Network Access Control Policy

Please note that this policy has not yet been revised or converted to the new format.

1.  Preamble

A key principle underpinning a high standard of IT Security is that access to computer network resources should be authorised on a ‘need to use’ basis. Historically, most computers connected to the University network have had full access to almost every other computer on the University network, and most staff computers have had full access to the Internet. The risk of compromise to Monash University computers can be reduced significantly without affecting normal use if the machines are segregated on the network according to their usage requirements.

2.  Purpose

The purpose of the Network Access Control Policy is to define a set of computer connection classes, designed to minimise the exposure to Monash University from destruction, theft and loss of data (eg. confidentiality and privacy), disruption to business operations, and damage to the University’s image which may follow from unauthorised use of its electronic resources.

The Network Access Control Policy defines the roles of Servers, Internet Servers and Client Computers when connected to the University’s network and defines the permissible communication flows between them.

3.  Policy Status

Approved UNITPOL

4.  Responsible Officer

Executive Director, ITS.

5.  Approving Body

UNITPOL

6.  Definitions

Servers: Devices connected to the University network that provide services for others not necessarily in the same organisational unit. Servers only communicate within the University network.
Internet Servers: Servers which also provide computing resources for users on the Internet.
Proxy Server: A Server which accesses the Internet on behalf of client computers.
Client Computers: Any computer which is connected to the University Network that is not a Server. This includes (but is not limited to) staff user workstations, student laboratory workstations, and computers connected via the Wireless LANs, VPN, and dial-up modems. Client Computers cannot communicate directly with Client Computers in other groups, nor can they communicate directly with the Internet. Client Computers can communicate with the Internet via an Internet Proxy Server. Servers which only need to provide services to a particular group (e.g. Printers) may also be classified as a client computer.
Class: A set, collection, group, or configuration containing members regarded as having certain attributes or traits in common; a kind or category.
Group: A Group might typically be "all staff in the same organisational unit", or alternatively "all student computers in the same Faculty".
Research Purposes: This term is defined in this policy as the need to trial and/or experiment with Internet-based technologies that are new or emerging protocols, or experimental software, which may place a significant burden or IT security risk on the production University network.
Service: The kind of function that a Server provides, e.g. web services, file transfer services, print services, etc.
Addhost: The University-Wide Host Registration Database System.
MDS: The Monash Directory Service – a collection of information about staff and students.
ITS: Monash University Information Technology Services Division.
University: Monash University.

7.  Policy Scope

All users of equipment or devices connected to the University network must adhere to this policy.

8.  Policy

  1. Most devices are Clients: The default configuration for any device connected to the University’s network is for client access.
  2. Client connectivity: Client Computers are permitted to communicate with any Server (other than some Restricted Servers, as per item 7 below) on the University network, and with other Client Computers in the same Group.
  3. Internet connectivity: The network security configuration blocks inbound and outbound Internet communications for all computers registered as Client Computers. A proxy server provides Internet connectivity for all IP protocols. If a Client Computer requires direct outbound Internet connectivity, the Outbound Client Connections exemption form (Attachment A) must be completed and sent to the ITS Service Desk for processing.
  4. Peer-to-peer communications: Where it is technologically impracticable for peer-to-peer communication via Proxy Server, direct Client-Client and/or Client-Internet communications may be enabled, on an individual Service case-by-case basis. Application must be made to the Executive Director, ITS for approval of such exemptions.
  5. Server connectivity: Servers are unable to communicate with other Servers in other groups, unless those Servers are running supporting services, eg. MDS authentication. Servers are also unable to initiate outbound connections to client computers or the Internet.
  6. Internet Servers: In addition, Internet Servers are able to directly communicate with the Internet. Servers must be configured via a request to the ITS IT Security Section to allow or prohibit communications between the Server and the Internet.
  7. Restricted Servers: Servers may be configured via a request to ITS to prohibit communications between the Server and a specified Class of Client.
  8. Internet Connectivity For Research: The University’s network is a production service. All computers that require Internet connectivity for research purposes will be segregated from, and unable to communicate with, all Client and non-Internet Server computers on the network.
  9. Communication flows: All communication flows described above and others that relate to additional network Classes are documented at section 9 of this policy.
  10. Registration: All Servers must be registered as such in the Addhost database. Only the requested Service(s) that the Server provides (as per its Addhost registration) will be accessible through the University firewall systems.
  11. Audit: The ITS IT Security Section may conduct security assessments on registered Servers at any time, and may disconnect any Servers if IT security requirements are not met as per the University’s IT Security Policy.
  12. Data backup: All machines that are registered as servers must have their data backed up. Refer to Data Centre Management for suggested control objectives for backing up a Server.

9.  Communication Flows

For each Service (network class), the access controls are listed as Inbound (who may contact the class) and Outbound (what the class may contact).

Client Class – Students
  Inbound: Can contact machines within same class and group. No other inbound access permitted. No direct Internet access.
  Outbound: All Internet access via proxy server. Can contact machines within the same class and group. Can contact Server classes. Can contact research class (when requested).

Client Class – Staff
  Inbound: Can contact machines within same class and group. No other inbound access permitted except VPN. No direct Internet access.
  Outbound: All Internet access via proxy server. Can contact machines within the same class and group. Can contact Server and research classes.

Client Class – Staff (Outbound proxy exempted service)
  Inbound: Can contact machines within same class and group. No other inbound access permitted except VPN.
  Outbound: Direct Internet access (outbound only). Can contact machines within the same class and group. Can contact Server classes.

Server Class – Internet Servers
  Inbound: Can contact machines within same class and group. Direct Internet access only on the particular TCP/UDP ports that are required (e.g. port 80 for a web server). Can be contacted by all Student and Staff classes.
  Outbound: No direct Internet access unless required (e.g. mirroring FTP servers, search engines, etc.). Can contact machines within the same class and group. Cannot contact any Client classes. Cannot contact machines in other Server class groups, with the exception of the ITS Server class (for MDS services, email, etc.).

Server Class – Non Internet Servers
  Inbound: As above, with no Internet access.
  Outbound: As above, with no Internet access.

VPN users (i.e. once authenticated to VPN)
  Inbound: Can contact machines within same class (but will be blocked by Firewall software included with VPN clients). No other inbound access permitted. No direct Internet access.
  Outbound: Can contact Client classes (Staff logins via digital certificate only). All Internet access via WWW proxy server. Can contact Server classes.

Network Management Class
  Inbound: No inbound access permitted, with the exception of the dual-homed management server.
  Outbound: No outbound access permitted, with the exception of the dual-homed management server.

Wireless class (before VPN authentication)
  Inbound: No inbound access permitted.
  Outbound: Outbound access only permitted to the VPN server.

Faculty/Divisional Research class
  Inbound: Full Internet access and Monash Internet Server access; inbound access from Client Class allowed – no other Monash access.
  Outbound: Full Internet access and Monash Internet Server access only – no other Monash access.

Server Class – Restricted Servers (e.g. SAP/Callista)
  Inbound: No student access. No Server class access aside from backup machine and integrated applications (e.g. portal, MDS machines, CRUX). See Server class. Extra filtering may apply upon application of the service owner.
  Outbound: No student access. No Server class access aside from backup machine. See Server class. Extra filtering may apply upon application of the service owner.
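To make the section 9 table checkable, the following added example (not part of the policy and not a Monash ITS tool) encodes its outbound rules as an ordered rule set in Python. The class labels, host names and groups are constructed; the Restricted Server exceptions (backup machine, integrated applications) are simplified to a plain deny for other Servers, and the "required ports only" condition for Internet Servers is noted but not modelled.

```python
from dataclasses import dataclass

CLIENT = {"client-students", "client-staff"}
SERVER = {"server", "internet-server", "restricted-server"}

@dataclass(frozen=True)
class Host:
    name: str
    cls: str                    # class from the section 9 table (constructed labels)
    group: str                  # organisational unit or faculty (see "Group")
    proxy_exempt: bool = False  # staff client holding the item 3 outbound exemption

INTERNET = Host("internet", "internet", "-")

def flow_permitted(src: Host, dst: Host) -> tuple[bool, str]:
    """Return (allowed, reason) for a connection that src initiates towards dst."""
    if src.cls in ("wireless", "network-management"):
        # pre-VPN wireless reaches only the VPN server; management class has no outbound
        return src.cls == "wireless" and dst.cls == "vpn-server", "wireless: VPN server only; management: no outbound"
    if dst.cls == "internet":
        direct = src.cls in ("research", "internet-server")  # servers: required ports only
        if direct or (src.cls in CLIENT and src.proxy_exempt):
            return True, "direct Internet access permitted for this class or exemption"
        return False, "no direct Internet access: all Internet access via proxy server"
    if src.cls == dst.cls and src.group == dst.group:
        return True, "same class and group"
    if src.cls in CLIENT or src.cls == "vpn":
        if dst.cls == "restricted-server" and src.cls == "client-students":
            return False, "restricted server: no student access"
        if dst.cls in SERVER or (dst.cls == "research" and src.cls != "vpn"):
            return True, "Client and VPN classes may contact Server classes"
        if src.cls == "vpn" and dst.cls in CLIENT:
            return True, "VPN users may contact Client classes"
        return False, "Client-to-Client across groups is not permitted"
    if src.cls in SERVER:
        if dst.cls in ("server", "internet-server") and dst.group == "ITS":
            return True, "Servers may contact the ITS Server class (MDS, email)"
        return False, "Servers cannot contact Clients or Servers in other groups"
    if src.cls == "research":
        return dst.cls == "internet-server", "research: Monash Internet Servers only"
    return False, "no matching rule: denied by default (item 1)"

# Constructed hosts used to exercise the rules.
student_pc = Host("lab-pc-01", "client-students", "FacultyX")
staff_pc = Host("staff-pc-07", "client-staff", "UnitY")
exempt_pc = Host("staff-pc-08", "client-staff", "UnitY", proxy_exempt=True)
web_server = Host("www", "internet-server", "UnitY")
mds = Host("mds", "server", "ITS")
sap = Host("sap", "restricted-server", "ITS")
```

Each decision carries the reason drawn from the table, which is what an auditor checking a firewall change request against the policy needs to see.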


10.  Procedures

  1. Outbound Internet connections exemption.
  2. Addhost registration procedures (doc 63kb).

11.  Amendment History

Policy Information

Title of Policy: Monash University Network Access Control Policy
Policy Reference: UNITPOL 03/03
Author: Christian Wilson, ITS Security Manager
Central Registry File No.: RMO2003/0438

Approval Process

Authorising Body:
  ITS Directors’ Group – Meeting No. N/A; Meeting Date N/A; Agenda Item N/A
  UNITPOL – Meeting No. 01/03; Meeting Date 6 March 2003; Agenda Item 4.3

Policy effective on: 6 March 2003
Policy expires on: 6 June 2007
Policy next reviewed on: 6 March 2006
Related ITS regulations:
Comments: