Educause Security Discussion mailing list archives

Re: network connection policies-procedures


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 10 Nov 2003 08:58:33 -0700

I am also very interested in learning about institutional security
policies that might be considered as "models" or an "effective practice"
that others can emulate.  The Security Task Force has a collection of
security policies at http://www.educause.edu/security/policies.asp and
we are looking to add to that collection.  I am especially interested in
policies that were recently developed or successful efforts at
establishing security policy within institutions of higher education.  I
will have an audience of college and university attorneys and
administrators later in the week who will be eager to learn of other
policies that they can turn to for guidance.

Thanks,

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE


-----Original Message-----
From: Brian Kaye [mailto:bdk () UNB CA] 
Sent: Thursday, November 06, 2003 10:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] network connection policies-procedures


Here is the meat from the main network policy at the University of New
Brunswick. Interestingly, these are the policies that we have operated
under for years but had not formalized. We have not ever submitted them
for approval. We implemented them. It's one of these things about asking
for forgiveness later. We were operating under these policies so just
wrote them down. But we have not touched this one for a couple of years.
We have policies and procedures written for a number of specific areas
like wireless and student supplied equipment on the residence network.


.....Brian Kaye
.....University of New Brunswick


Background: Computing Services is responsible for the operation of UNB's
data and voice networks and therefore has the authority and
responsibility to specify requirements for any devices that are
connected and enforce the policies set forth here and elsewhere.

Goal: This document is intended to formalize the policies with respect
to the computer networks for the University of New Brunswick. It is not
the acceptable use policy but more of an Acceptable Operations Policy.
The UNB Network and other computing resources are a shared resource for
the University community. The rules of use outlined in this document are
intended as guidelines for the use of this shared resource to help to
maximize the availability of the network resources for all. The
university considers any violation of acceptable use principles or
guidelines to be a serious offense and reserves the right to test and
monitor security, and copy and examine any files or information resident
on systems attached to its networks allegedly related to unacceptable
use.

Scope: This policy applies to all segments of the University network. It
includes all administrative, academic and commercial networks which are
part of the University family of networks. The authority defined by this
policy extends to the device types which may be connected to the
University network and to accounts or services on those devices. In the
case of networking electronics this applies to (but is not restricted
to) routers, repeaters, wireless devices, telephones or switches as well
as individual workstations or servers. In addition this policy applies
to individual workstations, servers, test equipment of any type and any
other equipment which may generate or receive traffic on the network. It
also extends to certain configuration parameters of any device which
could affect other parts of the network.

In addition this policy authorizes Computing Services to examine any
personal computer, peripheral or network device for information related
to network incidents.

Appeal: If a party feels that they have been unfairly treated in the
implementation of this policy, the party can file an appeal with their
appropriate Vice-President. The Vice-President will convene a meeting of
the relevant parties. His decision will be binding.


Implementation: All network users are expected to follow these rules:

  1. The networks and services provided to students, faculty and staff
     are provided to enhance the educational experience and/or to assist
     in job related activities. All other uses are considered secondary.
  2. All users are expected to use the network and resources on the
     network in a diligent manner in keeping with the objectives of the
     University.
  3. No one shall permit access to University resources to persons or
     devices not associated with the University. Use of accounts is the
     responsibility of the holders of the accounts.
  4. No commercial activity is permitted across the University network.
     Commercial organizations who have a presence on the UNB campus may
     not offer any services across the University network. These
     organizations must use a separate network access for that purpose.
     The network provided to these organizations is for access to
     University resources and other research services connected to the
     University network.
  5. Operation of servers of any sort is not permitted on student
     networks. Operation of servers on staff networks should be
     coordinated with Computing Services (CSD) so that they can be
     placed in an optimal location on the network.
  6. No one shall attach a modem or any other communications device
     which will provide an external connection to the university's
     network. This includes but is not limited to:
        - bridges, routers or repeaters
        - modems which connect to a single machine
        - modems which connect to a terminal server
     Exceptions may be permitted for staff working from home or for
     equipment in teaching labs when required for academic or research
     purposes. These must be cleared with CSD.
  7. All network connections are subject to the protocol and service
     restrictions listed in the protocols document.
  8. Tunnelling of banned protocols or services is not permitted.
  9. Operation of any machine or protocol which unduly affects the
     performance or operation of the UNB networks is not permitted and
     is subject to immediate disconnection.
 10. The use of the networks for game playing or the distribution of
     non-educational material is not acceptable. The University does
     recognize that some areas of research do use games. Computing
     Services should be informed of the nature and time of such
     activities.
 11. The university's currently registered domain names (UNB.ca,
     UNBF.ca and UNB.edu) are for the exclusive use of the university.
 12. Use of domain names other than the ones the university has
     reserved for its use is not permitted.
 13. Sub-domains (e.g. x.unb.ca) of the domains the university has
     reserved will be allocated to appropriate university departments.
 14. All Internet domains used on the UNB network must end with the
     string "unb.ca", "unbf.ca", or "unb.edu".
 15. Internet domains for departments or faculties consist of either
     the full name of the department or an approved abbreviation.
 16. All users are expected to use the network services and resources
     in a responsible way. It is not acceptable to overload
     communications resources for any purpose.
 17. Scanning or monitoring of the network or any part of the network
     is not permitted.
 18. All users are expected to use the accounts on services for their
     own use. Sharing of accounts and passwords is not permitted.
 19. No one may operate a server of any type which permits relaying of
     electronic mail or other information not destined for or
     originating from UNB. The only exception is the UNB Listserv,
     which operates email lists for various groups in which UNB has an
     interest.

