Educause Security Discussion mailing list archives
Re: network connection policies-procedures
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 10 Nov 2003 08:58:33 -0700
I am also very interested in learning about institutional security policies that might be considered as "models" or an "effective practice" that others can emulate. The Security Task Force has a collection of security policies at http://www.educause.edu/security/policies.asp and we are looking to add to that collection. I am especially interested in policies that were recently developed or successful efforts at establishing security policy within institutions of higher education. I will have an audience of college and university attorneys and administrators later in the week who will be eager to learn of other policies that they can turn to for guidance.

Thanks,

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE

-----Original Message-----
From: Brian Kaye [mailto:bdk () UNB CA]
Sent: Thursday, November 06, 2003 10:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] network connection policies-procedures

Here is the meat from the main network policy at the University of New Brunswick. Interestingly, these are the policies that we have operated under for years but had not formalized. We have not ever submitted them for approval. We implemented them. It's one of these things about asking for forgiveness later. We were operating under these policies so just wrote them down. But we have not touched this one for a couple of years. We have policies and procedures written for a number of specific areas like wireless, student supplied equipment on the residence network.

.....Brian Kaye
.....University of New Brunswick

Background: Computing Services is responsible for the operation of UNB's data and voice networks and therefore has the authority and responsibility to specify requirements for any devices that are connected and enforce the policies set forth here and elsewhere.

Goal: This document is intended to formalize the policies with respect to the computer networks for the University of New Brunswick. It is not the acceptable use policy but more of an Acceptable Operations Policy. The UNB Network and other computing resources are a shared resource for the University community. The rules of use outlined in this document are intended as guidelines for the use of this shared resource to help to maximize the availability of the network resources for all. The university considers any violation of acceptable use principles or guidelines to be a serious offense and reserves the right to test and monitor security, and copy and examine any files or information resident on systems attached to its networks allegedly related to unacceptable use.

Scope: This policy applies to all segments of the University network. It includes all administrative, academic and commercial networks which are part of the University family of networks. The authority defined by this policy extends to the device types which may be connected to the University network and to accounts or services on those devices. In the case of networking electronics this applies to (but is not restricted to) routers, repeaters, wireless devices, telephones or switches as well as individual workstations or servers. In addition this policy applies to individual workstations, servers, test equipment of any type and any other equipment which may generate or receive traffic on the network. It also extends to certain configuration parameters of any device which could affect other parts of the network. In addition this policy authorizes Computing Services to examine any personal computer, peripheral or network device for information related to network incidents.

Appeal: If a party feels that they have been unfairly treated in the implementation of this policy, the party can file an appeal with their appropriate Vice President. The Vice-President will convene a meeting of the relevant parties. His decision will be binding.

Implementation: All network users are expected to follow these rules:

1. The networks and services provided to students, faculty and staff are provided to enhance the educational experience and/or to assist in job related activities. All other uses are considered secondary.
2. All users are expected to use the network and resources on the network in a diligent manner in keeping with the objectives of the University.
3. No one shall permit access to University resources to persons or devices not associated with the University. Use of accounts is the responsibility of the holders of the accounts.
4. No commercial activity is permitted across the University network. Commercial organizations who have a presence on the UNB campus may not offer any services across the University network. These organizations must use a separate network access for that purpose. The network provided to these organizations is for access to University resources and other research services connected to the University network.
5. Operation of servers of any sort is not permitted on student networks. Operation of servers on staff networks should be coordinated with Computing Services (CSD) so that they can be placed in an optimal location on the network.
6. No one shall attach a modem or any other communications device which will provide an external connection to the university's network. This includes but is not limited to:
   - bridges, routers or repeaters
   - modems which connect to a single machine
   - modems which connect to a terminal server
   Exceptions may be permitted for staff working from home or for equipment in teaching labs when required for academic or research purposes. These must be cleared with CSD.
7. All network connections are subject to the protocol and service restrictions listed in the protocols document.
8. Tunnelling of banned protocols or services is not permitted.
9. Operation of any machine or protocol which unduly affects the performance or operation of the UNB networks is not permitted and is subject to immediate disconnection.
10. The use of the networks for game playing or the distribution of non-educational material is not acceptable. The University does recognize that some areas of research do use games. Computing Services should be informed of the nature and time of such activities.
11. The university's currently registered domain names (UNB.ca, UNBF.ca and UNB.edu) are for the exclusive use of the university.
12. Use of domain names other than the ones the university has reserved for its use is not permitted.
13. Subdomains (e.g. x.unb.ca) of the domains the university has reserved will be allocated to appropriate university departments.
14. All Internet domains used on the UNB network must end with the string "unb.ca", "unbf.ca", or "unb.edu".
15. Internet domains for departments or faculties consist of either the full name of the department or an approved abbreviation.
16. All users are expected to use the network services and resources in a responsible way. It is not acceptable to overload communications resources for any purpose.
17. Scanning or monitoring of the network or any part of the network is not permitted.
18. All users are expected to use the accounts on services for their own use. Sharing of accounts and passwords is not permitted.
19. No one may operate a server of any type which permits relaying of electronic mail or other information not destined for or originating from UNB. The only exception is the UNB Listserv which operates email lists for various groups with which UNB has an interest.

