Use of the Engineering Computer Data Network Infrastructure

Approved by Dean, Faculty of Engineering, July 31, 2002

1. Preamble.

Computers on the Faculty of Engineering network are accessible from anywhere throughout the world. Problems associated with the lack of security measures can affect computers and parties far outside the Faculty of Engineering and the University of Victoria. As such, the Faculty of Engineering has adopted the following policy:

Systems Administrators in the Faculty of Engineering are responsible for ensuring that all computers and/or networking devices meet current security standards.

The Faculty of Engineering has an implicit responsibility to the Internet community at large to ensure that its networked computers and/or networked devices are as secure as possible. The Faculty of Engineering cannot allow systems determined as insecure to be attached to the Faculty of Engineering network. These insecure systems can become gateways for hackers to all systems attached to the network. This policy is in no way an attempt to limit academic freedom in the choice or use of computing equipment and/or networking devices; however, circumstances may dictate that security has a higher priority. This policy is intended as a supplement to relevant UVic policies, such as 6030 and 6060.


2. Application of the Policy.

This policy applies to the use of:

the Faculty of Engineering data network infrastructure, regardless of the source of funding,

by:

all faculty, staff and other associated research personnel as well as students enrolled in programs or courses in the Faculty of Engineering at the University of Victoria.

2.1 Definition of Terms.

Without limiting the general definition of the terms below, they will be used throughout the remainder of this document:

2.1.1 Faculty Network:
  • Data network infrastructure:
    • 10/100 baseT and other copper interconnects,
    • optical fibre interconnect,
    • wireless networking devices,
    • networking electronics hardware components and protocols.

2.1.2 Networked device:
  • computers,
  • network components,
  • network monitoring devices.

2.1.3 Facilities:
  • Faculty networked devices,
  • Departmental networked devices,
  • user networked devices.

3. Obtaining access to the Faculty of Engineering network.

There are two types of access available on the Faculty Network: user access to current Facilities and the connection of Networked Devices to the Faculty Network.

3.1 Obtaining user access to current Facilities.

User access and the use of current Facilities are privileges that are granted so that the user may perform University work and related activities. Ordinarily students are given access to the various Facilities as part of their registration in programs or courses. Others may apply through their respective Departments or the Faculty. User access will remain active as long as the user requires it for authorized use. Note that violation of the policy and/or guidelines within this document by a user may result in the suspension of the use of the Facilities pending investigation in accordance with UVic policy 6030.

3.2 Connecting computers and/or network devices to the Faculty of Engineering network.

In order to connect a Networked Device to the Faculty Network, the user must make a request to the Faculty via the designated Departmental Systems Administrator. No Networked Device may be connected to the Faculty Network unless the required authorization is given. If the request for a network connection is denied, the person making the request will be informed of the reason(s) for denial. A denial of authorization may be appealed to the appropriate Chair or Dean.

As part of the approval process an IP address will be assigned to the Networked Device and a physical network port will be activated for the unique ethernet address (a.k.a. MAC, NIC address) of this Networked Device. Network ports will be activated:

3.2.1 for the specific ethernet address of that Networked Device only,

3.2.2 a unique IP address will be assigned to a Networked Device; swapping IP addresses from one Networked Device to another by a user is not permitted,

3.2.3 if an unauthorized Networked Device is connected to the Faculty Network, the Faculty reserves the right to disconnect that Networked Device immediately.

3.2.4 if the proposed Networked Device is a wireless base station, the following additional conditions must be adhered to:
  • access to the base station must be authenticated by security measures,
  • encryption algorithms must use the current minimum standards for coding,
  • if the base station allows multiple links, these additional connections shall be routed,
  • a proposed base station installation cannot interfere with the installed infrastructure, i.e. the proposed base station cannot occupy or interfere with a radio channel already in use.

Note that unless required by necessity (e.g. there is one network port in a room that has more than one Networked Device) only one network port will be activated per Networked Device.