Remedy: Violation of these policies and/or the Acceptable Use Policy is
subject to immediate disconnection of the offending device(s) and/or
accounts. See the Policy on Disconnection from Network for a
description of the enforcement of these guidelines.

The University reserves the right to examine the content of any machine
which it owns or is connected to its network.


On Thu, 6 Nov 2003, Dorette Kerian wrote:

Date: Thu, 6 Nov 2003 08:07:58 -0600
From: Dorette Kerian <dorette.kerian () MAIL UND NODAK EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv
    <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] network connection policies-procedures

Colleagues,

We've found some models of network policies at some of your web sites 
and developed a proposed policy--the meat of it is copied below.
* We're looking for ways to make it more effective, more acceptable,
or otherwise better and would appreciate your suggestions.
* I'd also like to hear from those who tried this approach--successes
and failures--to benefit from your lessons learned.
* And maybe for those who didn't try--the benefit of knowing why.
* Also, if you have procedures to implement network policies including
approval and authorization processes, would you be willing to share
those?
If you would respond directly to me at
dorette.kerian () mail und nodak edu, I'd synthesize for the list.

I'm sending this to both the Security and CIO lists so my regrets if 
you received this twice.

Thanks for your consideration.

Dorette.

Dorette Kerian, Director
Information Technology Systems and Services
University of North Dakota
dorette.kerian () mail und nodak edu
701.777-3880

It is the policy of the University that no equipment, beyond a network
interface card supporting a single IP address, be connected to the
campus network without first notifying and gaining approval from ITSS
Network Services. Users of the network may be required to authenticate
when connecting a device to the network.  Adding cabling (with the
exception of the ANSI/EIA/TIA standard patch cable at the network
outlet) or networking components (including, but not limited to,
routers, switches, hubs and wireless access points) without approval
or authorization is prohibited. Equipment found to be attached to the
campus network in violation of this policy may be disconnected and/or
blocked from accessing the network without notice and may result in
disciplinary action.  Under no circumstances may an external network
be interconnected to act as a gateway to the University network
without ITSS' explicit approval.

The integrity, security, and proper operation of the university campus
network require an orderly assignment of IP addresses and the correct
configuration of computer systems and peripheral equipment attached to
the network. Network performance and correct name resolution suffer
when addressing conflicts occur. Therefore, all connections to the
campus network need to be coordinated with IP addresses assigned
statically where needed, or through ITSS DHCP services, or those known
and approved by central IT.  Individuals and/or departments are
required to register services with ITSS (i.e., Dynamic Host
Configuration Protocol (DHCP), Domain Name System (DNS), Simple
Network Management Protocol (SNMP)) to ensure that these services do
not interfere with the functioning of centrally provided network based
services.  All network connections must take into account performance,
security, and privacy.

Note:  This policy does not apply to campus local networks that are 
not connected to the campus backbone or that are known by ITSS to 
exist behind designated routers for firewalls.

**********
Participation and subscription information for this EDUCAUSE 
Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
