Campus Policy Number: 400-37
Policy Topic: Use of Network Devices
Policy Owner: Associate Vice Chancellor-Computing and Communications
Original Date: 09/25/2011
One of the major shared resources of the University of California (UC) Riverside is its data network. The ability of the campus to conduct business is dependent on reliable and stable access to the network and through the network to the Internet. University network and Internet connectivity can be jeopardized by computers/workstations, servers, and other network devices that are not adequately protected from attack.
Compromised or vulnerable network devices connected to the campus electronic communications network present potential harm to the network, to other devices on the network, to other networks and the devices attached to them, and to the overall standing of the UC Riverside information technology enterprise. Delays in responding to compromised devices could result in losses of data and productivity, other operational problems, legal consequences, and harm to the reputation of the University. Consequently, it is imperative that a set of minimum standards and practices be established, including a protocol that addresses the identification and removal of any compromised network device in order to eliminate the risk it may pose.
This policy establishes that network devices, wired and wireless, connected to the University of California (UC) Riverside electronic communications network must meet campus security standards or seek exception authorization. Campus units may develop and implement more rigorous security standards. Computing applications hosting critical and/or sensitive university information are subject to more stringent security standards, as defined in UC Business and Finance Bulletin, IS-3.
UC Riverside encourages the use of its electronic communications network in support of education, research, and public service. However, this resource is limited and vulnerable to attack. UC Riverside therefore reserves the right to deny access to its electronic communications network by any network device that does not meet its standards for security.
This policy requires compliance with minimum security standards to help protect not only the individual network device, but other network devices connected to the electronic communications network. The policy is also intended to prevent exploitation of campus resources by unauthorized individuals.
The policy applies to all network devices connected to the campus electronic communications network or using a ucr.edu Internet Protocol (IP) address* to originate electronic communications. These network devices may include but are not limited to computers, printers, and other network appliances, as well as hardware connected to the campus network from behind firewalls or Network Address Translation (NAT) systems.
A. Computing and Communications (C&C) is responsible for operating the campus electronic communications network (wired and wireless) and for ensuring a secure and positive network experience for the entire campus community. Additionally, C&C is responsible for:
· Providing direction, planning, and guidance about information security.
· Developing, implementing, maintaining, reviewing, and updating campus-wide information security policies and procedures.
· Documenting and promulgating minimum security standards for network devices.
· Reviewing and approving/disapproving requested exceptions to minimum security standards.
· Working with the campus community to protect computers and the campus network infrastructure from electronic attack.
· When deemed necessary, blocking access to the University electronic communications network.
B. Each campus unit is responsible for verifying that network devices connected to the electronic communications network from the unit are supported by an administrator or designated user with the ability to maintain minimum security standards.
C. Each campus unit administrator or unit designated user is responsible for monitoring and maintaining unit adherence to the minimum standards for security as it relates to the use of network devices.
D. Each individual is responsible for using only network devices on the University electronic communications network that comply with the minimum standards set forth in this policy.
A. General Provisions
In order to provide an optimal network infrastructure to all faculty, staff, and students, the standards and practices outlined below will be followed:
· The University data network infrastructure (consisting of outside fiber and copper cable plant, building fiber and copper cable plant, electronics providing connectivity to Internet2 and the commodity Internet, campus core network electronics, building network electronics including wireless, and network monitoring and security devices) is planned, deployed, maintained, and managed on behalf of the Chancellor by C&C.
· The University internet domain name space (consisting of its IP space, DHCP service, static IP address, etc.) is planned, deployed, maintained and managed on behalf of the Chancellor by C&C.
· C&C, depending upon the size of the network in question, its impact on research and/or instruction, or for other compelling reasons, may engage in a partnership to manage and maintain specific campus building networks.
B. Specific Provisions
· Campus network users may not install switches, hubs, routers, wireless access points, or any other active or passive network device. The installation of the aforementioned electronics is generally performed directly by C&C; however, from time to time, it may be done by other campus unit staff, working in conjunction with C&C staff, for compelling reasons including research and development demands.
