Re: Outside Entities Computers

[Adam Stone <adstone () LBL GOV>]

I'm amazed by the level of central control some orgs on this list seem to
have.  In any large research university there are going to be thousands of
short and long term visitors, visiting faculty devices, visiting postdoc
devices, industrial partner devices, experimental devices provided directly
by vendors who want to test them, faculty-owned devices, collaboration owned
devices, etc.    On any given day, we have hundreds of devices on our
network that are not "ours" and our network is modest in comparison to large
research university.

That said, our philosophy is that minimum standards apply whether the
central IT org controls the device or not and irrelevant of who owns it.
Scanning and IDS provide assurance that the device is behaving within some
realm of reasonableness - we do not require root on the box or control of
the OS to have that level of assurance.  If the device misbehaves, they are
bounced from the network until they explain it or fix it.  Network
registration gives us a contact person.  We take steps to minimize the
impact of a single misbehaving device by putting monitoring at many
distributed points and by minimizing the overlap between various webs of
trust.  This not only allows for the patterns researchers expect (bring
devices, work with others), it makes clear where the locus of responsibility
for security sits: End Users and System Administrators (not the central IT
or central security organization).


Adam Stone
IT Policy
University of California - Lawrence Berkeley National Laboratory









On 12/14/07, Lovaas,Steven <Steven.Lovaas () colostate edu> wrote:
> For those of you that run centrally administered networks, it may be easy
> enough to just say "if it's not centrally managed it doesn't get full
> access." For Universities with more distributed IT structures, this is
> harder. Short term guest access is one thing, but there are any number of
> classes of devices whose users are going to require ongoing access to the
> main network, and whose OS and apps are not going to be centrally managed.
> ROTC is a case in point. Funds and procurement rules are generally federal,
> and they basically do their own thing. But because they're also working with
> students they need access to all the things that other departments need.
>
> This would be a great case for defining a separate security zone with a
> firewall and some sort of remote application access (citrix or SSL vpn or
> something of that sort).
>
> There's a more general question, though, that Buz brings up. Do you allow
> non-University clients at all? If so, how do you deal with them?
>
> Steve
>
> ============================================
> Steven Lovaas, MSIA, CISSP
> IT Security Manager
> Academic Computing & Network Services
> Colorado State University
> 970-297-3707
> Steven.Lovaas () ColoState EDU
> ============================================
>
>
> -----Original Message-----
> From: Buz Dale [mailto:buz.dale () USG EDU]
> Sent: Friday, December 14, 2007 8:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Outside Entities Computers
>
> I would think if the ROTC brought up a machine on campus it would be
> be a federal (DOD) Gov't machine.  As such, it should have very strict
> requirements.  It's possible the staff in your local ROTC are not
> aware of this.
>
> Also, do you have a connection policy about machines connecting to
> your network? A special VLAN or Lan they can be placed on outside of
> your firewall and considered hostile?
>
> Luck,
> Buz
>
> On 12/14/07, jason rinne <jasonrinne () hotmail com > wrote:
> > The ROTC department here on campus has brought in two of their own
> computers
> > to use in their office.  My concern is security (anti virus, windows
> > updates) on the computer itself and identifying who was logged in and
> when
> > in case an issue ever came up.
> >
> > Would anyone like to share their thoughts or policies on outside
> entities
> > (such as ROTC) bringing in their own computer for use in their office on
> > campus?
> >
> >
> >
> >
> > Jason Rinne
> > IT Department
> > Missouri Valley College
> > Marshall, MO
> > www.moval.edu
> > ________________________________
> > Don't get caught with egg on your face. Play Chicktionary! Check it out!
>
>
> --
> Buz Dale                                buz.dale () usg edu
> IT Security Specialist              1-888-875-3697 (In GA)
> 1-706-583-2005
> Office of Information and Instructional Technology
> University System of Georgia
> GMT -5:00