Date Approved: May 12, 2010
Effective Date: May 12, 2010
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 1.1; dated May 20, 2011
Related legislation and University policies:
Review Period: 5 Years
Date of Last Review: May 20, 2011
Related to: Faculty, Staff, Students, Alumni, affiliate account holders
Purpose
The purpose of this policy is to establish standards for management of network access and communications.
Scope
This policy applies to all information technology systems that are connected to and use the CWRU network infrastructure. Cloud-based services are outside the scope of this policy.
Cancellation
Not applicable.
Policy Statement
General
All networks and communications technologies owned and managed by CWRU are considered to be private in nature, and access is granted for the exclusive use of CWRU faculty, staff, students, and affiliates in accordance with the CWRU Acceptable Use of Information Technology Policy (AUP). The privilege of use of all CWRU networks requires adherence by all CWRU users to a minimal set of standards to assure efficient and effective management of network resources. The doctrine employed by CWRU IT Services is to assure the fulfillment of the mission of the University through access to and availability of CWRU networks, which are deemed a critical resource.
General policy of approved protocols and usage thresholds will be determined and implemented by CWRU IT Services, through the Technical Infrastructure Services group. The implementation of standards shall be the responsibility of all IT systems owners and administrators.
CWRU network users shall not provision network-based services for non-CWRU third parties.
Access Requirements
All networks on the CWRU campus are installed and maintained by CWRU IT Services. To assure the integrity and availability of network services, no other network communications (with the exception of commercial cellular telephony networks) shall be permitted on University facilities. No networking equipment (routers, managed switches, DHCP servers, DNS servers, WINS servers, VPN servers, remote access dial-in servers/RADIUS, wireless access points, hardware firewalls) shall be permitted without a written exception from Case IT Services (Technical Infrastructure Services).
All devices connected to CWRU networks shall be registered with CWRU IT Services when initially attached to the network. This applies to printers, computing systems, laboratory equipment, and communications devices that use TCP/IP network protocols. The registrant must be a current faculty, staff, student, or affiliate account user with a valid and active NetworkID. Information on how to register a network device can be found at the Network Registration documentation at the CWRU Help Desk. Unregistered devices are subject to disconnection from the CWRU Network, without notice, whether or not they are disrupting network service.
Currently devices connected to the CaseGuest wireless network are unregistered. As wireless registration services become available, all university-purchased or owned hosts shall be registered in a similar manner to wired network registration. CWRU users accessing the CWRU IT resources via wireless networking may assure the privacy of the network communications by using the CWRU VPN software.
No device or program that has the potential to disrupt network service to others is permitted on the CWRU Network without prior arrangement with IT Services.
Protocol Standards
The management of network protocols shall be performed by information systems administrators and network administrators to assure the efficiency, availability, and security of the common resources, in accordance with the governing CWRU Acceptable Use Policy.
Simple Mail Transfer Protocol (SMTP):
- All email protocol traffic shall utilize the centralized mail gateways (smtp.case.edu). Inbound mail traffic with destination addresses for servers other than those operated by IT Services shall utilize an DNS MX record to relay that traffic through the centralized mail gateways. All outbound traffic shall utilize the SMTP gateway.
- The use SSL or TLS based communication standards for email client to email server communication is preferred such that the authentication session is the protected transaction.
Domain Name Services Protocol (DNS):
- All hosts on CWRU networks shall utilize the CWRU DNS systems. All hosts connected to CWRU networks receive a cwru.edu or case.edu domain name extension. No host connected to CWRU networks shall be addressable by any DNS name other than that provided by CWRU.
- No host with a case.edu or cwru.edu domain name (and an IP address within the CWRU network spaces) will use an IP address outside the University's registered name space without a written exemption from CWRU IT Services (Technical Infrastructure Services).
- cwru.edu and case.edu versions of every hostname must be the same.
Dynamic Host Configuration Protocol (DHCP):
- All hosts on CWRU networks shall either obtain and use a static IP address (see Network Tools for setup) or use the CWRU DHCP service to obtain an assigned IP address. Users shall not use a self-assigned IP address, or operate a DHCP server. The use of bootstrap (BOOTP) shall be governed in the same manner as DCHP.
Banned Protocols:
- IT Services keeps a listing of banned protocols which have shown to interfere with the architecture and management of the CWRU network environment.
Definitions
MX record- An MX record or Mail exchanger record is a type of resource record in the Domain Name System (DNS) specifying how Internet e-mail should be routed. MX records point to the servers that should receive an e-mail, and their priority relative to each other.
SSL- secure sockets layer, an encryption method for communication between the mail client and mail server.
TLS- transport layer security, an encryption method for communication between a mail client and a mail server, or between mail servers.
TCP/IP- transmission control protocol and internet protocol, which define how communications are currently implemented in the CWRU network infrastructure.
IP address- internet protocol address, an essential networking element which permits traffic to be routed to a specific host.
Cloud services- software and/or systems that are hosted in off-campus data centers that rely on network communications to permit access for users in the CWRU network environment. An example is CWRU Google Applications.
Responsibility
IT Services is responsible for enforcement of network access standards, and maintaining the list of banned protocols.
Departmental IT staff are responsible for the implementation and adherence to network protocol standards.
Policy Review Cycle
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.