Sudan University of Science & Technology
College of Postgraduate Studies

A Secure Network Design Framework for Universities Environment: Implementation on SUST Network

Design of a Secure Network Framework for the University Environment: Applied to the Sudan University of Science and Technology Network

This thesis is submitted in partial fulfillment of the requirements for the degree of M.Sc. in Information Technology

Prepared by: Almutaz Faisal Ali Mattar
Supervisor: Dr. Yahia Abdalla M. Hamad
June 2009
Computer networks are means of sharing resources and services among their users. It is therefore self-evident that the basic measure of how useful a network is lies in its resources and their availability. Hence network security has become one of the fundamentals of building a network, since without a security layer at design time the availability and continuity of network services cannot be guaranteed.

The aim of this research is to create a secure design framework for university networks, which can be used and relied upon as a standard. The research methodology depends on:
- Identifying the characteristics of the university network.
- Adapting the general secure design standards to the university network.

The derived framework has been tested on the Sudan University of Science and Technology network, and its practical applicability has been proven.
Computer networks are means of sharing resources and services between their users. The basic measure of how useful a network is lies in its resources and their availability. Therefore, network security is a very critical task in network construction; without applied security, the availability of the network cannot be guaranteed.

The objective of this research is to create a secure framework for the university network, which can be trusted and used as a standard and as guidelines for any further network implementation. This is to be done by:
- Specifying the unique characteristics of university networks.
- Customizing security standards to be applicable to university networks.

The generated framework has been applied to the SUST network, proving that it is customizable and applicable to university networks.
Chapter 1: INTRODUCTION
Chapter 2: OVERVIEW OF NETWORK SECURITY & SECURE FRAMEWORK DESIGN STEPS
2-3 Classification of Network Security Services
2-5-3-1 Access control based on an operating system
2-5-3-2 Access control based on the network
2-6 Network Secure Framework Design Steps
2-6-1 Identify network resources
2-6-2 Create Usage Policy Statements
2-6-3 Establish a Security Team Structure
Chapter 3: UNIVERSITY NETWORK CHARACTERISTICS AND RISK ASSESSMENT
3-1 University Network Characteristics
3-2 Common service risk analysis
Chapter 4: FRAMEWORK DESIGN
4-2-2-2 Implementation of a Firewall/IDS/IPS
4-2-2-3 Implementation of Authentication System
4-2-2-4 Controlling Location of Information and Data
4-2-2-5 Monitoring and Filtering Internet Access
4-2-2-6 Control of Wireless Implementation
4-2-2-8 Securing Hardware, Peripherals and Other Equipment
4-2-2-9 Monitoring and Antivirus
Chapter 5: SUDAN UNIVERSITY OF SCIENCE & TECHNOLOGY NETWORK CASE STUDY
5-3 Structure Review & Access Policy
5-4 Network Segregation Implementation
5-5 Firewalls and Proxies Implementation
5-6 Authentication Implementation
5-7 Backup and Logging Implementation
5-8 Wireless Connection Implementation
Chapter 6: CONCLUSION AND RECOMMENDATIONS

Sample number 1: Auburn University Network Policy Coverage
Sample number 2: Network Monitoring Policy, Trinity College
Sample number 3: UNIVERSITY OF CANBERRA NETWORK ACCESS POLICY

Table 2.1: Common security threats on the Internet [5]
Table 2.2: Network security services [5]
Table 2.3: Encryption methods [5]
Figure 5.1/1: Old SUST network
Figure 5.1/2: New SUST network
Table 5.1: SUST University Service and Risk Assessment
Table 5.2: University Number of Users and their Distribution
Figure 5.2: Current Campuses Interconnect
Figure 5.3: Main Campus Subnets
Figure 5.4: External Connections
Table 5.3: University Proxy Service Distribution
Table 5.4: Proxies Naming & Distribution
Table 5.5: University Authentication Service Distribution
Computer networks are means of sharing resources and services between their users. The basic measure of how useful a network is lies in its resources and their availability.

But the availability of a network cannot be guaranteed without protective steps against the many threats that can compromise that network and its functionality. So, to guarantee network availability, a formal step called a security policy, associated with that network and describing how it is accessed, its purpose and its usage, should be implemented.

University networks are not excluded from this scenario; with their complexity they simulate the real-world Internet, with its growing and varying number of applications and systems and the data associated with those applications. Add to this the nature of many of those networks, distributed across cities and using whatever means of communication are available (Internet, leased lines, wireless, etc.), plus the services provided by those universities to their staff, students or the community, and they become very important and much needed.

Together this raises the question of how trusted and secure the data available on, or travelling through, those networks is, what security measures are provided on them, and against which security standards those networks were designed so that they can be trusted by third parties. Since there is no clear standard design methodology for this type of network, a design framework is needed.
The research objective is to design a secure university network framework that can be trusted and used as a standard measurement for any further implementation of such networks. It is intended for network designers, security team members, decision makers and IT professionals, to let them easily point out their network threats, categorize them and plan their network security measures.

The research scope is to create a secure university network design framework, which can be used as a reference for any further university network implementation, by:
- Identifying university network characteristics.
- Conducting a service risk analysis.
- Modifying the standard ISMS outlines to be applicable to a university network, to create the framework.
- Then applying the generated framework to the SUST WAN to prove that the framework is applicable.

The research methodology is to review technical and academic papers on security best-practice techniques, in addition to the ISO Information Security Management System (ISMS) documentation; to understand the standard guidelines for network threat analysis, security measures and prevention systems; and to analyze the university network and specify its characteristics, so as to create a design framework that is workable and can be applied.

The research consists of six chapters. The first, which is this one, is an introduction to the research and contains its goal, scope, methodology, etc. Chapter two offers a general background on networking and security, in addition to a brief summary of white papers and ISMS documents on best practice, and a security review. Chapter three defines university network characteristics and conducts a risk analysis of network resources. Chapter four contains the framework design for a university network; in that chapter we use all the results from the previous chapter and accordingly create the design policy. In chapter five we implement the design outlined in chapter four on the SUST network as a case study. The last chapter contains the conclusions and recommendations. At the end we have the list of references, and an appendix containing some international universities' network and access policies.
Security is a very complicated subject and covers a very wide space of today's e-world, in which most daily tasks have taken an electronic shape, and most classified information is now digitally stored.

Network security starts at the device that accesses the data and ends at the storage where the data being accessed resides. Historically, computer and network security were tackled by well-trained and experienced users, but in today's world, with the increasing number of day-to-day threats, more people need to understand the basics of security in a networked world.

This chapter will serve as background to the following chapters. In it we cover the network security subject. How to protect confidential data, resources and reputation in an open network environment has become a focus of attention.
Table 2-1 shows common security threats on the Internet, with a description and an example of each:

Type | Description | Example
Unauthorized use | Resources are used by an unauthorized user. | An intruder guesses a user name and password and uses resources illegally.
Denial of Service (DoS) | Forces the server to deny legitimate access requests from legitimate users. | An intruder sends a large amount of data to the server within a short time, so that the server cannot process legitimate tasks due to overload.
Information theft | Information is accessed or seen by an unauthorized user. | An intruder intercepts significant data or information on the network.
Data juggling | Server data is manipulated by an outsider. | An intruder intentionally destroys the consistency of data.
Network security services are a set of security measures taken against the above security threats. They are shown in Table 2-2.

Type | Description
Availability | Ensures information or services can be accessed when required.
Confidentiality | Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
Integrity | Ensures that data cannot be modified or destroyed in an unauthorized manner.
Verification | Ensures the legitimacy of an entity's identity.
Authorization | Specifies the access rights a user has over controlled resources.
These are the elements used to defend the network from external or internal threats.

Firewalls provide a certain level of protection and are, in general, a way of implementing security policy at the network level [4]. A firewall is any one of several mechanisms used to control and watch access to and from a network for the purpose of protecting it. The firewall acts as a gateway through which all traffic to and from the protected network and/or systems passes. Firewalls help to place limitations on the amount and type of communication that takes place between the protected network and other networks. The unique feature of a firewall is that there need to be ways for some traffic with particular characteristics to pass through carefully monitored doors. The difficult part is establishing the criteria by which packets are allowed or denied access through those doors. There is no fixed terminology for the description of firewalls.
A proxy server is a way to concentrate application services through a single machine that acts as a proxy for a variety of protocols (Telnet, SMTP, FTP, HTTP, etc.) [4]. Several security benefits can be derived from using proxy servers. It is possible to add access control lists to protocols, requiring users or systems to provide some level of authentication before access is granted. Smarter proxy servers, sometimes called Application Layer Gateways (ALGs), can understand specific protocols and can be configured to block only subsections of the protocol.
An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers [3]. An IDS is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. An IDS is composed of several components [3]:
- Sensors, which generate security events;
- A console to monitor events and alerts and to control the sensors;
- A central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.

There are many types of IDS [3]:
1. A network intrusion detection system.
2. A protocol-based intrusion detection system.
3. An application protocol-based intrusion detection system.
4. A host-based intrusion detection system.
5. A hybrid intrusion detection system, which combines two or more approaches.

A reactive IDS, known as an intrusion prevention system (IPS), responds to suspicious activity not only by sending an alert but also by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator [3].
Encryption is the process of translating a readable message into unreadable encrypted text [5]. It can:
· Provide users with communication security;
· Become the basis of many security mechanisms.

For example, a password mechanism includes:
· Authentication password design
· Secure communication protocol design
· Digital signature design

Encryption methods are of three types. They are shown in Table 2-3.

Type | Remark | Description
Symmetric password mechanism | Includes: Data Encryption Standard (DES), Triple DES (3DES) | Its encryption and decryption keys are identical. One pair of users shares one password to exchange messages.
Public key password mechanism | Includes: Diffie-Hellman (DH), Rivest-Shamir-Adleman (RSA) | It has two different keys that separate encryption from decryption. One is private and is stored secretly; the other is public and can be distributed.
Hash | Includes: Message Digest 5 (MD5), Secure Hash Algorithm (SHA) | It compresses a variable-length message into a fixed-length code, which becomes the hash or message digest.
Authentication is used to verify the legitimacy of the user's identity before the user accesses the network or obtains services. It can be either provided locally by each device on the network, or carried out through a dedicated authentication server. The latter has better flexibility, controllability and expandability. Nowadays, in a hybrid network, Remote Authentication Dial-In User Service (RADIUS), as an open standard, is widely used for the authentication service.

Access control is an enhanced authorization method. Generally, it is divided into two types:

Access control based on an operating system, in which the system authorizes a user to access resources on a certain computer. Access control policies can be set based on user ID, groups or rules.

Access control based on the network, where the authorization of a legitimate user to access the network depends on the user's location (subnet / IP address). This mechanism is much more complex than access control based on an operating system. Usually, the access control component (such as a firewall) is configured at some intermediate point between a requester and the destination, and achieves access control by checking the source network characteristics against its preconfigured ACL.
To protect a network, with a policy or any other means, first we have to identify what needs to be protected, and from what. In this part of the research I list the valuable university network resources (hardware or software, network services and data) and identify what puts them at risk.

Usage policy statements that outline users' roles and responsibilities with regard to security are recommended. We can start with a general policy that covers all network systems and data within the organization. This policy should provide the general user community with:
- An understanding of the security policy.
- The security policy's purpose.
- Guidelines on how to improve users' security practices.
- Finally, definitions of users' security responsibilities.

If the organization has identified specific actions that could result in punitive or disciplinary action against an employee, these actions and how to avoid them should be clearly articulated in this document.

The next step is to create a partner acceptable use statement to provide partners with an understanding of the information that is available to them, the expected disposition of that information, as well as the conduct expected of the organization's employees. The policy should clearly explain any specific acts that have been identified as security attacks and the punitive actions that will be taken should a security attack be detected.

Then create an administrator acceptable use statement that:
- Explains the procedures for user account administration.
- Explains policy enforcement and privilege review.

If the organization has specific policies concerning user passwords or subsequent handling of data, clearly present those policies as well.

Finally, check the policy against the partner acceptable use and the user acceptable use policy statements to ensure uniformity, and make sure that the administrator requirements listed in the acceptable use policy are reflected in training plans and performance evaluations.

Create a cross-functional security team led by a Security Manager with participants from each of the organization's operational areas. The representatives on the team should be aware of the security policy and of the technical aspects of security design and implementation. Often, this requires additional training for the team members. The security team has three areas of responsibility:
- Policy development.
- Security practice.
- Security response.
A university network is characterized by:
- A variety of running applications,
- Many network services,
- Different types of users and groups,
- And a complicated relational structure between the different colleges, departments and administration units.

University applications can vary from:
- Financial systems,
- Human resource databases and management systems,
- To academic applications.

Regarding services, universities normally provide the following services on their networks:
- Naming service
- Electronic mail service
- Authentication service
- Internet sharing service
- Web publishing service, internal and external
- File service
- E-learning
- On-demand services, such as researchers' specific needs for special configurations, hardware or even access rights.
Risk analysis is the process of identifying the network resources and the threats associated with those services, and ranking them according to their importance to network operation and business continuity [12].

Risk analysis identifies the risks to the network, network resources, and data. This doesn't mean identifying every possible entry point to the network, nor every possible means of attack. The intent of a risk analysis is to identify portions of the network, assign a threat level to each portion, and apply an appropriate level of security [12]. So in this process we will assign each network resource one of the following three risk levels:

Low Risk: Systems or data that, if compromised, would not disrupt the business or cause legal or financial ramifications. The targeted system or data can be easily restored and does not permit further access to other systems.

Medium Risk: Systems or data that, if compromised, would cause a moderate disruption in the business, minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system.

High Risk: Systems or data that, if compromised, would cause an extreme disruption in the business, cause major legal or financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore, or the restoration process is disruptive to the business or other systems.

Once risk levels are assigned, it is necessary to identify the types of users of that system. The five most common types of users are:
1. Administrators: Internal users responsible for network resources.
2. Privileged: Internal users with a need for greater access.
3. Users: Internal users with general access.
4. Partners: External users with a need to access some resources.
5. Others: External users or customers.
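To make the three risk definitions and the "Level – Affects – Probability" ranking used in the next chapter concrete, here is an added Python example (written for this edit, not part of the thesis) that assigns a level from a resource's impact attributes, applying the most severe definition first, and orders resources for treatment. The attribute names, scales and the four sample resources are constructed to mirror rows of Table 3.1.

```python
"""Risk-level assignment and ranking of network resources (constructed example)."""
from dataclasses import dataclass

# Qualitative scales drawn from the wording of the three risk definitions.
DISRUPTION = {"none": 0, "moderate": 1, "extreme": 2}
RAMIFICATIONS = {"none": 0, "minor": 1, "major": 2}   # legal or financial
RESTORE = {"easy": 0, "moderate": 1, "significant": 2}
PROBABILITY = {"very low": 0, "low": 1, "medium": 2, "high": 3}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Resource:
    name: str
    affects: str            # "network" or "business", as in Table 3.1
    disruption: str         # business disruption if compromised
    ramifications: str      # legal/financial ramifications if compromised
    restore_effort: str     # effort needed to restore the system or data
    further_access: bool    # does a compromise open access to other systems?
    probability: str        # likelihood of compromise
    safety_risk: bool = False  # threatens the health and safety of a person


def risk_level(r: Resource) -> str:
    """Apply the High, then Medium, then Low definition; first match wins."""
    if (DISRUPTION[r.disruption] == 2 or RAMIFICATIONS[r.ramifications] == 2
            or RESTORE[r.restore_effort] == 2 or r.safety_risk):
        return "High"
    if (DISRUPTION[r.disruption] == 1 or RAMIFICATIONS[r.ramifications] == 1
            or RESTORE[r.restore_effort] == 1 or r.further_access):
        return "Medium"
    return "Low"


def table_cell(r: Resource) -> str:
    """Render the 'Level - Affects - Probability' cell of Table 3.1."""
    return f"{risk_level(r)} - {r.affects} - {r.probability}"


def rank(resources: list) -> list:
    """Treat the highest level first; within a level, the most probable first."""
    return sorted(resources,
                  key=lambda r: (-LEVEL_ORDER[risk_level(r)],
                                 -PROBABILITY[r.probability], r.name))


# Constructed sample resources modelled on rows of Table 3.1 (not SUST data).
SAMPLE = [
    Resource("Web Server", "business", "none", "none", "easy", False, "high"),
    Resource("Proxy", "network", "moderate", "none", "moderate", False, "high"),
    Resource("Internal DNS", "network", "extreme", "none", "moderate", True, "low"),
    Resource("Core Switches", "network", "extreme", "none", "significant", False, "very low"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{r.name:15} {table_cell(r)}")
```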
Name-to-address resolution is critical to the secure operation of any network. An attacker who can control or impersonate a DNS server can re-route traffic to subvert security protections. For example, routine traffic can be diverted to a compromised system to be monitored, or users can be tricked into providing authentication secrets. The process of altering DNS replies is called DNS poisoning. The risks associated with DNS are:
· Cache poisoning
· Client flooding
· DNS dynamic update vulnerabilities
· Information leakage
· Compromise of the DNS server's authoritative data
Electronic mail systems are a source of intruder break-ins because email protocols are among the oldest and most widely deployed services. Also, by its very nature, an email server requires access to the outside world and full access to system files; most email servers accept input from any source. Since email is delivered to all users, and is usually private, the mail-processing agent typically requires system (root) privileges to deliver the mail. That means that whoever takes control of the mail server gains access to the whole system's files.

These are some risks associated with using e-mail:

Flooding (a type of denial of service attack) occurs when a system becomes overloaded with multiple e-mail messages.

Spamming (junk e-mail) is another type of attack common to e-mail. With increasing numbers of businesses providing e-commerce over the Internet, we have seen an explosion of unwanted or unrequested business-related e-mail. This is the junk mail that is sent to a wide distribution list of e-mail users, filling each user's mailbox.

Confidentiality is a risk associated with sending e-mail to another person through the Internet.
Password and cipher key servers generally protect their information. However, even a one-way encrypted password can be determined by a dictionary attack. It is therefore necessary to ensure that these servers are not accessible by hosts which do not need to use them for the service, and that even those hosts are able to access only the authentication service. The risks associated with the AAA service are:
- Brute force attack
- Dictionary attack
A proxy server adds more security enhancements. It allows sites to concentrate services through a specific host, so as to allow monitoring, hiding of the internal structure, etc. The type of protection required for a proxy server depends greatly on the proxy protocol in use and the services being proxied. The general rule is to limit access to only those hosts that need the services, and to limit access by those hosts to only those services. The risk associated with proxies is:
- Denial of Service attacks
The Web concentrates information services. Most WWW servers accept some type of direction and action from the persons accessing their services. The most common example is taking a request from a remote user and passing the provided information to a program running on the server to process the request; some of these programs are not written with security in mind and can create security holes. If a Web server is available to the Internet community, it is especially important that confidential information is not co-located on the same host as that server. In fact, it is recommended that the server have a dedicated host that is not "trusted" by other internal hosts. The risk associated with the web service is:
- Denial of Service attacks
Both FTP and TFTP allow users to receive and send electronic files in a point-to-point manner. However, FTP requires authentication while TFTP requires none. For this reason, TFTP should be avoided as much as possible. Improperly configured FTP servers can allow intruders to copy, replace and delete files at will, anywhere on a host, so it is very important to configure this service correctly. Access to encrypted passwords and proprietary data, and the introduction of Trojan horses, are just a few of the potential security holes that can occur when the service is configured incorrectly. FTP servers should reside on their own host. The risks associated with FTP are:
- Denial of Service attacks
- Compromise of FTP data
The Network File System allows hosts to share common disks. NFS was historically used by diskless hosts that depend on a server disk for all of their storage needs. Unfortunately, NFS has no built-in security. It is therefore necessary that the NFS server be accessible only by those internal hosts that are using it for service. Nowadays file servers use built-in or network authentication for their shared resources, to control different levels of access. The risk associated with NFS is:
- Data manipulation.
University applications are the services used to manage and administer daily university activity, such as human resource, student or finance systems. Those systems are used by management and administration staff, and are ranked from critical to tolerated systems. Access to such systems should be well controlled through authentication and firewalls. The risks associated with university applications are:
- Denial of Service attacks
- Data theft
- Information leakage
Table 3.1: University risk analysis

Resource | Description | Level – Affects – Probability | Justification | Type of users
Internal DNS | Serves internal domain requests | High – network – Low | Affects all system connections and mapping | Administrators for configuration, others to use
Active Directory | Authentication service | High – business & network – Low | Affects the total security | Administrators for configuration, others to use
Proxy | Internet access | Medium – network – High | Affects all Internet connections | Administrators for configuration, others to use as a transport
External DNS | Serves Internet requests | High – business – Low | Affects all external service availability | Administrators for configuration, others to use
Web Server | – | Low – business – High | Affects only home page availability | Administrators for configuration, others to use
Mail Server | – | Medium/High – business – High | Affects confidentiality | Administrators for configuration, others to use and as mail transport
NFS | Internal file sharing service | Medium – business – Low | Internal file security and availability | Administrators for configuration, others to use
University application servers | Finance systems, human resource systems, student systems, etc. | High/Medium – business – Medium | Depends on the type of service and its importance to work; affects business continuity | Administrators for configuration, others to use
Core Switches | – | High – network – Very low | Backbone switches affect the whole network | Administrators for device configuration (support staff only); all others for use as a transport
Routers | – | High – network – Very low | Distribution network affects the whole network | Administrators for device configuration (support staff only); all others for use as a transport
Firewalls | – | High – network – Very low | Direct effect on external/internal network security | Administrators for device configuration (support staff only); all others for use as a transport
Distribution Switches | – | Medium – network – Very low | Closet switches affect a portion of the network | Administrators for device configuration (support staff only); all others for use as a transport
As mentioned earlier, the goal is to protect the information/data going through, stored in or provided by the network. So to implement a secure design we have to depend on a well-defined security policy approved by top management, especially for the network access control list (ACL) implementation part.

In the ACL design we will create university network policies, each of which will be a specification of one of the following general security policies:
1. Network policy: policies that identify issues and control the use and operation of the physical university network.
2. Acceptable use policy: identifies who is eligible to use university electronic communications services and facilities, when, and for what purposes.
3. Privacy and confidentiality policy: balances electronic communications privacy protections, comparable to those traditionally afforded to paper mail and telephone communications.
4. Security policy: defines the environment and conditions required to constrain allowable use.
5. Archiving and retention policy: provides the framework for ensuring continued access to stored electronic data, consistent with other areas of the policy.

For this framework we will assume the following rules are approved:
1- The network's primary goal is to support university academic activities.
2- Core services are provided to all university network users.
3- Use of the network system is granted only to university staff and students, according to their college or department, unless otherwise clearly approved.
4- Management users have read access to all university resources, unless clearly revoked.
5- Finance resources are accessed only by finance and management staff members.
6- Access to university resources is not allowed from the Internet, except for web services and external mail.
7- University data should be protected against theft, manipulation and corruption.
8- Shared network data should be accessed only by authorized network users.
9- Top management is provided with external dial-up access to some of the network resources.
10- Student access is limited to academic resources and services specifically provided by their department.
11- All Internet traffic, in and out, should be monitored and filtered.
12- Core services must be secured against network threats.
13- Installation, removal, configuration or modification of IT equipment is done by university technical staff only.
14- A continuous backup plan should be maintained for critical systems.

Appendices 1, 2 and 3 contain the policies of different academic entities.
Based on the university network characteristics and the resource risk analysis results, in addition to the proposed policies, the following framework guidelines are extracted.

A scalable network design should be followed. In addition to the basic core, distribution and access design, segregation ("subnetting") should be implemented at the distribution and access network levels, so as to ease and add more control to data access/restriction based on the network/subnet, in addition to improving the network throughput. Segregation can be done according to job, to user, or even a mix of the two scenarios, job and user. A segregated network improves the overall network performance by creating many small broadcast domains instead of one big one. This will help enforce policy numbers 4, 5, 9 and 11.

A firewall needs to be implemented at the network entrance point (gateway) to control the in/out traffic using predefined rules that are compatible with the network goals, and also to monitor this traffic. In the case of segregated networks, firewalls can be implemented internally as well, to control intranet traffic between the different subnets. IP filter firewalls can control traffic according to source, destination and/or the service requested. Some high-level firewalls can enforce time-restricted access policies.

IPS systems can be used as an alert system for network security breaches. An IPS must also be implemented at the network entrance and at important internal networks and resources. This will help enforce policy numbers 5, 6, 7, 10, 11 and 12.
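As an added illustration of the subnet-based access control described in section 2-5-3-2 and of the gateway/internal firewall split above (example code written for this edit, not part of the thesis or of the SUST implementation), the following Python evaluates an ordered IP-filter ACL with first-match semantics and an implicit deny at the end of every list. The subnets, server addresses and service names are constructed placeholders, and the rules encode the assumed policies 2, 5 and 6.

```python
"""Ordered ACL evaluation for subnet-based access control (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: IPv4Network   # subnet the requester must belong to
    dst: IPv4Network   # destination subnet or single host (/32)
    service: str       # "any" or a service name such as "http" or "finance-app"


def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    """A rule matches when source, destination and service all match."""
    return (ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and rule.service in ("any", service))


def evaluate(acl: list, src: str, dst: str, service: str) -> str:
    """First matching rule wins; an implicit deny closes every list."""
    for rule in acl:
        if matches(rule, src, dst, service):
            return rule.action
    return "deny"


# Constructed addressing plan (placeholders, not SUST's real addresses).
ANY = ip_network("0.0.0.0/0")
CAMPUS = ip_network("10.0.0.0/8")          # all internal subnets
DMZ = ip_network("192.0.2.0/24")           # public web server and mail relay
FINANCE_NET = ip_network("10.10.0.0/24")   # finance staff subnet
MGMT_NET = ip_network("10.20.0.0/24")      # top management subnet
CORE_SRV = ip_network("10.100.0.0/24")     # DNS, directory and file servers
FINANCE_SRV = ip_network("10.100.0.10/32")

# ACL applied at the gateway (policy 6): only web and external mail enter,
# and only towards the DMZ; everything else from the Internet is denied.
GATEWAY_ACL = [
    Rule("permit", ANY, DMZ, "http"),
    Rule("permit", ANY, DMZ, "https"),
    Rule("permit", ANY, DMZ, "smtp"),
]

# ACL applied by the internal firewall between subnets.
INTERNAL_ACL = [
    # Policy 5: finance resources only from finance and management subnets.
    Rule("permit", FINANCE_NET, FINANCE_SRV, "finance-app"),
    Rule("permit", MGMT_NET, FINANCE_SRV, "finance-app"),
    Rule("deny", ANY, FINANCE_SRV, "any"),
    # Policy 2: core services for every campus subnet.
    Rule("permit", CAMPUS, CORE_SRV, "dns"),
    Rule("permit", CAMPUS, CORE_SRV, "ldap"),
    Rule("permit", CAMPUS, CORE_SRV, "smb"),
    # Campus users may reach the public web server; all else is dropped.
    Rule("permit", CAMPUS, DMZ, "http"),
]


def audit(acl: list, requests: list) -> list:
    """Evaluate a batch of (src, dst, service) tuples for policy review."""
    return [(src, dst, service, evaluate(acl, src, dst, service))
            for src, dst, service in requests]


if __name__ == "__main__":
    for row in audit(INTERNAL_ACL, [
        ("10.10.0.5", "10.100.0.10", "finance-app"),   # finance staff
        ("10.30.1.9", "10.100.0.10", "finance-app"),   # student lab
        ("10.30.1.9", "10.100.0.3", "dns"),            # core service
    ]):
        print(*row)
```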
An AAA (Authentication, Authorization, and Accounting) system that
manages user’s access to resources should be implemented at the core network,
and may break down to subnet levels. This system will control who can access
what, when and for how long or much. And keep log of that. The goal is to
identify the user by authentication, insure user has access to the requested
resource, and enforce the level of access.
This will help enforcing policy number (3, 4, 5,7,8,9 and 10)
Access to information and/or systems that hold this information must be
restricted to specific user/s according to his/their role, and the risk level
of these information/systems. A physical protection should be implemented using
doors and locks even access cards or codes to restrict direct access to core
network elements and high-risk level servers. Because of that no system
password can stop a direct physical access or damage this may seem to be very
important this will help enforcing policy number (7, 8, 12 and 13)
Internet access should be monitored and filtered, as part of the university's general access policy, through a firewall or proxy, in addition to a clear rule that specifies the purpose of Internet use for staff, students, and third parties if any. Inappropriate Internet usage may cost the university more than expected: not only the visible threats such as spyware, phishing, malware and peer-to-peer applications, but also the risk of lawsuits for using the university network to conduct illegal activities. Protection is therefore bidirectional, since the target is the university itself, besides the waste of working hours in unproductive and sometimes harmful activity. This will help enforce policy number (11)
Implementation of an ad hoc wireless service should be limited to Internet and other public services, and only as long as it is monitored. Ad hoc wireless users should not be granted any type of access to the university applications. Wireless access to university resources should go through a secure implementation that is reviewed and approved, and be as limited as needed. Encryption of wireless transmission should be enforced all over the network. This will help enforce policy number (11 and 13)
A backup mechanism should be implemented as a precaution against total or partial loss of university data and information. All important university data, in addition to network element configurations and the authentication system settings, should be backed up and kept in a safe location until needed. Backup should be a continuous 24x7 job and be closely monitored. This will help enforce policy number (14)
Physical security measures should be applied to network hardware and peripherals. Here we highlight precautions against environmental threats. For example, network cabling should be secured against direct access, backup storage media should be well protected against theft and disasters, and external wireless antennas should be protected against lightning. This will help enforce policy number (13)
A logging server that keeps the log of all important network events from high- and medium-risk network elements should be implemented and closely monitored for any suspicious activity.
The monitoring system should be connected to, or include, an alert mechanism to notify the security staff in case of a security breach, in addition to good antivirus software to prevent data corruption. This will help enforce policy number (7)
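As an added example (not part of the thesis and not SUST's own deployment), the following Python script shows what the logging server and alert mechanism described above can do with the events they collect: it parses constructed syslog-style lines from a domain controller and a firewall, correlates repeated logon failures per account and bursts of ACL denies per source address, and emits alerts for the security staff. The log line format, the thresholds and the sample events are assumptions made for this example; only the host names SUSTDC01 and Firewall01 come from the thesis.

```python
"""Minimal log-monitoring and alerting sketch for a central logging server.

Added example; not part of the thesis. All log lines below are constructed
for the demonstration, and the "timestamp host facility: message" format
is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: repeated logon failures for one account, and a
# burst of firewall denies from the same student-subnet host.
SAMPLE_LOG = """\
2009-06-01T08:00:01 SUSTDC01 auth: logon FAILED user=jdoe src=10.20.3.15
2009-06-01T08:00:05 SUSTDC01 auth: logon FAILED user=jdoe src=10.20.3.15
2009-06-01T08:00:09 SUSTDC01 auth: logon FAILED user=jdoe src=10.20.3.15
2009-06-01T08:00:12 SUSTDC01 auth: logon FAILED user=jdoe src=10.20.3.15
2009-06-01T08:00:20 SUSTDC01 auth: logon FAILED user=jdoe src=10.20.3.15
2009-06-01T08:01:00 SUSTDC01 auth: logon OK user=asmith src=10.10.1.7
2009-06-01T08:02:00 Firewall01 acl: DENY tcp 10.20.3.15 -> 10.10.1.20:445
2009-06-01T08:02:01 Firewall01 acl: DENY tcp 10.20.3.15 -> 10.10.1.21:445
2009-06-01T08:02:02 Firewall01 acl: DENY tcp 10.20.3.15 -> 10.10.1.22:445
2009-06-01T08:30:00 Firewall01 acl: DENY tcp 10.20.5.9 -> 10.10.1.20:80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"logon FAILED user=(?P<user>\S+) src=(?P<src>\S+)")
DENY_RE = re.compile(r"DENY \w+ (?P<src>\S+) -> (?P<dst>\S+)")

# Thresholds are assumptions; a real deployment tunes them per subnet.
FAIL_THRESHOLD = 5                   # logon failures per account ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window
DENY_THRESHOLD = 3                   # denied flows from one source ...
DENY_WINDOW = timedelta(minutes=1)   # ... inside this window


def parse_line(line):
    """Split one log line into its fields; return None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def _burst(timestamps, threshold, window):
    """True when at least `threshold` timestamps fall inside one `window`."""
    timestamps.sort()
    for i in range(len(timestamps) - threshold + 1):
        if timestamps[i + threshold - 1] - timestamps[i] <= window:
            return True
    return False


def analyse(log_text):
    """Return the list of alert strings derived from the log text."""
    fails = defaultdict(list)   # (user, src) -> timestamps of failures
    denies = defaultdict(list)  # src -> timestamps of denied flows
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["facility"] == "auth":
            m = AUTH_FAIL_RE.search(ev["msg"])
            if m:
                fails[(m["user"], m["src"])].append(ev["ts"])
        elif ev["facility"] == "acl":
            m = DENY_RE.search(ev["msg"])
            if m:
                denies[m["src"]].append(ev["ts"])

    alerts = []
    for (user, src), ts in fails.items():
        if _burst(ts, FAIL_THRESHOLD, FAIL_WINDOW):
            alerts.append(f"AUTH: {len(ts)} failed logons for {user} from {src}")
    for src, ts in denies.items():
        if _burst(ts, DENY_THRESHOLD, DENY_WINDOW):
            alerts.append(f"ACL: {len(ts)} denied flows from {src}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises two alerts: one for the five failed logons of one account inside five minutes, and one for the three denied flows from the same source inside one minute; the single deny from 10.20.5.9 stays below threshold and is only kept in the log. Joining the two alerts on the shared source address is the kind of correlation the central logging server makes possible, which per-device logs cannot.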
Documentation of the network element specifications and configuration, in addition to the network layout, should be available for reference in troubleshooting and other day-to-day activity.
This chapter describes the implementation of the design framework on the Sudan University of Science and Technology (SUST) WAN, as an example of what can be done using the generated framework.
SUST consists of ten locations/campuses across Khartoum west, Khartoum north, east Khartoum and south Khartoum, with distances between locations that vary from 500 m to 18 km, and location capacities that vary from hundreds to thousands of users.
Some campuses consist of one college, others are compounds of many. All SUST management and administration departments are located in one campus, called the Main campus, in Khartoum west. We will assume that the policies introduced earlier are approved and will be used in the design.
The SUST network was a collection of campus networks with no connectivity between any of them. Four campuses had Internet connectivity; the other campuses had only their internal LAN services to share, see Fig. (5.1-1).
According to the design rules, the SUST network is redesigned using a subnetted hierarchical schema, with two types of connections between its campuses: wireless backbone connections centralized on the Main campus, and a planned redundant leased-line backbone centralized on the Southern campus. Servers and core services are planned to be distributed between the two campuses for redundancy, see Fig. (5.1-2).
Currently all Internet connections are located in the Main campus, from where Internet access is distributed to the whole university network. There is an additional external connection to the Higher Education backbone network, which is proposed to connect all universities in Sudan for resource sharing. Table (5.1) lists the network services and application systems that SUST provides to its users, their assigned risk level (based on importance to the work, to network functionality, or both), and who can access them. Table (5.2) lists university locations, the number of users, the number of lab computers, and the number of departments at each.
Table (5.1): Network services and application systems
System | Description | Risk Level | Type of users
Internal DNS | Serves sust.edu requests | High – network | Administrators for configuration, others to use
Active Directory | Authentication service | High – Business & network | Administrators for configuration, others to use
Proxy | Internet access | Medium – network | Administrators for configuration, others to use as tranCPES
External DNS | Serves web sustech.edu requests | High – Business | Administrators for configuration, others to use
Web Server | SUST web page | Low – Business | Administrators for configuration, others to use
Mail Server | SUST mailing system | Medium – Business | Administrators for configuration, others to use and mail tranCPES
SMS Server | Mobile short messages | Low – Business | Administrators for configuration, others to use
Document Flow Management System | Management system | High – Business & network | Administrators for configuration, management and admin to use
Library web system | Library administration | Medium – Business | Administrators and support staff for configuration, others to use
Result web system | Student result page | High – Business | Administrators and support staff for configuration, others to use
NFS | File sharing service | Medium – Business | Administrators for configuration, others to use
Student Registration system | Registration and ID system | High – work | Administrators and support staff for configuration, management and admin to use
Staff payroll system | Payroll system | High – Business | Administrators and support staff for configuration, management, admin and staff to use
Human Resource system | SUST employee tracking system | High – Business | Administrators and support staff for configuration, management and admin to use
Table (5.2): University locations, users and computers
No | Campus Name | Location | #Employee PCs | #Lab PCs | #Dept. & Colleges | Total # PC | Comments
1 | Main | West KRT | 652 | 609 | 20+ | 1261 | Management compound
2 | Southern | South KRT | 154 | 543 | 3 | 697 | Second biggest campus
3 | Technology | West KRT | 103 | 250 | 3 | 353 |
4 | Agriculture | North KRT | 45 | 89 | 1 | 134 |
5 | Koko | North KRT | 35 | 87 | 1 | 122 |
6 | Forestry | KRT South | 17 | 20 | 1 | 37 |
7 | X-Ray | KRT | 19 | – | 1 | 19 |
8 | Texture | KRT North | 13 | 46 | 1 | 59 |
9 | Music & Drama | KRT South | 14 | 16 | 1 | 30 |
10 | Magbool | KRT North | 21 | 45 | 1 | 66 |
| Totals | | 1073 | 1705 | | 2778 |
The following network access rules are used to create the security configuration for the external routers, firewalls, proxies and internal routers as well. Normally management should approve these policies before they are implemented.
· Access to the Internet is granted for all SUST network users.
· Internet access shouldn't be used for any illegal activity.
· No access from the Internet to the internal network.
· Only the following Internet access services are approved, through proxies:
o DNS
o WEB/FTP
o MAIL
· Student network access to the Internet is fully monitored through the proxy.
· The Management network has full access to the entire university network.
· The Admin network has restricted access to the Management and Finance networks, while it has full access to college networks.
· The Finance network has full access to college networks, while it has restricted access to the Management and Admin networks.
· Student networks have no access to the Management, Admin or Finance networks.
· Only authenticated users should have access to network resources.
The SUST network is segregated into 21 subnets, based on location, department, college, number of users, or a combination of these.
The network is physically segregated using routers that share the same distribution network backbone with the core servers, and logically using VLANs. Small campuses are put into one subnet; bigger ones that host more than one college or department are divided into many. Each subnet that has students as network users is divided logically into two. The ACLs that control access between those subnets are built based on the access policy mentioned earlier.
Fig (5.2) shows the remote campuses' subnet connections, and Fig (5.3) shows the Main campus segregation.
SUST network external access is granted through three firewalls and two proxies, in order to:
- Implement the needed protection of the internal network against global access.
- Control internal-to-external network traffic.
- Enforce the network access rules.
- Monitor and filter Internet requests.
Fig (5.4) shows the SUST Internet connection. Firewall01 and Firewall02, as the first line of defense, are implemented on the Sudanet and Canar Internet connections. A third firewall, Firewall03, is planned on the Higher Education network connection, with its own access rules, for example which services can be accessed from other universities, such as shared libraries or the Internet connection. Firewall01 and Firewall02 control the in/out network traffic, allowing only the types of traffic and access mentioned earlier in the access policy to pass through, and only from the designated proxies.
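The access rules listed above, the subnet ACLs built from them, and the firewall rule that only the designated proxies may reach the Internet are one policy seen from three devices. As an added example (not part of the thesis and not SUST's real router, firewall or proxy configuration), the Python model below encodes that policy once as a zone-to-zone table with default deny, evaluates sample flows against it, and renders the internal part as a vendor-neutral ACL listing so that the router configuration can be derived from, and checked against, the approved rules. The zone names, the service names, the meaning given to "restricted" access (only a short list of application services), the assumption that a subnet may always talk to itself, and the use of the proxy names as flow sources are all assumptions made for this example; the thesis does not enumerate them.

```python
"""Zone-to-zone access policy model for a segregated university network.

Added example; not the thesis's or SUST's actual configuration. Encodes the
stated access rules as a small policy engine plus an ACL renderer.
"""

FULL, RESTRICTED, NONE = "full", "restricted", "none"

ZONES = ["management", "admin", "finance", "college", "student"]

# Explicit grants taken from the access rules in the text (source, destination).
# Anything not listed is denied (default deny), except that a zone may talk to
# itself (assumption: intra-subnet traffic is not filtered).
GRANTS = {
    ("management", "admin"): FULL,
    ("management", "finance"): FULL,
    ("management", "college"): FULL,
    ("management", "student"): FULL,
    ("admin", "college"): FULL,
    ("admin", "management"): RESTRICTED,
    ("admin", "finance"): RESTRICTED,
    ("finance", "college"): FULL,
    ("finance", "management"): RESTRICTED,
    ("finance", "admin"): RESTRICTED,
}

# Assumption: "restricted" access means only these application services.
RESTRICTED_SERVICES = {"mail", "web"}

# Approved Internet services and the designated outbound proxies (names from
# the text; addresses are not modelled).
INTERNET_SERVICES = {"dns", "web", "ftp", "mail"}
PROXIES = {"Proxy01", "Proxy02"}


def internal_access(src_zone, dst_zone):
    """Access level between two internal zones, default deny."""
    if src_zone == dst_zone:
        return FULL
    return GRANTS.get((src_zone, dst_zone), NONE)


def check_flow(src_zone, dst_zone, service, src_host="", authenticated=True):
    """Decide one flow; returns (decision, reason)."""
    if not authenticated:
        return "deny", "only authenticated users may reach network resources"
    if src_zone == "internet":
        return "deny", "no access from the Internet to the internal network"
    if dst_zone == "internet":
        # Firewall01/Firewall02 rule: approved services, from proxies only.
        if src_host not in PROXIES:
            return "deny", "Internet traffic must originate from a designated proxy"
        if service not in INTERNET_SERVICES:
            return "deny", f"{service} is not an approved Internet service"
        return "allow", "approved service via designated proxy"
    if dst_zone == "proxy":
        # Every internal user may reach the proxies, which monitor the traffic.
        if service in INTERNET_SERVICES:
            return "allow", "Internet access for all users via proxy (monitored)"
        return "deny", f"{service} is not an approved Internet service"
    level = internal_access(src_zone, dst_zone)
    if level == FULL:
        return "allow", "full access"
    if level == RESTRICTED and service in RESTRICTED_SERVICES:
        return "allow", "restricted access"
    if level == RESTRICTED:
        return "deny", f"restricted zone pair; {service} is not in the allowed set"
    return "deny", "no access between these networks"


def render_acl():
    """Render the internal policy as vendor-neutral ACL lines, deny last."""
    lines = []
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            level = internal_access(src, dst)
            if level == FULL:
                lines.append(f"permit ip {src} -> {dst}")
            elif level == RESTRICTED:
                for svc in sorted(RESTRICTED_SERVICES):
                    lines.append(f"permit {svc} {src} -> {dst}")
        lines.append(f"deny ip {src} -> any")  # default deny for this source
    return lines


if __name__ == "__main__":
    for flow in [("student", "finance", "web"), ("admin", "college", "nfs"),
                 ("internet", "management", "web"),
                 ("proxy", "internet", "web", "Proxy01"),
                 ("college", "internet", "web", "pc-17")]:
        print(flow, "->", check_flow(*flow))
    print("\n".join(render_acl()))
```

Keeping the policy in one table and generating the per-device rules from it is what makes the "approved by management first" step enforceable: a change to a router ACL that is not reflected in the table is detectable, and the rendered listing can be reviewed against the rules before it is pushed to the devices.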
The SUST network has two proxies: Proxy01, connected to the Internet through Firewall01, and Proxy02, connected to the Internet through Firewall02. They are planned as extra high-level filtering devices and bandwidth controllers, from which all Internet access is distributed to the network.
Another layer of proxies is planned on some of the big or remote campuses, see Table (5.3), for traffic optimization on the network backbone connections, as well as to enforce the special access control for some subnets. Those proxies are connected to either Proxy01 or Proxy02 depending on the number of users. Table (5.4) shows the proxies' traffic distribution.
Table (5.3): Proxies per campus
No. | Campus Name | Number of Users | Number of Proxies
1 | Main | 1261 | 5
2 | Southern | 697 | 2
3 | Technology | 353 | 1
4 | Agriculture | 134 | Use Main
5 | Koko | 122 | Use Main
6 | Forestry | 37 | Use Main
7 | X-Ray | 19 | Use Main
8 | Texture | 59 | Use Main
9 | Music & Drama | 30 | Use Main
10 | Magbool | 66 | Use Main
Table (5.4): Proxy traffic distribution
No. | Proxy Name | Location | Subnet to serve
1 | Sust-Proxy-130 | Main | CCSIT
2 | Sust-Proxy-110 | Main | CBS Finance
3 | Sust-Proxy-100 | Main | SAA Co Laser Datacenter
4 | Sust-Proxy-120 | Main | ART Science
5 | Sust-Proxy-10 | Technology | Technology
6 | Sust-Proxy-90 | Southern | Engineering
7 | Sust-Proxy-95 | Southern | Petrol CPES
8 | Sust-Proxy-60 | Main | Agriculture, Magbool, Texture, Koko, Forestry, X-ray, Music & Drama
As mentioned in the network description section, SUST has many services and applications categorized as medium to high security risk level, provided to its users and needing protection against unauthorized access and/or inappropriate use. For this purpose an authentication service is applied across the network using Microsoft® Windows Active Directory.
The main controllers are centralized in the Main campus, but many sub-domains are distributed across the other university locations.
A domain controller, SUSTDC01, and a backup one, SUSTDC02, are implemented for a domain named sust.edu. Other sub-domains are planned for the biggest colleges and departments for ease of management and flexibility. Server distribution is done according to department or based on location. Table (5.5) shows the planned number of domain controllers per campus.
The network is divided into sub-domains as follows:
Table (5.5): Sub-domains per campus
No. | Campus Name | Sub Domain Names
1 | Main | CCSIT, CBS, ADMIN, MAIN, LIB
2 | Southern | Engineering, Petroleum, CPES
3 | Technology | Technology
4 | Agriculture | Agriculture
5 | Koko | Koko
6 | Forestry | Forestry
7 | X-Ray | X-Ray
8 | Texture | Texture
9 | Music & Drama | Music & Drama
10 | Magbool | Magbool
A backup server is planned to be implemented for the entire university core services. As a start, a backup of Active Directory and the file server, in addition to network element configurations, is running on a schedule for the network.
A logging server will be implemented as well, to centralize network element follow-up and as a security measure.
Wireless network connectivity is planned to be provided to SUST mobile users (staff, students or visitors) across campuses. The service is proposed to maintain flexible access to other services such as the Internet or file sharing, but also to maintain different levels of access to other resources.
To secure this service, an encryption security system is planned using WEP encryption to secure the connection, in addition to RADIUS authentication against Active Directory to identify the user and assign access rights accordingly for anything other than core service access. Core services are planned to be accessed using a guest account with read-only access.
The SUST network is redesigned based on the proposed framework. For external security, three firewalls and two proxies are implemented; for internal security, routers and switches with ACLs. The domain sustech.edu and its two domain controllers, as well as the CCSIT sub-domain, are implemented; the other planned sub-domains will follow. Three of the eight proxies are implemented.
- Implementation of the proposed framework adds more security and management to the SUST network, as well as more control over its resources.
- The network is now protected and monitored against external and internal threats.
- Segregation of the network gives more control over the network and basically helps in traffic control and shaping.
- The hierarchical design makes it easier to expand the network to accommodate any additional subnets.
- Network resources are more controllable and well protected, through firewalls and ACLs.
- Internet access is monitored and guided. Direct access is reduced by more than 20% after the proxies' implementation (see the proxy Internet access figure below).
The framework is proved to be applicable and adjustable according to need.
- Implementation of the proposed framework will add more security and management to a university network, as well as more control over its resources, through segregation, authentication and monitoring.
- The network will be protected against external and internal threats through the implemented firewalls.
- The hierarchical design will make it easier to expand the network to accommodate any additional locations or departments.
- Network resources and data will be more protected.
- Internet access will be controlled, monitored and guided.
- External bandwidth will be preserved by the use of cache servers.
The main recommendation is to make sure that you have an approved security policy before implementing the framework, so that you know exactly what needs to be done.
Issued by: The Office of the Executive Director, OIT (Outlines)
Chapter 1: Introduction
Chapter 2: User Accounts
Section 2.1 Eligible Users
Section 2.2 Sponsored Guest Accounts
Section 2.3 Appropriate Use
Section 2.4 Inactive Accounts
Section 2.5 Restricted Accounts
Section 2.6 Sharing Accounts
Section 2.7 Determining Account Misuse
Section 3.1 Selecting a Password
Section 3.2 Changing Your Password
Section 3.3 Sharing and Protecting Data
Section 3.4 Use of .rhosts Files
Chapter 4: Rights and Responsibilities of Users
Section 4.1 Use of Licensed Software
Section 4.2 Use of CPU Cycles on Host Computers
Section 4.3 Use of Sun Storage Resources
Section 4.4 Use of Printing Resources
Section 4.5 Use of Archiving Resources
Section 4.6 Use of Remote Computing Resources
4.7 Use of Electronic Mail
4.8 Use of the World-Wide Web
4.9 Use of Directory Services
4.11 Use of FTP
4.12 Appropriate Use of Copyrighted Material
4.13 Use of Streamed Media
Chapter 5: Abuse of Computing Resources
Section 5.1 Theft and Vandalism
Section 5.2 Worms and Viruses
Section 5.3 Use of .rhosts Files
Section 5.4 Transferring Files
Section 5.5 Games
Section 5.6 Disruptive Behavior
Section 5.7 Unauthorized Use of Computing Resources
Section 5.8 Breaking Into Accounts
Section 5.10 Misuse of Accounts
Section 5.11 Unauthorized Access of User Files
Section 5.12 Unauthorized Modification of Files
Section 5.13 Unauthorized Broadcast Messages
Section 5.14 Use of Computing Resources For Monetary
Gain
Section 5.15 Licensing and Copyright Infringement
Section 5.16 Disrupting or Degrading Service
Section 5.17 CPU Usage
Section 5.18 Exceeding Disk Quotas
Section 5.19 Misuse of Electronic Mail
Section 5.20 Misuse of Web Resources
Section 5.21 Violation of Remote Site Policies
Section 5.22 Installing Software on OIT Lab Machines
Chapter 6: System Administrators' Responsibilities
Section 6.1 Privacy
Section 6.2 Liability
Section 6.3 Investigation of Policy Violations
Chapter 7: Enforcement
Section 7.1 Temporary Restriction
Section 7.2 Permanent Restriction
Section 7.3 Severe Abuse
Chapter 8: Reporting Problems
Section 8.1 Physical Security
Section 8.2 Theft and Vandalism
Section 8.3 Electronic Security
Section 8.4 Notification of Remote System
Administrators
Section 8.5 Inoperative and malfunctioning Equipment
Section 8.6 Software Problems
Section 8.7 Recovery of Deleted Files
All TCDN/CUDN users must be aware of the following.
1) Files kept
on public machines are not regarded as private.
2) The
TCDN/CUDN is regularly monitored to record and/or analyze data relating to the
transmission of information on the TCDN/CUDN for the purpose of investigating
problems. This data may also be recorded for the purposes of accounting and/or
statistical analysis, whether for the production of historical reports or for
load prediction relating to the network.
3) The
Trinity Computer Office has the right to perform regular monitoring, scanning,
and probing to detect problems and to take remedial action as a result. The
criteria for taking remedial action will be based on any one or more of the
following:
The result of regular monitoring of the volume of network
traffic, and other factors that may have an impact on network performance and
reliability. There is a 3 Gb daily bandwidth limit for each user.
As requested by
the University Computing Service or the Trinity College Junior Bursar.
Receiving a complaint from an individual or organization.
The result of
scanning the Trinity file servers for viruses.
The result of scanning the Trinity file servers for
software that may pose a security risk to the network and/or other network
users.
The result of "friendly probes" which may
reveal security vulnerabilities
4) Action(s) taken as a result of monitoring, scanning, and
probing could be any one or more of the following:
Gaining physical
access to the equipment.
Disabling the
network connection associated with the equipment.
Disabling the user's Trinity account and making the
user's home directory files accessible to the Computer Officers only.
Notifying the user of a problem and requesting certain
actions to be taken within a stated period of time.
Further analysis of the source of network traffic to
determine the nature of the suspected problem (e.g. high volume of network
traffic being caused by file sharing programs and associated copyright
infringement).
Deleting,
removing, and cleaning of files on the Trinity file
Server.
5) The Trinity Computer Officers are held responsible for the
following:
Respecting the
privacy and security of any information not intended for public dissemination
that becomes known to them by any means, deliberate or accidental.
Ensuring that
information gathered only includes what is necessary for the purposes stated.
Accessing users'
files and examining network traffic only if necessary in pursuit of their role
as System Administrators. They must endeavor to avoid explicitly examining the
contents of users' files without proper authorization.
Ensuring that
information is only held for as long as it is necessary for the purposes stated.
Upholding strict
confidentiality of personal information that they may come across while
performing their duties (e.g. restoring files from back-up tape, providing user
requested - hands-on support, etc.).
If it is necessary
for the Computer Officers to inspect the contents of a user's files, the user's
permission should be sought. Should such access be necessary without seeking
the user's permission, the appropriate authority (Junior Bursar, Chairman of
the Computer Committee or a delegated representative) must approve it. If it
has not been possible to obtain prior permission, any access will be reported
to the user and the appropriate authority as soon as possible.
The content of
files held on an UCS system (includes email messages) will not be viewed by the
Trinity Computer Officers without explicit permission from an appropriate
authority of the UCS.
Limiting network monitoring to what is an inherent part of the effective operation of the network (security and performance), for the purpose of detecting unauthorized use of the network, and for the purpose of detecting crime (e.g. copyright infringement). Therefore, network monitoring will not be user-specific unless there is specific evidence to justify it.
6) If a user believes that the
Trinity Computing Department is behaving unreasonably in the exercise of the
rights listed in this document, they may report this to the Chairman of the
Computer Committee or the Junior Bursar.
The
University is committed to the use of networks for administration, teaching,
learning and research with access to the campus network and the Internet
available to staff and students locally on the campus and via remote access
subject to the conditions in this policy. The types of usage required include
electronic mail, special interest list server groups, newsgroups, database
access, World Wide Web, FTP and future technologies.
The
University provides all staff and students with the opportunity to access the
campus network conditional upon formal registration. While the University endeavors
to provide the University community with network access, it cannot afford an
open-ended commitment to cover rapidly escalating and uncontrolled costs.
The
University's conditions of access to the Internet and the access which it can
and cannot provide to other groups are defined by the AARNet Policy of the
Australian Vice-Chancellors' Committee (AVCC) and the A.C.T. Regional Network Organization
Agreement.
The
University's Network Access Policy is based on the following principles:
The
University's Intranet and Internet infrastructure provides support for better
research, teaching, learning and community links;
The
infrastructure is provided as a corporate service;
The
principles embodied in the University's Information Policy supports the
proposition that all staff and students of the University should have
reasonable access to the Internet; and
Cost
savings can be achieved by encouraging use of the Intranet and Internet to
replace some traditional more costly forms of communication, such as facsimile,
video, and print.
The
Network Access Policy is also based on the following:
It
is not practical to limit or control traffic generated outside regional
networks by users of the Internet without incurring substantial costs, which
would probably exceed the existing and forecast costs to the University for
access to the Internet;
There
may be limitations to the University's ability to identify usage of the
Internet by individuals, or the type of their usage, without incurring
substantial costs, which would probably exceed the existing and forecast costs
to the University for access to the Internet;
While
it is possible to filter out all images (a substantial cost in traffic) and
restrict traffic to text only, this would also eliminate much legitimate use of
the Internet by staff and students; and
In
the event that a fee needs to be charged as a partial contribution to the cost
of providing the service, any charge-for-use levied on students should be a
component of an existing fee or charge to ensure that it is economical to
collect and distribute.
Within
the context of growth in Internet charges and growth in demand for Internet
access there is a need to foster discriminating and efficient use of networks
by the University community through the following set of principles.
The
University participates in national and regional strategies designed to promote
the cost effective use of the Internet by minimizing or avoiding long-distance
Internet charges for example, through the development of caches and mirrors for
the storage of commonly accessed information.
All
Internet client software on campus is configured to request information via a
caching proxy server. Such use of a local cache reduces unnecessary duplication
in retrieval of information leading to a reduction in Internet charges.
Priority
is given to the establishment and support of databases, newsgroups and other
information services which support the University's endeavors to achieve its
mission to educate professionals in a professional manner.
Staff
and students understand that there are conditions of use and costs associated
with using the Internet service provided by the University:
4.1 Conditions of Use
The
Internet service is provided for staff and students in undertaking their duties
and studies related to the operations and mission of the University. Staff and
students need to remember that use of the University's Internet and Intranet
facilities and services is a privilege and not a right. They should be aware
also that use of the Internet by the University is governed by a number of laws
including copyright, defamation, misrepresentation, Fair Trading legislation
and the Trade Practices Act, Telecommunications Regulations, Privacy Act,
various criminal laws regarding fraud and obscenity, as well as a number of
private codes regarding "netiquette" and the AVCC Policy on Allowed
Access to the Internet. The University will take appropriate action upon
becoming aware of any illegal use of the University's services and facilities.
4.2 Costs of Network Access
The
Internet is in no sense a free good. In the University of Canberra, as in other
universities, the costs of Internet access have become a serious element in the
University's expenditure. Each time staff and students search the Internet via
the University, the University is billed for all the information found on the
basis of gigabytes of information received. The Internet service provided by
the University should be used by staff and students in a responsible manner
with the knowledge that it is not a free good and that unlimited access would
be prohibitively expensive.
The
University provides on-campus and limited remote network access for staff
subject to their agreement to abide by the University's caching strategy and to
limit their use of the network to business related to the University's mission.
Subject
to further information on the cost of Internet access, the University provides
limited on-campus network access for students on authorized computers in
University facilities to access information on the Internet.
The
University facilitates dial-in access from off-campus computers by University
of Canberra staff and students. This service should be provided on a commercial
basis either by the University or through an external service provider. The
service must be a cost-effective method of access for students and achieved in
a way which guarantees access to the information services currently available.
The University may agree to provide free dial-in access through the University for identified individuals with special needs (e.g. system administrators or some students with disabilities).
The
University provides limited on-campus high-speed network access to the Internet
for students in the University's student residences.
The
University endeavors to allocate an adequate recurrent budget for network
access to meet the forecast needs of staff and students identified in this
policy.
Owing
to the volatile nature of the Internet, technical developments and increasing
usage, the Network Access Policy should be reviewed and evaluated periodically.
(Endorsed
by Information and Communication Services Committee Meeting 97/4, 26 May 1997,
and by the Vice-Chancellor's Advisory Committee Meeting 97/10, 17 June 1997)