II-3 Case Network Management Policy
Last Revision Date: May 20, 2011
Approval Date: May 12, 2010
Approval Authority: Case Information Security Officer
The purpose of this policy is to establish standards for management of network access and communications.
This policy applies to all information technology systems that are connected to and use the Case network infrastructure. Cloud-based services are outside the scope of this policy.
All networks and communications technologies owned and managed by Case are considered to be private in nature, and access is granted for the exclusive use of Case faculty, staff, students, and affiliates in accordance with the Case Acceptable Use of Information Technology Policy (AUP). The privilege of use of all Case networks requires adherence by all Case users to a minimal set of standards to assure efficient and effective management of network resources. The doctrine employed by Case IT Services is to assure the fulfillment of the mission of the University through access to and availability of Case networks, which are deemed a critical resource.
General policy of approved protocols and usage thresholds will be determined and implemented by Case IT Services, through the Technical Infrastructure Services group. The implementation of standards shall be the responsibility of all IT systems owners and administrators.
Case network users shall not provision network-based services for non-Case third parties.
All networks on the Case campus are installed and maintained by Case IT Services. To assure the integrity and availability of network services, no other network communications (with the exception of commercial cellular telephony networks) shall be permitted on University facilities. No networking equipment (routers, managed switches, DHCP servers, DNS servers, WINS servers, VPN servers, remote access dial-in servers/RADIUS, wireless access points, hardware firewalls) shall be permitted without a written exception from Case IT Services (Technical Infrastructure Services).
All devices connected to Case networks shall be registered with Case IT Services when initially attached to the network. This applies to printers, computing systems, laboratory equipment, and communications devices that use TCP/IP network protocols. The registrant must be a current faculty, staff, student, or affiliate account user with a valid and active NetworkID. Information on how to register a network device can be found at the Network Registration documentation at the Case Help Desk. Unregistered devices are subject to disconnection from the Case Network, without notice, whether or not they are disrupting network service.
Currently devices connected to the CaseGuest wireless network are unregistered. As wireless registration services become available, all university-purchased or owned hosts shall be registered in a similar manner to wired network registration. Case users accessing the Case IT resources via wireless networking may assure the privacy of the network communications by using the Case VPN software.
No device or program that has the potential to disrupt network service to others is permitted on the Case Network without prior arrangement with IT Services.
The management of network protocols shall be performed by information systems administrators and network administrators to assure the efficiency, availability, and security of the common resources, in accordance with the governing Case Acceptable Use Policy.
Simple Mail Transfer Protocol (SMTP):
- All email protocol traffic shall utilize the centralized mail gateways (smtp.case.edu). Inbound mail traffic with destination addresses for servers other than those operated by IT Services shall utilize an DNS MX record to relay that traffic through the centralized mail gateways. All outbound traffic shall utilize the SMTP gateway.
- The use SSL or TLS based communication standards for email client to email server communication is preferred such that the authentication session is the protected transaction.
Domain Name Services Protocol (DNS):
- All hosts on Case networks shall utilize the Case DNS systems. All hosts connected to Case networks receive a cwru.edu or case.edu domain name extension. No host connected to Case networks shall be addressable by any DNS name other than that provided by Case.
- No host with a case.edu or cwru.edu domain name (and an IP address within the Case network spaces) will use an IP address outside the University's registered name space without a written exemption from Case IT Services (Technical Infrastructure Services).
- cwru.edu and case.edu versions of every hostname must be the same.
Dynamic Host Configuration Protocol (DHCP):
- All hosts on Case networks shall either obtain and use a static IP address (see Network Tools for setup) or use the Case DHCP service to obtain an assigned IP address. Users shall not use a self-assigned IP address, or operate a DHCP server. The use of bootstrap (BOOTP) shall be governed in the same manner as DCHP.
- IT Services keeps a listing of banned protocols which have shown to interfere with the architecture and management of the Case network environment.
MX record- An MX record or Mail exchanger record is a type of resource record in the Domain Name System (DNS) specifying how Internet e-mail should be routed. MX records point to the servers that should receive an e-mail, and their priority relative to each other.
SSL- secure sockets layer, an encryption method for communication between the mail client and mail server.
TLS- transport layer security, an encryption method for communication between a mail client and a mail server, or between mail servers.
TCP/IP- transmission control protocol and internet protocol, which define how communications are currently implemented in the Case network infrastructure.
IP address- internet protocol address, an essential networking element which permits traffic to be routed to a specific host.
Cloud services- software and/or systems that are hosted in off-campus data centers that rely on network communications to permit access for users in the Case network environment. An example is Case Google Applications.
IT Services is responsible for enforcement of network access standards, and maintaining the list of banned protocols.
Departmental IT staff are responsible for the implementation and adherence to network protocol standards.
Policy Review Cycle
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.