Policy on Electronic Devices Connected to the UW-Madison College of Engineering Network
Preamble
The University of Wisconsin – Madison campus has established a policy with regard to connecting electronic devices to the university network. To conform to this university policy, this document defines the Network Security Policy for connecting devices to the College of Engineering network segment of the university network.
Goals
- To protect the College of Engineering network and its computing resources from exploit or compromise by persons or software, whether internal or external to the College.
- To protect the College of Engineering intellectual property from unauthorized access, alteration, theft, or deletion. Intellectual property includes research data and data that are protected by local, state or federal laws or regulations as well as information that is protected by copyright, license agreements or non-disclosure agreements.
- To provide network service that allows secure transmission of data with the expectation that the data will not be altered or tampered with en route to a college-controlled resource.
- To provide reliable network services to all customers of the College of Engineering network with a minimum of unplanned outages, including those outages caused by other customers.
- To maintain complete records of all equipment on the college network. This will facilitate prompt notification to customers of potential security deficiencies with their systems and notification to customers of planned network interruption arising from system upgrades or containment of security breaches.
Principles
- The College of Engineering Network Security Policy will not be less restrictive than the policy set for the university’s network.
- The College of Engineering will make every reasonable effort to protect the college and university networks from compromise or exploitation.
- The College of Engineering reserves the right to suspend access to the network to preserve the integrity of the network.
Policy
- Every device connected to the College of Engineering network must meet UW-Madison campus requirements.
- Every device connected to the College of Engineering network must be registered with Computer-Aided Engineering (CAE), with accurate and up-to-date information. At a minimum, this information must contain the names and contact information for the following people along with the hardware address of the device: the primary user of the device, the technical support person, and the faculty member responsible for a course or the principal investigator or the office manager. Devices that connect to the College of Engineering wireless network are not required to register but must be authenticated to the College of Engineering wireless firewall by a method supported by CAE.
- Every wireless access point to be deployed or connected to the network requires that the responsible party consult with Computer-Aided Engineering to discuss interference and other risks associated with deployment.
- Every device connected to the College of Engineering network must use DHCP to obtain the IP address assigned by the college. Exceptions will be made for devices that are incapable of using DHCP and must therefore have their assigned IP addresses statically configured.
- Every proposed service to be offered over the network on an individual basis (e.g., web server, email server, ftp server) requires a thorough search for an existing service, already provided and maintained elsewhere in the college, that is comparable to the one proposed. Where reasonable, users will be expected to use existing resources.
College contribution
- The College of Engineering will provide firewall functionality at the border between the college and the rest of the University and Internet. The default firewall configuration will protect the college from all inbound connections. Exceptions (open ports) will be reviewed, controlled, and documented by a college committee (See Appendix A).
- The College of Engineering will provide consultation and help in deploying firewalls for groups that wish to further enhance group security.
- The College of Engineering will monitor the network for anomalous activity and investigate such activity as needed.
- The College of Engineering will research new security threats as they arise and communicate such threats to the College. Threats will be classified by the danger they pose. Examples of classifications are, in order of increasing severity:
  - Possible denial of service to a single computer (end user)
  - Possible compromise of a single computer where the attack cannot propagate past that computer
  - Possible access to sensitive data
  - Possible compromise of multiple systems, or the possibility that attacks on other computers may be mounted from a compromised computer
- The College of Engineering will compose ‘Best Practice’ guides for the College regarding ‘safe’ computer usage and related topics, and will update these guidelines on a regular basis to account for changes in technology or policy.
- The College of Engineering will provide security resources locally for computers in the College of Engineering. Examples include managed antivirus servers and mechanisms for automating patch retrieval and installation.
- The College of Engineering will perform scans of the network for devices that are not sufficiently protected against current threats. UW guidelines also permit DoIT to scan network devices.
- When a vulnerable device is identified, the users registered with CAE for that device will be notified. Depending on the perceived severity of the vulnerability, some grace period will be specified during which the vulnerability must be removed. If it is not fixed before the end of the grace period, the device itself may be preemptively disconnected from the network to prevent a problem.
- As network security situations warrant, users of potentially vulnerable computers may receive further notifications advising of an increased level of threat and a corresponding shortening of the grace period.
- Any person who re-connects a device that has been disconnected from the network to obviate a threat, without assuring the identified vulnerabilities have been removed, may be subject to additional action.
Appendix A – Firewall exceptions
A firewall and its enforcement of network “rules” can unexpectedly impede the business of the College of Engineering. Thus, the following policy establishes requirements and guidelines that must be met before exceptions are established through a firewall protecting individual devices or groups of devices:
1. A professional information technology staff person must administer the device(s).
2. Security and anti-virus must meet campus requirements (for details see www.doit.wisc.edu/security/policies/electronic_devices.asp).
3. A device will be disconnected from the network if a security incident occurs, and the port(s) granted the exception will be closed until the device again complies with items 1 and 2.
Exception requests
Any exceptions requested for a given interface must be thoroughly researched by the department making the request for both the necessity of the exception as well as the possible security risks associated with making the exception. Where possible, similar services at the department, college, or university level should be used. If there is no alternative, a request may be submitted to the Security Administrator at Computer-Aided Engineering.
Requests for exceptions to firewall rules should include the following information:
- The specific need for the exception and the port(s) to be opened.
- The Internet name and address of the device(s) for the exception.
- Security measures in force on the system including password policy, auditing policy, antivirus software (if any), and any additional security related software and/or settings of the machine.
- A statement to the effect that the owner of the device(s) “understands that the device(s) will be disconnected from the network and the port(s) granted the exception will be closed if: a security incident occurs with that device, contact information for the technology staff person responsible for the device is not kept current, or security patches are not being applied in a timely manner.”
If your request is not granted, you may appeal to the CAE Executive Committee.
Questions about this college security policy or any other security issue in the college should be directed to security@engr.wisc.edu.
Approved by: Dean Paul Percy, May 2004