As part of allowing a Networked Device onto the Faculty Network, the owner/user of the Networked Device agrees to allow unconditional and unimpeded access to the Networked Device by the appropriate Faculty and/or Departmental System Administrators to ensure its correct and secure operation within the Faculty Network. For example, in the case of a UNIX Facility, the appropriate Faculty and/or Departmental System Administrator must have privileged access. Denial or non-existence of this access will result in the removal of the Facility from the Faculty of Engineering network. This condition is essential to ensure that the Networked Device is as secure as possible and to monitor possible unauthorized activity on the Networked Device. The owner/user of the Networked Device will be notified promptly of any such privileged access.

4. Security on the Faculty of Engineering Network.

There are a number of elementary security precautions that must be taken to ensure compliance with current security standards. These precautions must be applied to every Networked Device on the Faculty Network, and include:

4.1 allowing unconditional and unrestricted access to the Networked Device to the appropriate Faculty and/or Departmental Systems Administrator for the non-intrusive installation of security patches and the operating of monitoring software,

4.2. installation of all relevant vendor supplied security software patches on a regular basis,

4.3. periodically initiating security analysis and logging software against the current Networked Device to determine if any security risks or violations exist,

4.4. implementing access control so only authorized persons have physical and login access to the Networked Device,

4.5. each unit with a Networked Device on the Faculty Network must identify a contact person for that Networked Device who has direct responsibility for its security.

The Faculty and/or Departmental Systems Administrator(s) in the Faculty of Engineering will assist with the points 4.2 and 4.3 as required. Implementing access control and delegating security responsibilities for each Networked Device in the Faculty of Engineering is the responsibility of the Dean or delegated person. Any Networked Device which does not meet current security standards as defined by the Faculty of Engineering will be removed from the Faculty Network until the system is brought up to the level to meet these standards. Furthermore, Faculty and/or Departmental System Administrators may remove any Networked Device from the Faculty Network at any time without warning if it is deemed necessary as a result of security breaches. In such cases the owner(s) and/or user(s) will be notified promptly.


5. Authorized use of the Engineering Facilities.

Authorized use shall only be for University purposes associated with the following:

5.1. administrative,

5.2. instructional,

5.3. research including graduate theses,

5.4. community services in furtherance of or related to 5.1 - 5.3 above inclusive,

5.5 outside professional activity, provided that in the case of substantial use of the Facilities prior written authorization from the Chair or Dean is obtained.

Use of the Facilities and of the information stored on them for any purpose other than those identified above will be considered as unauthorized, whether or not the use resulted in indirect or direct personal gain.

6. Unauthorized Use of the Engineering Facilities.

Without limiting the generality of the above, the following are some examples of the unauthorized use of the Facilities:

6.1 use of a user account or Facility without authorization,

6.2 attempting to circumvent security systems on any Facility. Examples of this include, but are not limited to:
  • running password crackers,
  • attempting to gain privileged access by any means,
  • attempting to gain access to another user's account without explicit consent,
  • attempting to impersonate another user,

6.3 developing or using programs that harass other users of the Facilities or that damage the software or hardware components of the Facility and placing any destructive or nuisance programs such as a virus in the Facilities,

6.4 interference with the operation of the Facilities. Examples of this include, but are not limited to:
  • power cycling, rebooting, or turning off machines not administrated by the user,
  • filling up the swap (/tmp) or other critical space on a Facility,
  • playing computer games,
  • attempting to circumvent defined quotas,

6.5 using the Facilities, particularly electronic mail and bulletin boards, to send fraudulent, harassing or obscene messages,

6.6 transmitting commercial or personal advertisements, solicitations or promotions using the Facilities,

6.7 unless authorized by the Dean, reading, obtaining copies of or modifying data files, programs or passwords belonging to other computer users without the permission of those other computer users,

6.8 breaching the terms and conditions of a software licensing agreement to which the University or the Faculty of Engineering is a party. (Terms and conditions of such software licensing agreements may be obtained from Computer Services or the office of the Dean of Engineering or other units responsible for such licenses),

6.9 the use of unlicensed (so-called pirated) software,

6.10 providing an unauthorized service using the Facilities and/or data network, e.g. web-service, e-mail routing, gateway for other services etc.

6.11 the implementation of a local firewall or TCP/IP port blocking that prohibits legitimate system administrator access.