OF RECORD
Policy on Requirements for Authenticated Access at Public Jacks, Public Kiosks, Wireless Networks, and Lab Computers on PennNet
Authority and Responsibility
Information Systems and Computing's Networking & Telecommunications organization
is responsible for the operation of PennNet (Penn's data networks)
and therefore has the authority and responsibility to specify requirements
for any devices connecting to PennNet. This authority extends to
requirements for authentication in access to PennNet.
Information Systems and Computing's Information Security organization is responsible
for establishing information security policies, guidelines and standards
and therefore has the authority and responsibility to specify security
requirements for access to PennNet. This authority extends to requirements
for authentication in access to PennNet.
Executive Summary
This policy specifies authentication and accounting requirements for
certain user access to PennNet. Specifically, it addresses on-campus
access to PennNet from locations or devices that are not directly
associated with a specific individual Penn user. Primary examples
are access to PennNet from public jacks, public kiosk computers,
wireless networks, and lab computers. This policy is therefore addressed
to the local computing directors and computing support personnel
responsible for these areas and/or these network jacks. This policy
document also provides related "best practice" recommendations
on configuration decisions associated with authentication and accounting.
Purpose
The purpose of this policy is to specify the minimum user authentication
and accounting requirements for access via public network jacks,
public kiosk computers, wireless networks, and lab computers attached
to PennNet.
Definitions
Public -- For the purposes of this policy document, "public"
is defined to be those campus spaces that are not in private or
semi-private offices or suites with locking doors. All outdoor locations
in which PennNet is available are also considered "public"
campus locations for the purposes of this policy document.
Kiosk -- For the purposes of this policy document, a "kiosk" computer
is a computer or similar user interface device that is available
in a public or common area and is intended for shared use by any
person in that common area. A "standalone kiosk" is one
that has no external connections to networks or telephone lines.
Risk of Non-compliance
Unauthenticated access to PennNet may in some cases allow for inadvertent exposure
of University-confidential information and may contribute to violation
of University license agreements for limited access to software
or information. Unauthenticated access can lead to illegal anonymous
activity such as harassing and threatening e-mail messages.
Scope
This policy applies to on-campus user access to PennNet from locations
or devices that are not directly associated with a specific individual
Penn user. Primary examples are access to PennNet from public jacks,
PennNet-connected public kiosk computers (standalone kiosks are
exempt), wireless networks, and lab computers. This policy is therefore
addressed to the local computing directors and computing support
personnel responsible for these areas and/or these network jacks.
Statement of Policy
1. User authentication is not required for access to computers
that are generally for the use of one individual, and that are located
in locked, private offices. Authentication is also not required
in locked office suites if each computer requires some form of access
control (such as a password protected screen saver) to gain access.
2. Access to PennNet in computer labs on campus must require user authentication.
3. Access to PennNet from newly deployed, unrestricted kiosk computers
must require user authentication. Access to PennNet from unrestricted
kiosks deployed before the effective date of this policy must require
user authentication by September 1, 2002 (assuming thorough supporting
infrastructure committed to by January 15, 2002 for deployment by
March 15, 2002). Authentication is not required at restricted-access
kiosks which provide reasonable controls to ensure that users:
- Can not change security-sensitive settings.
- Can not alter the reboot process or the operating environment.
- Can not use arbitrary remote applications or services.
- Can not initiate connections to arbitrary networked resources.
- Can not send electronic messages including, but not limited to, e-mail,
news group postings, and instant messages.
4. Access to PennNet at network jacks in "public" campus
locations must require user authentication by September 1, 2002
(assuming thorough supporting infrastructure committed to by January
15, 2002 for deployment by March 15, 2002).
5. Access to PennNet via wireless local area networks must require
user authentication by September 1, 2002 (assuming thorough supporting
infrastructure committed to by January 15, 2002 for deployment by
March 15, 2002).
6. Records of access must be retained for at least six months. Logs
must include at least the identity of the user, IP address, and
the date and time of the connection.
7. The user namespace used for authentication must be fully PennNames
compliant (Please see www.upenn.edu/computing/policy/).
Recommendations and Best Practices
The following related practices are strongly recommended by ISC:
- So that time-stamped log entries are accurate, use of reliable time
synchronization protocols, such as Network Time Protocol (NTP),
is encouraged.
- Until scalable user authentication for wireless networks is practical,
access to PennNet via wireless local area networks should be configured
to attempt to limit user access to authorized Penn users through
one of the available approaches. At the time of writing of this
policy document, some current approaches are limits by Media Access
Control (MAC) address, limits via Closed Group Service Sets, and
Service Set password protection. These approaches are supported
by the most popular access points, including, for example, Apple
Airport, Avaya WaveLan, Cisco Aironet, and many others.
- Computer labs are encouraged to use the ISC authentication modules for
Windows NT and Windows 2000 whenever possible to enforce authentication.
Public kiosk computers connected to PennNet may also be able to
use the available ISC authentication modules for Windows NT and
Windows 2000. [Assuming that a MacOS X authentication module becomes
available during spring of 2001, this will be recommended as a
best practice as well].
- Public labs should be staffed whenever practical, and require that users show
PennCards or use a PennCard card swipe to gain entry.
- Obtain temporary network authentication credentials for short-term visitors
needing access to on-line Penn resources during their stay. It
is recommended that credentials be created with the minimal lifetime
sufficient to cover the need. The procedure, including sponsorship
requirements and fees, is described at www.isc-net.upenn.edu/policy/supporting/guestpas.html.
- Position lab and public kiosk computers to be within view of security cameras
when possible.
Compliance
A. Verification: ISC reserves the right to review the access
control implementation for computers, servers, and services that
provide user access to PennNet.
B. Notification: Notification shall be made to the LSP for the
area.
C. Remedy: Remedy will be the re-configuration of the computer,
server or service to require appropriate authentication and access
control as per this policy. ISC will offer consulting assistance
to the operator of the computer, server or service where possible
in order to bring the access control into compliance as quickly
as possible.
D. Financial Implications: Costs associated with the implementation
of authenticated access control are the responsibility of the computer,
server or service operator.
Please see the Policy on Troubleshooting Charges for Violations of PennNet
Policies at www.isc-net.upenn.edu/policy/trfees.html
for information on additional fees that may be assessed to cover
the costs incurred in troubleshooting related to violations of this
policy.
E. Responsibility: Responsibility for remedy lies with the provider
of the computer, server or service.
F. Time Frame: Non-compliant devices must be remedied within
two weeks of first notification from ISC Information Security, unless
a special waiver is granted.
G. Enforcement: Please see the Policy on Computer Disconnection
from PennNet at www.upenn.edu/computing/policy/disconnect.html.
H. Appeals: Please see the Appeals section of the Policy on
Computer Disconnection from PennNet at www.upenn.edu/computing/policy/disconnect.html.
References
Policy on Computer Disconnection from PennNet at www.upenn.edu/computing/policy/disconnect.html.
PennNames documentation at www.upenn.edu/computing/pennnnames/.
Network Time Protocol (NTP) reference material.
--Information Systems and Computing, Information Security
--Information Systems and Computing, Networking & Telecommunications
Almanac, Vol. 48, No. 12, November 13, 2001