· Campus network users may routinely attach personal workstations, printers, or file, print, or applications servers to UCR’s network. C&C’s standard is one MAC address to each data switch port. Attaching devices other than those listed above should only be done in consultation with C&C.
· Campus network users may not connect any device that presents itself as multiple, concurrent IP addresses, such as servers. This includes, but is not limited to, routers, switches, hubs, and wireless access points. Users that choose to use both IPv4 and IPv6 will present one of each type of address.
· Campus network users that require additional network ports, wireless coverage, or network services of any kind should submit a Communications Services Work Order Request (https://comm.ucr.edu/comm).
· Campus network electronics that are not acquired, installed, and managed by C&C create a significant security risk to the campus and also create potential sources of operational interruption. Therefore, if C&C (through normal network monitoring and management) discovers non-compliant network electronics connected to the University electronic communications network, the following actions will be initiated:
o C&C will contact the campus network user alerting him/her to the discovery of the non-compliant network electronics.
o C&C will inform the campus network user of the policy relating to the deployment of non-compliant network electronics.
o C&C will collaborate with the campus network user to develop a plan to migrate the network electronics to the supported electronic platform.
Note: Remediation effort may involve departmental expenditure to support network electronic acquisitions and inside network cable costs.
· Unless approved by C&C, campus network users may not contract with a non-University entity to install network electronics.
· UC Riverside will only route Ethernet IPv4 and IPv6 packets.
· C&C manages the University IP space via Dynamic Host Configuration Protocol (DHCP) with fixed addresses (MAC address to IP mapping) assigned as necessary for such things as file servers and printers. For more information about this service, campus units are encouraged to contact the C&C Director of Communications.
· C&C attempts to satisfy requests for special network topologies that are required for specific research or instructional initiatives. For more information about the creation of a specialized network, campus units are encouraged to contact the C&C Director of Communications.
C. Network Device Issues
Unsanctioned access points and routers are a security risk for the campus community and adversely affect the performance of the entire campus electronic communications network. Wired issues include uncontrolled physical port access and unpredictable traffic concentration via unauthorized switching or routing hardware. Wireless issues include radio frequency interference causing an unpredictable wireless network environment.
Below are some of the common issues C&C has specifically observed on the University electronic communications network as a result of unauthorized network devices:
· Denied access to standard campus devices as a result of unauthorized wireless access-points and routers being misconfigured with the same RF channel as a campus managed AP.
· A duplicated SSID with a campus managed AP as a result of unsanctioned wireless access-points and routers being misconfigured with the same SSID as a campus managed AP. In particular, this presents a grave security risk to individuals assuming that they are connecting to an official campus AP.
· Poor network performance caused by broadcast storms and network loops as a result of unauthorized wireless access-points and routers being misconfigured.
· An invalid IP address provided to an unsuspecting authorized wireless user as a result of unsanctioned wireless access-points and routers configured to provide an invalid IP address to other wireless users.
· Unauthorized access to other local and campus-wide resources due to unauthorized wireless access-points and routers bypassing the normal wireless authorization and allowing access to local and campus-wide resources.
As a result of the impact that these issues have on the campus electronic communications network at large, C&C will take the following actions when an unsanctioned access-point or router is discovered on the University network:
· C&C will contact the campus network user alerting him/her to the discovery of the non-compliant network electronics.
· C&C will inform the campus network user of the policy relating to the deployment of non-compliant network electronics.
· C&C will collaborate with the campus network user to develop a plan to migrate the network electronics to the supported electronic platform.
Note: Remediation efforts may involve departmental expenditure to support network electronic acquisitions and inside network cable costs.
Per the University of California Electronic Communication Policy, C&C will immediately disconnect and disable any unsanctioned network devices (wired or wireless) when the networking environment is being compromised by an unauthorized networking device that has been installed. Additional information regarding C&C network policies can be found at http://www.cnc.ucr.edu/security/policies.html.
V. Frequently Asked Questions
Direct any general questions about this UCR Campus Policy 400-37, Use of Network Devices, to the Office of the Associate Vice Chancellor, Computing and Communications, at (951) 827-7000 or via email at UCRpolicy@ucr.edu.
To provide comment regarding this policy, send an email to UCRpolicy@ucr.edu.