

Dorette.

Dorette Kerian, Director
Information Technology Systems and Services
University of North Dakota
dorette.kerian () mail und nodak edu
701.777-3880

It is the policy of the University that no equipment, beyond a network interface card supporting a single IP address, 
be connected to the campus network without first notifying and gaining approval from ITSS Network Services. Users of 
the network may be required to authenticate when connecting a device to the network.  Adding cabling (with the 
exception of the ANSI/EIA/TIA standard patch cable at the network outlet) or networking components (including, but 
not limited to, routers, switches, hubs and wireless access points) without approval or authorization is prohibited. 
Equipment found to be attached to the campus network in violation of this policy may be disconnected and/or blocked 
from accessing the network without notice and may result in disciplinary action.  Under no circumstances may an 
external network be interconnected to act as a gateway to the University network without ITSS' explicit approval.

The integrity, security, and proper operation of the university campus network requires an orderly assignment of IP 
addresses and the correct configuration of computer systems and peripheral equipment attached to the network. Network 
performance and correct name resolution suffer when addressing conflicts occur. Therefore, all connections to the 
campus network need to be coordinated with IP addresses assigned statically where needed, or through ITSS DHCP 
services, or those known and approved by central IT.  Individuals and/or departments are required to register 
services with ITSS (i.e., Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Simple Network 
Management Protocol (SNMP)) to ensure that these services do not interfere with the functioning of centrally provided 
network based services.  All network connections must take into account performance, security, and privacy.

Note:  This policy does not apply to campus local networks that are not connected to the campus backbone or that are 
known by ITSS to exist behind designated routers for firewalls.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
