Campus Network Connectivity Policy

I.    Preamble

This administrative procedure is an extension of University of Alaska Board of Regents (BOR) policy and Information Resources regulation (R02.07).  “User” as used in this procedure is defined in BOR documents.  “UAA/IT” as used in this procedure refers to Information Resources Personnel directed by the Chief Information Officer or under the specific direction of a community campus director at a community campus in coordination with the Chief Information Officer.  Italicized terms are defined in the glossary in Section VI of this procedure.  The scope of this procedure includes all UAA-operated facilities, including community campus and extension offices.

II.    Purpose
  1. To guarantee a high-availability, secure and productive network and computing infrastructure serving faculty, staff, students and patrons.
  2. To improve the ability of UAA/IT to monitor and manage campus internetworks from end to end.
  3. To establish guidelines for creation of network extensions within campus internetworks.
  4. To define the limited role and guidelines for creation and operation of private networks within campus internetworks.
  5. To define actions that will be taken by UAA/IT when exceptions to this procedure are identified.
III.    Background
  1. Campus internetworks are considered information resources according to R02.07.
  2. Recent increases in purchase, configuration and attachment of wireless access hubs and other network devices to campus internetworks by users in order to create network extensions and private networks has created significant management and security problems that potentially compromise Section II.1 and Section II.2 above.
  3. Creation of private networks by users with the intention of creating networks-within-networks has compromised the integrity of campus internetwork designs; blurred standard demarcation points and has created organizational and operational confusion.
  4. Unnecessary complexity associated with Section III.2 and Section III.3 above has made it increasingly difficult to ensure adequate computer/network security as well as ensuring the efficient and cost-effective operation of UAA’s campus internetworks.
IV.    Procedure
  1. Computer, printer, and network equipment referred to in this section is classified as user equipment as defined in Section X.
  2. Any computer connected to a campus internetwork directly or indirectly though a network extension or private network must comply with the following:
    1. Use either UAA/IT-provided DHCP or a valid UAA/IT-assigned static IP address for network identification;
    2. Use UAA/IT-provided DNS services;
    3. Ensure that client antivirus software is fully operational and running at all times when such software is available; standard client antivirus software approved by UAA/IT will be used for computers/operating systems specified in an approved manner.
  3. All network-attached printers and peripherals will use either UAA/IT-provided DHCP or a valid UAA/IT-assigned static IP address for network identification.
  4. Users will not operate separate DHCP or DNS services unless approved by UAA/IT prior to connection to a campus internetwork.
  5. All network devices connected to a campus internetwork must comply with the following:
    1. Network devices must be approved by UAA/IT prior to purchase;
    2. Network device setup and configuration must be approved by UAA/IT prior to connection to a campus internetwork;
    3. Network devices must be configured to permit UAA/IT surveillance access for monitoring.
  6. The management demarcation point for network extensions that are managed by users will be a campus internetwork switch port connected to the network device that creates the network extension.
  7. The management demarcation point for network extensions that are managed by UAA/IT will be any port within the network extension.
  8. Under extraordinary circumstances a user may require creation of a private network within a campus internetwork.  UAA/IT will create such private networks on private virtual local area networks (VLANs) within a campus internetwork.  Proposals for creation of all private networks outlining business and security needs will be approved by the Chief Information Officer prior to procurement and installation.
  9. No external networks will be permitted within UAA-operated facilities.
V.    Enforcement
  1. UAA/IT personnel will conduct monitoring and surveillance activities of all network ports within campus internetworks, including network devices which create network extensions or private networks.
  2. Exceptions to the procedures outlined in Section IV that are noted during routine surveillance or due diligence associated with implementation of this procedure will be immediately investigated by UAA/IT.
  3. UAA/IT will disconnect non-conforming user equipment from a campus internetwork at a demarcation point defined as either the campus internetwork port or the demarcation point defined in Section IV.6 or Section IV.7 above until compliance with this procedure is achieved.
  4. During routine monitoring and surveillance activities, if UAA/IT determines that user equipment connected to a campus internetwork has been compromised by an unauthorized person or is unexpectedly and adversely impacting a campus internetwork, every attempt will be made to immediately contact the owner of the equipment and request immediate resolution of the noted problem.
  5. If, after one (1) hour from problem identification by UAA/IT the user cannot be contacted or the noted problem is not resolved, UAA/IT will disconnect the user equipment from the campus internetwork at the demarcation point specified in Section IV.6 or Section IV.7 above.
  6. Users whose user equipment has been disconnected from a campus internetwork will provide UAA/IT with proof of resolution of problem(s) noted in Section V.4 above prior to re-connection.
X.    Glossary
  1. Campus Internetwork.  The physical and logical infrastructure that carries voice, video and/or data within a campus location up to and including connections to external networks or providers.  A network includes switches, routers, firewalls, store and forward devices, software used to manage the network, and all cabling and connecting equipment up to but not including user equipment.
  2. Computer.  Any user-owned and operated computer serving as either a user workstation or a server.  This includes all forms of personal computers (e.g., desktop, laptop, notebook) as well as server-class computers without exception.
  3. External Network.  Creating within a UAA-operated facility a physically separated network which is connected to a commercial or non-commercial service provider that is not specifically a part of an approved University of Alaska network.  For example, users who install commercial cable modem or DSL modem Internet access services within UAA-operated facilities are creating external networks under this procedure.
  4. Network Extension.  Connection of a network device (e.g., hub, switch, router) to a campus internetwork for the purpose of providing connectivity to multiple computers or network attached peripherals.  Examples include wireless access hubs and switches used to support a laboratory environment within a single geographic facility.
  5. Network Device.  Equipment that is used to create a network extension or a private network.
  6. Private Network.  Creation of a virtual local area network (VLAN) within a campus network for the purpose of specifically aggregating a defined set of campus network ports.  Private networks will only be created under extraordinary circumstances related to security of information resources.
  7. User Equipment.  A user-owned and operated device which is directly connected to a campus internetwork.  User equipment includes but is not limited to computers, printers, network-attached peripherals and network devices used to extend network services to two or more user-owned devices from a single port of a campus internetwork.

 

 
Release 02.07.1c, dated 12/15/04