Policy Name: Network Service
Policy Number: IS PS0010
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew H. Witten
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.2
POLICY:
The University will provide the required infrastructure for enterprise-wide
local area network services (including wireless) and connections to the
internet, internet-2 and other external networks to further the mission of
the University.
The Information Technology division is responsible for the provision and
management of enterprise-wide local area network services, including wireless
networks. All connections to the network must be via university approved
mechanisms. Only authorized Information Technology staff may install, manage
or change the network infrastructure including but not limited to enterprise
servers, routers, switches and telecommunications equipment as well as access
to these devices.
STANDARDS:
Administrative Standards:
- Network Configuration Authority and Requirements
(To help maintain the integrity, security, availability and necessary resources
of the university network):
- Information Technology provides all network address assignments.
- Unauthorized university network installations or modifications will not receive
IP addresses for computing devices on the unauthorized network. Such devices
will be physically disconnected from the university network and the device's
IP and/or MAC addresses will be blocked from university network access.
Note: This includes wireless networks not connected to the university's
enterprise network and/or private network devices operating within university
facilities or university campuses.
- All internal network devices including but not limited to routers, firewalls and access control servers, have unique passwords and other appropriate access control mechanisms. Demilitarized zones (DMZs) will be utilized to secure the internal network from external channels.
- All perimeter network devices within the university network are configured to meet hardening guidelines and to deny unnecessary services, connections and untrusted networks.
- An inventory of all connections to external voice and data networks and direct connectivity to all non-university entities or untrusted networks is maintained.
- Internal information system addresses, configurations, products and design information are restricted so that they are not accessible to unauthorized internal or external users.
- Non-standard, business-required modification to network perimeter devices is the responsibility of university IT and requires review and assessment of risk defining any alternative controls to implement.
- Network Use
- Faculty, staff and administrators with university LAN accounts usually receive
secure personal drive space accessed via the LAN for individual use (commonly
called the "H" drive).
The university enterprise network drives also include the "I" drive shared
storage area. Space in this area is used by departments and for shared data
and is allocated by academic or administrative unit. Account holders have
read/write access to sub directories as appropriate.
- Monitoring/Altering Network Traffic
- Users are expected to use end user applications such as network drive access,
email and similar programs, as they are intended to be used on the university
network. Scanning of the network, "packet sniffing", packet
interception/copying/decryption and any other means of reading, altering,
spoofing or otherwise monitoring and/or changing network communications is
forbidden without specific approval in writing from both the Information
Security Officer and Information Technology.
- The University reserves the right to analyze network traffic at any time
deemed necessary by either manual or automated means. For example, the University
may specifically monitor network traffic if instructed by legal authorities
or for the purpose of assessing system integrity, performance, management
or possible policy violations. Network audit logs may record the following: packet origination, date/time, source and destination, path, protocol and port and/or other packet monitoring for suspicious activity.
- The use of utility programs capable of overriding system and application controls is restricted to authorized technical support only.
- Guest/Temporary Network Use
- Guest access to the wired network requires faculty, staff or administrator
account sponsorship. See IS PS007 User Accounts and
Acceptable Use for more details.
- Limited guest access to the wireless network is available for visitors of
the university and may be requested by faculty or staff. Guest access will
expire after one week.
Technical Standards:
- General
- All enterprise level authentication requirements external to an application
must be configured to use the university's enterprise directory services.
(Note: This also allows easier configuration of single sign-on abilities).
- Wireless
- A wireless adapter card that fully supports 802.1x is required to access
the network.
- Voice
- The university's voice networking (Voice Over Internet Protocol - VOIP) provided
by Information Technology is based on FCC standards and specifications. This
consists of the telecommunications services, dial tones, telecommunications
equipment, and specialized circuitry. All VOIP connections are maintained
and provisioned by the IT Division.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study
activity or otherwise using university resources. Scope/Applicability also
includes all facilities, property, data and equipment owned, leased and/or
maintained by the university or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The university's Information Security Officer (ISO) is responsible for the
development, modification, publication and oversight of these policies and standards. The ISO works
in conjunction with university leadership, Information Technology, Audit
Services and others for development, monitoring and enforcement of these
policies and standards.
POLICY REVIEW:
This policy will be reviewed annually to determine if the policy addresses university risk exposure and is in compliance
with the applicable security regulations and university direction. In the
event that significant regulatory changes occur, this policy will be reviewed
and updated as needed per the policy management process.
COMPLIANCE:
Failure to comply with these policies and standards and/or any related
information security and/or information technology policy, standard or procedure
may result in disciplinary action up to and including termination of employment,
services or relationship with the University and/or action in accordance
with local ordinances, state or federal laws.
REVISION HISTORY:
Version / Revision Date / Description
1.0 / July 23, 2007 / Original Publication
1.1 / August 19, 2011 / Link change in wireless section
1.2 / January 29, 2013 / Content Update
This policy is subject to change or termination by the University at any
time. This policy SUPERSEDES all prior policies, procedures or advisories
pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair
of the Compliance Oversight Council