Remedy: Violation of these policies and/or the Acceptable Use Policy is subject to immediate disconnection of the offending device(s) and/or accounts. See the Policy on Disconnection from Network for a description of the enforcement of these guidelines.

The University reserves the right to examine the content of any machine which it owns or is connected to its network.

On Thu, 6 Nov 2003, Dorette Kerian wrote:
Date: Thu, 6 Nov 2003 08:07:58 -0600
From: Dorette Kerian <dorette.kerian () MAIL UND NODAK EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] network connection policies-procedures

Colleagues,

We've found some models of network policies at some of your web sites and developed a proposed policy--the meat of it is copied below.

* We're looking for ways to make it more effective, more acceptable, or otherwise better and would appreciate your suggestions.
* I'd also like to hear from those who tried this approach--successes and failures--to benefit from your lessons learned.
* And maybe for those who didn't try--the benefit of knowing why.
* Also, if you have procedures to implement network policies including approval and authorization processes, would you be willing to share those?

If you would respond directly to me at dorette.kerian () mail und nodak edu, I'd synthesize for the list.

I'm sending this to both the Security and CIO lists so my regrets if you received this twice. Thanks for your consideration.

Dorette.

Dorette Kerian, Director
Information Technology Systems and Services
University of North Dakota
dorette.kerian () mail und nodak edu
701.777-3880

It is the policy of the University that no equipment, beyond a network interface card supporting a single IP address, be connected to the campus network without first notifying and gaining approval from ITSS Network Services. Users of the network may be required to authenticate when connecting a device to the network. Adding cabling (with the exception of the ANSI/EIA/TIA standard patch cable at the network outlet) or networking components (including, but not limited to, routers, switches, hubs and wireless access points) without approval or authorization is prohibited. Equipment found to be attached to the campus network in violation of this policy may be disconnected and/or blocked from accessing the network without notice and may result in disciplinary action. Under no circumstances may an external network be interconnected to act as a gateway to the University network without ITSS' explicit approval.

The integrity, security, and proper operation of the university campus network requires an orderly assignment of IP addresses and the correct configuration of computer systems and peripheral equipment attached to the network. Network performance and correct name resolution suffer when addressing conflicts occur. Therefore, all connections to the campus network need to be coordinated with IP addresses assigned statically where needed, or through ITSS DHCP services, or those known and approved by central IT. Individuals and/or departments are required to register services with ITSS (i.e., Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Simple Network Management Protocol (SNMP)) to ensure that these services do not interfere with the functioning of centrally provided network based services. All network connections must take into account performance, security, and privacy.

Note: This policy does not apply to campus local networks that are not connected to the campus backbone or that are known by ITSS to exist behind designated routers for firewalls.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- network connection policies-procedures Dorette Kerian (Nov 06)
- <Possible follow-ups>
- Re: network connection policies-procedures Brian Kaye (Nov 06)
- Re: network connection policies-procedures Doug Sandford (Nov 10)
- Re: network connection policies-procedures Rodney Petersen (Nov 10)