University of Glasgow network connection policy

Purpose

The University of Glasgow provides a comprehensive data communications infrastructure underpinning the important role Information Technology plays in the University's teaching, research and administration functions. This infrastructure supports a wide range of intranet and internet services via a high-bandwidth campus backbone that connects standards-based Local Area Networks (LANs) in all University premises. A centralised model for infrastructure management and support has been adopted as this provides a number of benefits with respect to quality, consistency, reliability, conformance, security and on-going development. Maintaining the integrity, security and proper operation of the University's campus network requires order, standards, procedures and policies governing the following.

  • Who can connect
  • What can and can't be connected
  • How do systems connect
  • What address and name space can be used
  • What services can be run
  • What services can be accessed
  • What security measures should be implemented
  • What measures will be taken to monitor compliance  

Scope

This policy covers the connection of all equipment to the University's centrally managed campus network and building Local Area Networks. It also covers the indirect connection of equipment to the University's campus network via remote access servers.

The University's Computing Service (GUCS) is responsible for the data communications infrastructure in terms of:

  • Backbone fibre optic cabling
  • Building premises distribution schemes (UTP flood wiring)
  • Backbone and Building LAN Routers
  • Routing services
  • Building LANs - Ethernet Switches and hubs
  • IP address and name space
  • Novell address and name space
  • AppleTalk address and name space
  • Support services
    • Network management/maintenance
    • Security
    • DNS
    • E-mail relays
    • WWW servers
    • WWW caches
    • Directory services
    • File store services
    • Value added services  

GUCS is therefore the logical entity to co-ordinate, manage and support all connections to the campus network and ensure compliance with this connection policy.

A relatively small number of departments, for historical reasons, have authority to manage their own Local Area Network, or elements of it. Departments in this category must adhere to this and all other University Information Technology Policies.

It is important to note that all equipment physically or indirectly connected to the University's campus network must be associated with, and used in support of, the University's statute, strategic aims and mission; otherwise the University may be in breach of its legal and/or contractual obligations.

Policy

Who can connect

The University's data communications infrastructure is designed to support the teaching, research and administrative functions of the University. All University service departments, faculties and research groups will therefore have the right to connect to the campus network and gain access to the University's information technology resources. In addition, other groups may be connected under the following categories:

  • Other research groups - e.g. MRC, HEP etc
  • Honorary Clinical staff
  • Affiliated/Associated companies engaged in collaborative ventures, teaching and/or research/commercialisation activities. NB, if Internet connectivity via SuperJANET is required then an appropriate licence may be needed
  • Sponsored/Proxy licensees and Visitor connections provided in accordance with the SuperJANET connection policy

It is a breach of this policy to provide connectivity for any groupings out-with the categories described above.

It is important to note that this policy together with other policies ratified by the University Court shall apply irrespective of groupings. Details of all policies relating to the use of networked information resources, at the University of Glasgow, may be viewed at http://www.policy.gla.ac.uk

What can and can't be connected

Technology

The University has implemented the IEEE 802.3 Ethernet standards as the technology of choice for the University's campus backbone and building Local Area Networks, augmented in certain areas by 802.11b/a/g compliant Wireless Local Area Networks. Routing protocol support is provided at 'wire rate' for the IP and IPX protocols, with software (considerably less than 'wire-rate') support for the AppleTalk protocols. Any equipment requiring a connection to the campus network must therefore incorporate a 'standards compliant' Ethernet network interface card (NIC) and a supported protocol stack. The requirements for Wireless LAN deployments are specified in the 'University of Glasgow Wireless Local Area Network Policy'.

Equipment can only be connected to the campus network if it meets the technology standards and all regulatory standards with respect to electrical, safety and environmental operation. Network connection points have been provided to support the following equipment types:

  • User workstations including open access workstations
  • Staff/Student/Visitor provided workstations at selected flexible access locations
  • Central/Faculty/Department servers and Computer clusters
  • Networked printers and photocopiers
  • Specialised equipment e.g. imaging, scanners, process control systems and Videoconferencing equipment  

Restrictions

This policy forbids Faculties, Departments, Users or other groups from extending centrally provided network connection points in an ad-hoc manner, or from connecting equipment or installing software that could be used to monitor or record network traffic, or still or moving images of the surrounding area, without proper authorisation. It is therefore a breach of this policy to connect any of the following equipment or services without authorisation.

  • Ethernet Hubs, Switches or Bridges
  • Firewalls
  • Proxy servers
  • Protocol Routers
  • Access gateways including remote access servers and multi user systems
  • Wireless LAN access points
  • Network cameras, including web cams that do not comply with the University's policy on Surveillance
  • Any equipment configured in promiscuous mode for the purpose of monitoring or recording Network traffic not specifically addressed to that equipment e.g. Network traffic with a source or destination MAC address other than the Unicast address of the equipment
  • Installing software on workstations or servers that would enable unauthorised monitoring of Network traffic
  • Staff/Student/Visitor provided workstations to network connection points other than flexible access connection points
  • Any equipment which is not associated with, and used in support of, the University's statute, strategic aims and mission

If there is a legitimate requirement to extend or augment the communications infrastructure via any of the above, then this requirement must be discussed and agreed with GUCS. In particular GUCS will provide advice and support on the use, role and deployment of the following:

  • Protocol Routers
  • Firewalls and Proxies - NB the University may have existing framework agreements for recommended equipment
  • Wireless LAN deployment and policy - NB the University may have existing framework agreements for recommended equipment
  • Remote access solutions - Ref: Bastion host and Universal Access Policies
  • Network Monitoring activities

If the requirement is to install a Network Camera or Web Cam then this must comply with the University's policy on Surveillance and be approved by Central services and the Data Protection officer.

Where equipment is found attached to the campus network in violation of this policy, the owners of the equipment will be asked to disconnect it. If this is not done in a timely manner then the equipment and any systems operating behind it will be blocked from accessing the campus network. The unauthorised connection of network monitoring equipment or unauthorised use of network monitoring software will be considered an act of gross misconduct.

Disclaimer

The University accepts no responsibility for any loss or damage to hardware, data or software arising directly or indirectly from the use of its computing facilities, and makes no warranty, express or implied, regarding the facilities or their suitability for any particular purpose.

Rights

The University reserves the right to modify, upgrade, withdraw or otherwise alter the facilities it provides.

The University reserves the right to examine all systems, data and software in use on its facilities, and to monitor usage, in order to ensure conformance with all relevant University Policies and to ensure the facilities function in a secure, efficient and effective manner.

How do systems connect

Network connection points provide the primary means by which suitable equipment is connected to a Local Area Network and hence to the University's campus network. The University has adopted 'industry standard' Premises Distribution Schemes (PDS) as the data communications wiring standard for all University buildings; to date approximately 18,000 PDS network connection points are available over the entire campus. Each connection point is presented as an RJ45 connector mounted within a suitable faceplate and containment system. The data transmission medium used is industry standard unshielded twisted pair (UTP) cable providing four pairs of wires per connection point. The UTP cables run radially from each connection point to specialised termination panels located within secure wiring closets that also house campus network and building LAN active components.

Premises Distribution Schemes are generic systems capable of supporting a wide variety of applications including data communications and telephony services. Increasingly the University's PDS systems are being used to provide telephone connection points as well as network connection points. This development further emphasises the security status of the many building wiring closets. Maintaining the physical integrity of the services running over centrally provided PDS systems requires that access to building wiring closets be restricted to GUCS authorised personnel and their approved sub-contractors. It is therefore a breach of this policy for any other personnel to access any wiring closet for purposes other than dealing with a serious environmental incident, e.g. removing power to avoid risk of fire.

Network activations, i.e. activating an Ethernet service on a centrally provided network connection point, must be performed by authorised GUCS personnel. The procedure for obtaining an active Ethernet network connection is as follows.

  • All Faculties, departments, research groups or other 'groupings' must forward details of their Nominated representatives to the Admin department at GUCS, e-mail admin@compserv.gla.ac.uk
  • All requests for activations must be submitted via Nominated representatives
  • Nominated representatives should determine the following
    • Network connection ID in the form of the xx/yy/zz code located on the network connection faceplate
    • Equipment type and proposed use
    • Type of Ethernet connection 10 or 100Mbs
    • Sub-net, if known, that the connection is to be activated on
    • Account code for charging purposes
  • Representatives should forward requests, providing the necessary details, in writing or via e-mail (net-admin@compserv.gla.ac.uk) to the admin department, Computing Services

Flexible network access facilities are available that provide authorised users, who wish to use their own systems, access to their work related Information Technology resources. Further details are available from the University's Universal Access Policy.

This service is strictly limited to the connection of personal workstations i.e. it is a breach of this policy to connect any system that provides 'Server' functionality to the flexible access network.

What address and name space can be used

The University owns address and name space, which is used to partition the network into manageable sub-networks and to uniquely identify all connected end-systems. The main address space is allocated via logical sub-net partitions taken from the globally unique University of Glasgow Class 'B' IP network address. The current method of partitioning provides around 254 sub-nets, each with a maximum address space of 254 entries. Further divisions within sub-nets are possible, as is the aggregation of sub-nets into larger chunks. The IPX address partitions (wire addresses) follow their IP equivalents since there is a close relationship between their address structures. For Apple systems an in-house solution based on logical sub-net numbers has been adopted. What is crucial is that addresses are allocated to sub-nets and end systems in a way that ensures uniqueness and manageability and avoids wasting a precious resource. For these reasons the following rules will apply.

IP addressing

Routable sub-nets are allocated by the GUCS Network group as required to meet user demand. Although the main address space is limited to the University's Class B range, current usage indicates that there is sufficient space to handle moderate expansion. If future demand exceeds the capacity of the Class B range then solutions based on the University's Class C allocations or Private address space (RFC 1918) will be implemented.

The procedure for obtaining a unique IP address for use on the campus network is as follows:

  • All requests should be submitted via Nominated faculty/departmental representatives
  • Nominated representatives should determine if a previous allocation is available for use
  • Nominated representative should e-mail hostmaster@compserv.gla.ac.uk with a request for a new allocation or an indication that a previous allocation has been re-used.
  • Nominated representatives should include the following information in their e-mail:
    • Ethernet MAC address
    • System specification, including operating system and applications software
    • System designation - Server or workstation
    • Meaningful domain name to be associated with the new or re-used allocation
    • Assurances that the system will be kept up to date with respect to:
      • Operating system and applications patch levels
      • University approved anti-virus software and virus definition files
  • If a block of addresses is required then a detailed case must be submitted by the Nominated representative
  • Requests for 'address blocks' for future use will not be granted. To avoid hoarding and wasting a valuable resource only addresses that are required immediately will be granted
  • GUCS reserves the right to reclaim IP addresses that have not been used for six months or more

In environments where IP addresses are allocated to systems via approved BootP or DHCP servers, procedures for recording each MAC address (or user), IP address and date/time stamp association must be implemented. The recommended way to implement this requirement for BootP/DHCP clients that remain at fixed locations is to maintain a static binding between each MAC address and IP address wherever possible.

It will be a breach of this policy for an IP address to be acquired and used by any other means, in particular:

  • Users or Nominated representatives must not borrow or appropriate addresses from colleagues or other sources
  • Users or Nominated representatives must not guess or scan for free addresses based on a knowledge of the sub-net in use
  • Users or Nominated representatives must not use reserved address space i.e. the sub-net broadcast addresses, default gateway addresses or those reserved for managed network equipment (normally addresses <= 20)
  • Users must not change their unique address assignment unless instructed to do so by their nominated representative, IT support, Hostmaster or GUCS network support

IPX addressing

IPX wire addresses are derived from the IP sub-net address of the sub-net on which the Novell servers are to be located, e.g.

A Novell server requiring connection to a sub-net with an IP subnet address of 130.209.10.0 would use a Novell IPX wire address of 82D10A00, which is the hexadecimal representation of 130.209.10.0 with the dots removed. Novell administrators are strongly advised to adhere to this scheme even though the IPX routing service does not police it.
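The wire-address derivation above, together with the host address rules from the IP addressing section (the /24 partition, and host numbers up to 20 reserved for managed network equipment), as an added Python example that is not part of the policy or of any GUCS tool; `ipx_wire_address` and `check_host_allocation` are hypothetical helper names.

```python
import ipaddress
from typing import List

# Host numbers reserved on each sub-net for the default gateway and managed
# network equipment; the policy states "normally addresses <= 20".
RESERVED_MANAGEMENT_HOSTS = 20


def ipx_wire_address(subnet: str) -> str:
    """Return the Novell IPX wire address for an IP sub-net.

    The scheme in the policy: write each octet of the sub-net address as two
    hexadecimal digits and drop the dots, so 130.209.10.0 -> 82D10A00.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    return "".join(f"{octet:02X}" for octet in net.network_address.packed)


def check_host_allocation(subnet: str, host: str) -> List[str]:
    """Return the allocation rules a proposed host address would breach.

    An empty list means the address is an acceptable unicast host address
    on that sub-net (it still needs a hostmaster allocation, of course).
    """
    net = ipaddress.ip_network(subnet, strict=False)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        return [f"{host} is not within sub-net {net}"]

    problems = []
    if addr == net.network_address:
        problems.append("sub-net network address is reserved")
    if addr == net.broadcast_address:
        problems.append("sub-net broadcast address is reserved")

    # Host number relative to the sub-net base, e.g. 130.209.10.5 -> 5.
    host_number = int(addr) - int(net.network_address)
    if 0 < host_number <= RESERVED_MANAGEMENT_HOSTS:
        problems.append(
            f"host number {host_number} is reserved for managed network "
            f"equipment (<= {RESERVED_MANAGEMENT_HOSTS})"
        )
    return problems


if __name__ == "__main__":
    # Worked values from the policy text: 130.209.10.0 partitioned as a /24.
    print(ipx_wire_address("130.209.10.0/24"))
    for candidate in ("130.209.10.57", "130.209.10.5", "130.209.10.255"):
        print(candidate, check_host_allocation("130.209.10.0/24", candidate) or "OK")
```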

Appletalk addressing

Appletalk Zones and addresses are seeded from the main campus routers; therefore no direct user configurations are required. However to maintain the integrity of the information seeded by the campus routers, no other devices should be configured to seed network information.

Name Space

The University primary Domain Name space is registered via the following sources:

  • UKERNA - gla.ac.uk and glasgow.ac.uk
  • Internic - glasgow.edu

In addition a variety of domains have been registered in the (.com), (.co.uk), (.net.uk), (.biz) and (.info) domains to accommodate various PR, business and collaborative ventures. The University of Glasgow top-level domains and the majority of sub-domains are managed entirely via the University's central Domain Name Servers (DNS). For historical reasons a very small number of sub-domains have been delegated to faculties/departments and local DNS servers manage these.

The University of Glasgow Domain Name System (DNS) is crucial for most service delivery tasks, including access to and from the global Internet. Locally this policy identifies the requirement for all IP systems to be registered with the DNS server(s) authoritative for the appropriate domain. Details of which Domains would be appropriate for specific users, IP addresses or sub-nets may be obtained from GUCS, Nominated representatives or local system administrators. Nominated representatives, system administrators and end users are asked to ensure that up-to-date and meaningful associations are maintained between allocated IP addresses and Domain Names.

Faculties, departments or other groupings wishing to register and use a Domain outwith existing University of Glasgow top-level domains must discuss their requirements with GUCS. Any such domains that indicate a commercial or non-academic activity may require a suitable licence to operate on SuperJANET. Please note UKERNA will only grant a licence if the activity satisfies their acceptable use and connection policies.

What services can be run

The services that can be run on systems connected to the University's campus network will be dependent on the following:

  • Systems classification i.e., workstation or server
  • Importance of service to the users of that service
  • Bespoke, specialised systems

Workstations

A workstation is defined as a personal system, or open access cluster system that is designed to support a single user at any point in time. However certain server applications provide virtual workstation functionality i.e., interactive terminal sessions or virtual desktop sessions. Workstations are intended to support the client software necessary to provide users with access to their 'work' related information technology resources. Workstations must not be configured with software that provides server functionality to users on or off the campus network or any tools that may compromise the workstation, other networked systems or the credentials of any users. In particular the following services must not be configured:

  • FTP/tftp server
  • Telnet server
  • SMTP server
  • WWW server
  • Remote access services
  • Routing services
  • BootP and or DHCP services
  • Proxy arp services
  • Third party or public domain P2P services
  • Native P2P file sharing services
  • Native P2P print sharing services
  • Network management/SNMP services
  • Network scanning/sniffing tools
  • Session monitoring, spy or keyboard logging tools
  • MUD services  

It is recognised that there may be a legitimate reason for configuring some of the above services, e.g.

  • FTP server to provide a temporary way of transferring files between workstations
  • P2P file and print sharing within a small collaborative workgroup  

In such circumstances users must discuss their requirements with their local IT support staff or GUCS to assess and address the security implications; in particular users must:

  • Limit the scope of service provision
  • Protect access to legitimate P2P resources via per session user names and strong passwords, strong directory/file passwords and stopping others from enumerating any share or user details from the workstations concerned

The integrity of the workstation operating system and applications must be maintained by ensuring that it remains free from unnecessary software, virus or other infections. To achieve this IT support staff and users must ensure that workstations are configured and maintained as follows:

  • Workstations must operate with an up to date version of the University's approved anti virus software configured with the latest virus definition files
  • Workstations must be maintained to the latest operating system and applications patch levels

Servers

Servers are defined as systems that are configured, operated and supported to provide groups of users with access to specific information technology resources. Because servers typically support many users it is important to ensure maximum service availability and integrity: special consideration should therefore be given to the following:

  • Environmental conditions - Air conditioning, UPS
  • Systems administration - Operating system and application service, support and maintenance
  • Systems security - Location, operating system and service protection
  • Performance - Bandwidth requirements and effect on other sub-net users

Servers must be configured to provide only those services necessary for their primary purpose; in particular Servers should not be configured to provide any of the following:

  • Routing Services
  • Routing advertisements, e.g. RIP, OSPF
  • Proxy arp services
  • BootP/DHCP services unless approved by GUCS
  • Remote access services unless approved by GUCS
  • Dual role Server/workstation  

The University's requirements for approved server configuration, operation and support are specified in the University's Bastion Host Policy.

Remote Access Services

Remote access services provide methods of accessing the University's campus network resources that may bypass normal boundary security measures. It is therefore essential that remote access services are established, administered and supported in a way that does not compromise the integrity of the University's security environment.

Secure remote access services are provided via the centrally managed Virtual Private Network (VPN) servers and the Dial-in facility. In exceptional circumstances Faculties, Departments or other groups may have a legitimate need to provide and operate their own private remote access service. All requirements relating to private remote access services must be discussed and agreed with GUCS who will stipulate the security, support and administration overheads associated with such a service (ref: Bastion Host Policy). As a condition of agreement GUCS requires that all private remote access services be registered with them and that the registration provides the following information:

  • Service details
  • Type of service - Dial in, VPN etc
  • Hardware, software and location
  • Services provided - Full LAN access, restricted LAN access etc.
  • IP address space used
  • System administrators - Contact details
  • Number of simultaneous users
  • User registration procedure
  • User authentication procedure
  • Security policy

Bespoke, specialised systems

Care must be exercised when connecting bespoke systems to the campus network, as in many cases they will be based on common operating systems running base services that may pose a risk to the integrity of the system and other connected systems. If risks and solutions have not been identified at the outset then advice from GUCS should be sought before requesting connections.

What services can be accessed

Workstation users can only access services for which they have a legitimate need and have obtained the proper authentication and authorisation credentials. Knowingly accessing or attempting to access a service without authorisation will be regarded as an act of gross misconduct. The services available to users of the flexible access network will be restricted to those currently available to authorised remote access users. All users of the University's Information Technology Infrastructure must comply with this and all relevant University policies.

What security measures should be implemented

This section summarises the University's security requirements that apply to Workstations, Users and Network Servers.

Workstations

Workstations must not be configured with software that provides server functionality to users on or off the campus network or any tools that may compromise the workstation, other networked systems or the credentials of any users.

Open access workstations must be configured such that they revert to a consistent and usable state on system reset or user logout. They must preserve the integrity of any previous user sessions and require a successful user authentication dialog before access to other resources is permitted. NB Common Student Computing Environment (CSCE) workstations meet these requirements.

All workstations must be configured to enforce acceptable levels of security including authenticated user access before access to other resources is permitted. The University's Standard Staff Desktop and Common Student Computing Environments implement this requirement by design. Other workstation environments must as a minimum implement the following procedures:

  • User sessions must be authenticated and users accounts must be associated with strong passwords 
  • Local Administrator/Root accounts must be restricted to systems administrator use
  • All Guest accounts must be removed or their use restricted
  • Proactive systems security measures, i.e.:
    • Workstations must be kept up to date with respect to operating system and applications patch levels
    • Workstations must be protected by an up to date version of the University's recommended anti-virus software operating with the latest virus definition files
  • Data integrity - File systems and data integrity must be maintained by implementing network file storage or local system backup and restore procedures

Particular attention must be given to portable computers that are also used as workstations on the campus network, i.e. where staff or other users are allowed to connect their personal or University provided portable computer to a network connection point other than a flexible access connection point. Since there is a high risk that a portable computer used in this way will have been connected to another external network, procedures must be adopted to ensure that the portable computer is free from virus or other infections before it is connected to the University's campus network. As a minimum the following procedures must be implemented:

  • IT support staff must make users aware of the risks involved in connecting their portable computer to the Internet via different providers (ISPs) either from home, other institutions or commercial facilities (hotels etc).
  • IT support staff and users must implement and maintain proactive security measures for portable computers i.e.,
    • Users must authenticate before access to Information Technology resources is permitted
    • Portable computers must be kept up to date with respect to operating system and applications patch levels
    • Portable computers must have an up to date version of the University's recommended anti virus software installed and operating with the latest virus definition files
    • Portable computers exposed to always-on networks, e.g. broadband networks or other institutions' networks, must have a University approved personal firewall shim installed and kept up to date with recommended security policies.
  • IT support staff and users should consult GUCS for further details on:
    • Anti virus software
    • Personal firewalls
    • Current systems security recommendations
  • IT support staff and users must ensure that all copyrighted software installed on portable computers is properly licensed
  • Authorised personnel must be able to audit a portable computer to ensure compliance with this policy

All workstations should be configured to comply with this and other relevant Information security policies with particular emphasis on authenticated access, operating system and application patch management and University approved anti virus software. The anti virus software must be kept up to date and operational; disabling anti virus software will be considered a breach of this policy.

Users

Users, other than flexible access users, may only use workstations for the purposes they were legitimately configured for. It will be a breach of this policy for anyone to alter a workstation's configuration or purpose without authorisation.

Workstation users may only access services for which they have a legitimate need and have obtained the proper authentication and authorisation credentials.

Users must note that all system authentication credentials assigned to them are for their own personal use. Authentication credentials must not be shared or disclosed to any third party other than authorised system support personnel. It will be a breach of this policy for any user to misuse their own or other users' authentication credentials. If any such misuse results in a user knowingly elevating their system privileges above those that they have been authorised to use then this will be considered an act of gross misconduct.

Servers

Servers must be configured to provide only those services necessary for their primary purpose.

Servers must comply with this policy and the University's policy on approved Server configuration, operation and support as specified in the University's

What measures will be taken to monitor compliance

GUCS will adopt a range of measures to monitor compliance with this policy, including:

  • System inspection. As a condition of connection to the University's campus network, system owners must agree that GUCS, UGCirt or other authorised personnel may inspect their systems on request and at any reasonable time
  • Network management systems tracking network connection point, MAC address and IP address bindings
  • Network management systems tracking active Ethernet hub and switch ports for the number of MAC address associations
  • Active scanning for vulnerabilities
  • Auditing system logs on the centrally supported servers, routers and IDS systems
  • Liaising with national CERT teams and the local incident response team
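The two network-management checks above (connection point/MAC/IP bindings, and the number of MAC addresses per switch port), as an added Python example that is not part of the policy or of any GUCS system; the switch names, port numbers, MAC addresses, IP addresses and xx/yy/zz connection IDs are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of a switch MAC address table as exported by a network
# management system, one "<switch> <port> <mac>" entry per line.
MAC_TABLE = """\
sw-bldg7 1/0/3  00:11:22:33:44:01
sw-bldg7 1/0/4  00:11:22:33:44:02
sw-bldg7 1/0/4  00:11:22:33:44:03
sw-bldg7 1/0/4  00:11:22:33:44:04
sw-bldg7 1/0/9  00:11:22:33:44:05
"""

# Constructed hostmaster register: MAC -> (allocated IP, network connection ID).
REGISTER = {
    "00:11:22:33:44:01": ("130.209.10.21", "07/02/15"),
    "00:11:22:33:44:02": ("130.209.10.22", "07/02/16"),
    "00:11:22:33:44:03": ("130.209.10.23", "07/02/17"),
}

PortKey = Tuple[str, str]  # (switch, port)


def parse_mac_table(text: str) -> Dict[PortKey, Set[str]]:
    """Parse '<switch> <port> <mac>' lines into {(switch, port): {mac, ...}}."""
    table: Dict[PortKey, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed export lines
        switch, port, mac = parts
        table[(switch, port)].add(mac.lower())
    return dict(table)


def find_multi_mac_ports(table: Dict[PortKey, Set[str]],
                         max_macs: int = 1) -> List[Tuple[str, str, int]]:
    """Ports carrying more MAC addresses than a single end-system should.

    A connection point is activated for one workstation, printer or server,
    so several MACs behind one switch port is the signature of an
    unauthorised hub, switch or wireless access point extending the point.
    """
    return sorted(
        (switch, port, len(macs))
        for (switch, port), macs in table.items()
        if len(macs) > max_macs
    )


def find_unregistered_macs(table: Dict[PortKey, Set[str]],
                           register: Dict[str, Tuple[str, str]]) -> Set[str]:
    """MAC addresses active on the network that hold no hostmaster allocation."""
    seen = set().union(*table.values())
    known = {mac.lower() for mac in register}
    return seen - known


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for switch, port, count in find_multi_mac_ports(table):
        print(f"{switch} port {port}: {count} MAC addresses - check for ad-hoc hub/switch")
    for mac in sorted(find_unregistered_macs(table, REGISTER)):
        print(f"{mac}: no hostmaster allocation - ask nominated representative to register")
```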

References

This policy is based on information gathered from a variety of sources including:

  • Local procedures and experience
  • Consultation with interested parties
  • Other Organisations and Institutions connection policies

The following Organisations and Institutions have provided reference material and deserve acknowledgement:

University of Utah Network Connection Acceptable Use Policy
http://www.netcom.utah.edu/info/network_policy.html
http://www.it.utah.edu/network%20connection%20policy%20111501.html

Montana Tech Connection Policy
http://www.mtech.edu/NetServe/layout.htm.
http://www.mtech.edu/netserve/Security_Policies/master%20document.htm

University of Texas at Dallas Campus Network Connection Policy
http://www.utdallas.edu/ir/policies/networkconnection.html

The Suburban Library System
http://www.sls.lib.il.us/infotech/dil/AUPs/SLS_AUP.html

Eastern Connecticut State University Residence Hall VAX Network Connection Policy
http://www.easternct.edu/depts/dc/docs/resnet/resnet-policy.html

The Manchester Metropolitan University Policies
http://www.isu.mmu.ac.uk/general/strategy-policies/policies/network-genl0007.shtml

University of Ulster Network Connection Policy
http://www.ulst.ac.uk/isd/infra/uucert/network.pdf

University of Bath Computing Services Host Connection Policy
http://www.bath.ac.uk/bucs/policies/hostconnection.htm

JANET Connection Policy
http://www.ja.net/documents/connection_policy.pdf

The Open University
Policy for Attaching Equipment to & Operating Equipment on the University's Network
http://www.open.ac.uk/university-documents/Policy_attach_equipment.html