Network Access Control Policy
Please note that this policy has not yet been revised or converted to the new format.
1. Preamble
A key principle underpinning a high standard of IT Security is that access to computer network resources should be authorised on a ‘need to use’ basis. Historically, most computers connected to the University network have had full access to almost every other computer on the University network, and most staff computers have had full access to the Internet. The risk of compromise to Monash University computers can be reduced significantly without affecting normal use if the machines are segregated on the network according to their usage requirements.
2. Purpose
The purpose of the Network Access Control Policy is to define a set of computer connection classes, designed to minimise the exposure to Monash University from destruction, theft and loss of data (eg. confidentiality and privacy), disruption to business operations, and damage to the University’s image which may follow from unauthorised use of its electronic resources.
The Network Access Control Policy defines the roles of Servers, Internet Servers and Client Computers when connected to the University’s network and defines the permissible communication flows between them.
3. Policy Status
Approved UNITPOL
4. Responsible Officer
Executive Director, ITS.
5. Approving Body
UNITPOL
6. Definitions
| Term | Definition |
| --- | --- |
| Servers | Devices connected to the University network that provide services for others not necessarily in the same organisational unit. Servers only communicate within the University network. |
| Internet Servers | Servers which also provide computing resources for users on the Internet. |
| Proxy Server | A Server which accesses the Internet on behalf of client computers. |
| Client Computers | Any computer which is connected to the University Network that is not a Server. This includes (but is not limited to) staff user workstations, student laboratory workstations, computers connected via the Wireless LANs, VPN, and dial-up modems. Client Computers cannot communicate directly with Client Computers in other groups, nor can they communicate directly with the Internet. Client Computers can communicate with the Internet via an Internet Proxy Server. Servers which only need to provide services to a particular group (e.g. Printers) may also be classified as a client computer. |
| Class | A set, collection, group, or configuration containing members regarded as having certain attributes or traits in common; a kind or category. |
| Group | A Group might typically be "all staff in the same organisational unit", or alternatively "all student computers in the same Faculty". |
| Research Purposes | This term is defined in this policy as the need to trial and/or experiment with Internet based technologies that are new, emerging protocols or experimental software which may place a significant burden or IT security risk on the production University network. |
| Service | The kind of function that a Server provides, e.g. web services, file transfer services, print services, etc. |
| Addhost | The University-Wide Host Registration Database System |
| MDS | The Monash Directory Service – A collection of information about staff and students |
| ITS | Monash University Information Technology Services Division |
| University | Monash University |
7. Policy Scope
All users of equipment or devices connected to the University network must adhere to this policy.
8. Policy
- Most devices are Clients: The default configuration for any device connected to the University’s network is for client access.
- Client connectivity: Client Computers are permitted to communicate to any Server (other than some Restricted Servers, as per item 7 below) on the University network, and to other Client Computers in the same Group.
- Internet connectivity: The network security configuration blocks inbound and outbound Internet communications for all computers registered as Client Computers. A proxy server provides Internet connectivity for all IP protocols. If a Client Computer requires direct outbound Internet connectivity, the Outbound Client Connections exemption form (Attachment A) must be completed and sent to the ITS Service Desk for processing.
- Peer-to-peer communications: Where it is technologically impracticable for peer-to-peer communication via Proxy Server, direct Client-Client and/or Client-Internet communications may be enabled, on an individual Service case-by-case basis. Application must be made to the Executive Director, ITS for approval of such exemptions.
- Server connectivity: Servers are unable to communicate with other Servers in other groups, unless those Servers are running supporting services, eg. MDS authentication. Servers are also unable to initiate outbound connections to client computers or the Internet.
- Internet Servers: In addition, Internet Servers are able to directly communicate with the Internet. Servers must be configured via a request to the ITS IT Security Section to allow or prohibit communications between the Server and the Internet.
- Restricted Servers: Servers may be configured via a request to ITS to prohibit communications between the Server and a specified Class of Client.
- Internet Connectivity For Research: The University’s network is a production service. All computers that require Internet connectivity for research purposes will be segregated from and unable to communicate to all Client and non-internet server computers on the network.
- Communication flows: All communication flows described above and others that relate to additional network Classes are documented at section 9 of this policy.
- Registration: All Servers must be registered as such in the Addhost database. Only the requested Service(s) that the Server provides (as per its Addhost registration) will be accessible through the University firewall systems.
- Audit: The ITS IT Security Section may conduct security assessments on registered Servers at any time, and may disconnect any Servers if IT security requirements are not met as per the University’s IT Security Policy.
- Data backup: All machines that are registered as servers must have their data backed up. Refer to Data Centre Management for suggested control objectives for backing up a Server.
9. Communication Flows
| Service | Access Controls Inbound | Access Controls Outbound |
| --- | --- | --- |
| Client Class – Students | Can contact machines within same class and group; no other inbound access permitted | No direct Internet access; all Internet access via proxy server; can contact machines within the same class and group; can contact Server classes; can contact research class (when requested) |
| Client Class – Staff | Can contact machines within same class and group; no other inbound access permitted except VPN | No direct Internet access; all Internet access via proxy server; can contact machines within the same class and group; can contact Server and research classes |
| Client Class – Staff (outbound proxy exempted service) | Can contact machines within same class and group; no other inbound access permitted except VPN | Direct Internet access (outbound only); can contact machines within the same class and group; can contact Server classes |
| Server Class – Internet Servers | Can contact machines within same class and group; direct Internet access only on the particular TCP/UDP ports that are required (e.g. port 80 for a web server); can be contacted by all Student and Staff classes | No direct Internet access unless required (e.g. mirroring FTP servers, search engines, etc.); can contact machines within the same class and group; cannot contact any Client classes; cannot contact machines in other Server class groups with the exception of ITS Server class (for MDS services, email, etc.) |
| Server Class – Non Internet Servers | As above, with no Internet access | As above, with no Internet access |
| VPN users (i.e. once authenticated to VPN) | Can contact machines within same class (but will be blocked by firewall software included with VPN clients); no other inbound access permitted | No direct Internet access; can contact Client classes (staff logins via digital certificate only); all Internet access via WWW proxy server; can contact Server classes |
| Network Management Class | No inbound access permitted with the exception of dual-homed management server | No outbound access permitted with the exception of dual-homed management server |
| Wireless class (before VPN authentication) | No inbound access permitted | Outbound access only permitted to VPN server |
| Faculty/Divisional Research class | Full Internet access and Monash Internet Server access; inbound access from Client Class allowed; no other Monash access | Full Internet access and Monash Internet Server access only; no other Monash access |
| Server Class – Restricted Servers (e.g. SAP/Callista) | No student access; no Server class access aside from backup machine and integrated applications (e.g. portal, MDS machines, CRUX); see Server class; extra filtering may apply upon application of the service owner | No student access; no Server class access aside from backup machine; see Server class; extra filtering may apply upon application of the service owner |
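The flow matrix above can be held as policy-as-code so that a proposed firewall rule, an Addhost registration or an observed connection can be checked against it before it is allowed. The following is an added example, not tooling from the policy or from Monash ITS; the host names, groups and port numbers are constructed, the Proxy, VPNServer and ITSServer labels are assumed names for the proxy server, VPN server and ITS Server class, and the "unless required" outbound Internet case for Internet Servers is modelled as deny.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    cls: str                      # class label from the section 9 matrix
    group: str = ""               # organisational unit (constructed values below)
    proxy_exempt: bool = False    # staff client holding an Attachment A exemption
    required_ports: frozenset = frozenset()  # Addhost-registered service ports


INTERNET = Host("internet", "Internet")
CLIENTS = {"Students", "Staff"}
SERVERS = {"InternetServer", "NonInternetServer", "ITSServer", "Restricted"}


def permitted(src, dst, port=None):
    """True when the section 9 matrix lets src initiate a connection to dst."""
    if src.cls in CLIENTS | SERVERS and src.cls == dst.cls and src.group == dst.group:
        return True                              # same class and same group
    if src.cls in CLIENTS:
        if dst is INTERNET:                      # direct Internet only with an exemption
            return src.proxy_exempt
        if dst.cls == "Restricted":              # restricted servers: no student access
            return src.cls == "Staff"
        return dst.cls in SERVERS | {"Proxy", "Research"}
    if src.cls in SERVERS:                       # no clients, no Internet, no other
        return dst.cls == "ITSServer"            # server groups except ITS (MDS, email)
    if src.cls == "Research":
        return dst is INTERNET or dst.cls == "InternetServer"
    if src.cls == "Wireless":                    # before VPN authentication
        return dst.cls == "VPNServer"
    if src.cls == "Proxy":
        return dst is INTERNET
    if src is INTERNET:                          # inbound only on registered ports
        return (dst.cls == "InternetServer" and port in dst.required_ports) or dst.cls == "Research"
    return False                                 # Management class and anything unlisted


def audit(flows):
    """Return the (src, dst, port) flows in a ruleset or log that the policy forbids."""
    return [(s.name, d.name, p) for s, d, p in flows if not permitted(s, d, p)]


# Constructed hosts and flows for the demonstration (not real Monash systems).
STUDENT = Host("lab-pc-1", "Students", "Science")
STAFF = Host("desk-7", "Staff", "Science")
STAFF_EX = Host("desk-9", "Staff", "Arts", proxy_exempt=True)
WEB = Host("www", "InternetServer", "ITS", required_ports=frozenset({80, 443}))
FILES = Host("files", "NonInternetServer", "Science")
SAP = Host("sap", "Restricted", "Finance")
PROXY = Host("proxy", "Proxy", "ITS")
FLOWS = [(STUDENT, PROXY, 8080), (STUDENT, INTERNET, 80), (STUDENT, STAFF, 445),
         (STAFF, SAP, 3200), (STUDENT, SAP, 3200), (STAFF_EX, INTERNET, 443),
         (INTERNET, WEB, 443), (INTERNET, WEB, 22), (WEB, STUDENT, 139), (FILES, INTERNET, 80)]
```

`audit(FLOWS)` returns the six flows the matrix forbids: the student's direct Internet and cross-class connections, student access to the restricted server, an unregistered inbound port on the web server, and any server-initiated connection to a client or the Internet.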
10. Procedures
- Outbound Internet connections exemption.
- Addhost registration procedures (doc 63kb).
11. Amendment History
| Policy Information | |
| --- | --- |
| Title of Policy | Monash University Network Access Control Policy |
| Policy Reference | UNITPOL 03/03 |
| Author | Christian Wilson, ITS Security Manager |
| Central Registry File No. | RMO2003/0438 |

| Approval Process | ITS Directors’ Group | UNITPOL |
| --- | --- | --- |
| Meeting No. | N/A | 01/03 |
| Meeting Date | N/A | 6 March 2003 |
| Agenda Item | N/A | 4.3 |

| Policy effective on | 6 March 2003 |
| --- | --- |
| Policy expires on | 6 June 2007 |
| Policy next reviewed on | 6 March 2006 |
| Related ITS regulations | |
| Comments | |