Infrastructure
Version 1.1, 13 Sept. 2004
Most devices connected to the University network are personal computers or workstations used by one person. Users of such systems must take reasonable steps to protect them against virus infections and similar exploitation by outsiders, as outlined in NSIT’s Getting Started booklet and the Connectivity Package documentation. They are bound by the University’s Eligibility and Acceptable Use Policy (the EAUP, online at <http://nsit.uchicago.edu/eaup>). The EAUP provides, in general, that only regular members of the University community may use the University network, and that their use must be consistent with the University’s core purposes and status.
In some cases, departments or individuals connect computing or networking equipment more sophisticated than personal computers to the University network. Such installations are also subject to the EAUP, and to certain additional specific rules and procedures NSIT enforces to implement the EAUP. This document outlines rules and procedures pertaining to such installations as well as single-user computing. It is subject to change as technologies evolve. Individuals or departments contemplating use of the University network for servers, services, or networking applications beyond simple single-user computing should consult with NSIT to ensure that these applications are consistent with University policy.
Network Infrastructure
The extension of the campus network by departments and individuals is prohibited except as specified in this document. Departments or individuals may extend the network by the placement of a hub or switch in the immediate proximity of a campus network jack. No more than 5 unique devices may be attached to the switch or hub. An example of an allowed configuration would be two computers and a printer connected via a 4-port switch within 8 feet of the wall jack. The University network may not be extended to non-University owned or affiliated facilities.
Warning: in the event of a security or network problem NSIT may turn off service at the network jack, thereby denying service to all devices connected beyond it. We therefore recommend connecting servers directly to the network jack without an intervening switch or hub.
Wireless transmitters may be used to extend the network within the limitations specified in the Wireless Connectivity section of this document.
Any extension to the University network by routers, switches or bridges or similar devices via telecommunications equipment must be approved by NSIT, e.g. placement of a router to connect to a remote service or a terminal server to allow dial-in services.
These restrictions allow NSIT to better manage and secure the network improving reliability and availability.
Departmental Servers & Network Services
A server is any device whose principal or substantial role is to respond to queries or communications from other computers or from remote users. There are two restrictions on servers, beyond the general provisions of the EAUP.
First, servers cannot enable users otherwise ineligible for University network access to reach points on the University network other than the server itself. For servers that involve accounts for individuals, this means that only eligible university users may have unrestricted accounts (for example, shell accounts on Unix machines). Accounts for ineligible users (for example, colleagues from other institutions being given access to documents on an ftp server, or to collaboration tools) therefore must not permit broader access to the University network. Mail servers and similar machines that permit users to communicate in ways that imply they are associated with the University may not grant access to users ineligible for University network accounts, the exception being that mailing lists and similar services may include non-University users. For servers that do not involve individual accounts (for example, Web servers), the material and services available to users must be licensed appropriately and explicitly for use outside the University.
Second, servers that perform a substantial volume of authentications (such as email or ftp servers, and many Web-based applications) must prevent transmission of passwords in the clear over the data network. Various mechanisms exist to achieve this. For example, most NSIT-provided central web servers and other NSIT services use Secure Socket Layer (SSL) Web interactions to encrypt passwords and other transactions, avoiding clear-text password exchanges. Similarly, the widely used Secure Shell (ssh) protocol for remote logins provides a reasonable level of protection, and so do various other mechanisms, including advanced versions of the Wireless Encryption Protocol (WEP). In some cases more sophisticated approaches, such as Virtual Private Networks (VPNs), are necessary. None of these mechanisms is perfect, in that all have vulnerabilities, and all impose some inconvenience on users and server operators. However, for high-volume servers some degree of secure authentication is required if they are to operate on the University network.
"Public" Network Jacks
Most campus network jacks are "permanently" connected to a particular device. However, some are available for more temporary use in classrooms, library reading rooms, meeting rooms, and similar locations. For the most part, only regular members of the University community have access to these "public" jacks, and this creates no policy problem. Sometimes, however, visitors to the campus use "public" jacks. In these cases, whoever permits a visitor or other usually ineligible user to connect to the University network assumes full responsibility for that visitor’s use of the network (and, by assuming that responsibility, makes the visitor a "special" user under the EAUP). The clear responsibility of anyone who permits visitors to use the University network is to verify the identities of those users, or to have mechanisms for identifying them quickly and unambiguously should this become necessary for network-security, intellectual-property, or other reasons. Conversely, no department may make "public" jacks available in a way that permits strangers to use them without identifying themselves. Placing such jacks inside a physical security perimeter (for example, inside a restricted-access library or an office or meeting room not generally available to the public) satisfies this criterion. So does configuring a more accessible jack so that a user needs non-public information to use it (for example, by not providing DHCP service, or by requiring a password or encryption key).
Wireless Connectivity
NSIT is developing a strategic plan for the deployment of wireless networking. Pending completion and implementation of this plan, NSIT does not wish to halt the deployment of wireless equipment by departments or individuals. However, there are serious concerns about current versions of this technology, principally its security, reliability and suitability for a complex network such as the University’s.
As the preceding section indicated, NSIT must maintain the security of the University network by requiring that only eligible members of the University have unrestricted access to it.
Departments and individuals must take appropriate steps to secure any wireless network whose signal might be accessible to ineligible users.
As general guidelines, small installations serving fewer than ten users should require their wireless clients to know the name of the local wireless network (SSID) and a WEP key. The wireless access point should disallow the use of the "ANY" feature. The individual or department deploying the network must choose SSID and WEP keys which are not obvious and treat them as "shared secrets", that is, not allow them to become known to anyone besides the small set of users. Note: there are serious security flaws in the original WEP specification. We recommend that equipment using the WEP Plus specification be used. Larger installations of up to 50 users must require registration of the allowed Ethernet hardware addresses, also known as media access control (MAC) addresses. A feature is available on many wireless access points whereby a list of authorized Ethernet MAC addresses can be specified by an administrator. For installations of greater than 50 users NSIT requires per-user, per-access authentication, i.e. the user must authenticate when associating with a wireless access point using the University CNetID and CNet password. NSIT has developed a firewall mechanism which allows wireless users to authenticate using a web page at the time they associate with the access point. This method requires that the access points be placed on a special network segment which is connected to the firewall. NSIT will work with departments to implement this methodology. NSIT believes that this technology will allow for a common initial deployment across campus; however, we feel that this approach will not scale to allow full campus deployment. Contact our networking group at noc@uchicago.edu for further information. NSIT currently believes that implementation of the 802.1x authentication standard by all the major vendors will be the method that we will use for a full campus implementation. However, the 802.1x standard is not likely to be adopted by the majority of vendors until the 2002-2003 timeframe.
NSIT strongly encourages departments and individuals to buy wireless access points that have the potential capability to do 802.1x authentication.
As is the case for any device attached to the University data network, all wireless access points must be registered with NSIT. Please notify NSIT prior to any installation at noc@uchicago.edu, providing the name and contact information for any support personnel, the jack location, the authentication methodology used and the frequency/channel to be used by the access point. This information will allow NSIT to better troubleshoot and support the campus network. At this time NSIT believes that the 802.1x standard will become the common method of authentication for wireless access points in the next two years. The type of wireless Ethernet card is less important; it is generally wise to use cards from well-established vendors who are likely to upgrade them as enhancements become necessary, e.g. Cisco and Lucent/Agere.
Installers of wireless equipment should be aware that 802.11b wireless equipment uses an unlicensed frequency band. This means that other devices that use the same frequencies may interfere with 802.11b wireless communications. Examples of such devices are cordless telephones, microwave ovens, devices using Bluetooth technology, and amateur radio transmissions.
NSIT reserves the right to deploy wireless networking equipment at a later date, possibly requiring the removal or modification of previously installed departmental or individual user equipment. Any wireless or other networking equipment operated by an individual or department is subject to removal from the network should it cause network problems.
NSIT prohibits the use of any device to extend the campus network beyond the immediate proximity of a campus network jack; therefore, installing a wireless bridge to allow network traffic between a University building and a private dwelling in Hyde Park is likewise prohibited.
NSIT does not consider wireless networking to be a replacement for an extensively wired campus such as ours, in large part because the growing bandwidth demand of many campus applications will exceed the growth in wireless bandwidth. Therefore, wireless technology should be seen as an adjunct to the University’s wired physical plant. Moreover, wireless access point technology currently is a "shared bandwidth" environment, which means that the more users, the smaller the bandwidth available to each.