OF RECORD


Policy on Requirements for Authenticated Access at Public Jacks, Public Kiosks, Wireless Networks, and Lab Computers on PennNet

Authority and Responsibility

Information Systems and Computing's Networking & Telecommunications organization is responsible for the operation of PennNet (Penn's data networks) and therefore has the authority and responsibility to specify requirements for any devices connecting to PennNet. This authority extends to requirements for authentication in access to PennNet.

Information Systems and Computing's Information Security organization is responsible for establishing information security policies, guidelines and standards and therefore has the authority and responsibility to specify security requirements for access to PennNet. This authority extends to requirements for authentication in access to PennNet.

Executive Summary

This policy specifies authentication and accounting requirements for certain user access to PennNet. Specifically, it addresses on-campus access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public jacks, public kiosk computers, wireless networks, and lab computers. This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks. This policy document also provides related "best practice" recommendations on configuration decisions associated with authentication and accounting.

Purpose

The purpose of this policy is to specify the minimum user authentication and accounting requirements for access via public network jacks, public kiosk computers, wireless networks, and lab computers attached to PennNet.

Definitions

Public -- For the purposes of this policy document, "public" is defined to be those campus spaces that are not in private or semi-private offices or suites with locking doors. All outdoor locations in which PennNet is available are also considered "public" campus locations for the purposes of this policy document.

Kiosk -- For the purposes of this policy document, a "kiosk" computer is a computer or similar user interface device that is available in a public or common area and is intended for shared use by any person in that common area. A "standalone kiosk" is one that has no external connections to networks or telephone lines.

Risk of Non-compliance

Unauthenticated access to PennNet may in some cases allow for inadvertent exposure of University-confidential information and may contribute to violation of University license agreements for limited access to software or information. Unauthenticated access can lead to illegal anonymous activity such as harassing and threatening e-mail messages.

Scope

This policy applies to on-campus user access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public jacks, PennNet-connected public kiosk computers (standalone kiosks are exempt), wireless networks, and lab computers. This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks.

Statement of Policy

1. User authentication is not required for access to computers that are generally for the use of one individual, and that are located in locked, private offices. Authentication is also not required in locked office suites if each computer requires some form of access control (such as a password protected screen saver) to gain access.

2. Access to PennNet in computer labs on campus must require user authentication.

3. Access to PennNet from newly deployed, unrestricted kiosk computers must require user authentication. Access to PennNet from unrestricted kiosks deployed before the effective date of this policy must require user authentication by September 1, 2002 (assuming thorough supporting infrastructure committed to by January 15, 2002 for deployment by March 15, 2002). Authentication is not required at restricted-access kiosks that provide reasonable controls to ensure that users:

  • Cannot change security-sensitive settings.
  • Cannot alter the reboot process or the operating environment.
  • Cannot use arbitrary remote applications or services.
  • Cannot initiate connections to arbitrary networked resources.
  • Cannot send electronic messages including, but not limited to, e-mail, news group postings, and instant messages.

4. Access to PennNet at network jacks in "public" campus locations must require user authentication by September 1, 2002 (assuming thorough supporting infrastructure committed to by January 15, 2002 for deployment by March 15, 2002).

5. Access to PennNet via wireless local area networks must require user authentication by September 1, 2002 (assuming thorough supporting infrastructure committed to by January 15, 2002 for deployment by March 15, 2002).

6. Records of access must be retained for at least six months. Logs must include at least the identity of the user, IP address, and the date and time of the connection.

7. The user namespace used for authentication must be fully PennNames compliant (Please see www.upenn.edu/computing/policy/).
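The accounting requirement in statement 6 (identity, IP address, date and time per connection; records kept at least six months) lends itself to a routine audit. The script below is an added illustration, not ISC's tooling, and assumes a constructed key=value log format and ISO-8601 UTC timestamps; it flags records missing any required field or carrying a malformed value, and it only marks a record as eligible for deletion once it is older than the retention window, so a purge job built on it cannot shorten the six-month minimum.

```python
"""Audit PennNet access-accounting records against policy statement 6.

Added example (not ISC code). Assumes one record per line in a constructed
'key=value key=value' format with an ISO-8601 UTC 'time' field.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

REQUIRED_FIELDS = ("user", "ip", "time")   # identity, IP address, date/time
RETENTION = timedelta(days=183)            # "at least six months"; 183 days is an assumed approximation

# Constructed sample records, not taken from the policy or any real log.
SAMPLE_LOG = """\
time=2001-11-13T09:15:02Z user=jdoe ip=165.123.34.10 port=2 site=lab-101
time=2001-11-13T09:16:45Z user= ip=165.123.34.11 port=3 site=lab-101
time=2001-11-13T09:17:10Z user=asmith ip=999.1.1.1 port=4 site=kiosk-2
time=2001-11-13T09:18:00Z user=bjones port=5 site=public-jack-7
time=2001-04-01T12:00:00Z user=cwong ip=165.123.34.12 port=6 site=lab-101
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Split one 'key=value key=value' line into a dict (empty values allowed)."""
    return dict(KV_RE.findall(line))


def parse_time(stamp):
    """Parse a timestamp like 2001-11-13T09:15:02Z as UTC; None if malformed."""
    try:
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def record_problems(rec):
    """Return the list of policy problems for one record; an empty list means compliant."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("ip"):
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            problems.append("invalid ip")
    if rec.get("time") and parse_time(rec["time"]) is None:
        problems.append("malformed time")
    return problems


def may_purge(rec, now):
    """True only when the record is older than the retention window.

    A record with a missing or malformed time is never purgeable, because its
    age cannot be established.
    """
    t = parse_time(rec.get("time", ""))
    return t is not None and t < now - RETENTION


def audit(log_text, now):
    """Return (compliant record count, {line_no: problems}, purgeable line numbers)."""
    ok, findings, purgeable = 0, {}, []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        probs = record_problems(rec)
        if probs:
            findings[n] = probs
        else:
            ok += 1
        if may_purge(rec, now):
            purgeable.append(n)
    return ok, findings, purgeable


if __name__ == "__main__":
    now = parse_time("2001-11-13T12:00:00Z")
    count, problems, old = audit(SAMPLE_LOG, now)
    print(f"compliant: {count}")
    for line_no, probs in problems.items():
        print(f"line {line_no}: {', '.join(probs)}")
    print(f"older than retention window: {old}")
```

Run against the constructed sample with the clock set to the policy's publication date, lines 2, 3 and 4 are reported (empty user, unparseable IP, missing IP) and only the April record is old enough to purge; the field list and retention length are the two values to adjust if the local log format or the policy's numbers change.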

Recommendations and Best Practices

The following related practices are strongly recommended by ISC:

  1. So that time-stamped log entries are accurate, use of reliable time synchronization protocols, such as Network Time Protocol (NTP), is encouraged.
  2. Until scalable user authentication for wireless networks is practical, access to PennNet via wireless local area networks should be configured to limit user access to authorized Penn users through one of the available approaches. At the time of writing this policy document, some current approaches are limits by Media Access Control (MAC) address, limits via Closed Group Service Sets, and Service Set password protection. These approaches are supported by the most popular access points, including, for example, Apple Airport, Avaya WaveLan, Cisco Aironet, and many others.
  3. Computer labs are encouraged to use the ISC authentication modules for Windows NT and Windows 2000 whenever possible to enforce authentication. Public kiosk computers connected to PennNet may also be able to use the available ISC authentication modules for Windows NT and Windows 2000. [Assuming that a MacOS X authentication module becomes available during spring of 2001, this will be recommended as a best practice as well].
  4. Public labs should be staffed whenever practical, and require that users show PennCards or use a PennCard card swipe to gain entry.
  5. Obtain temporary network authentication credentials for short-term visitors needing access to on-line Penn resources during their stay. It is recommended that credentials be created with the minimal lifetime sufficient to cover the need. The procedure, including sponsorship requirements and fees, is described at www.isc-net.upenn.edu/policy/supporting/guestpas.html.
  6. Position lab and public kiosk computers to be within view of security cameras when possible.

Compliance

A. Verification: ISC reserves the right to review the access control implementation for computers, servers, and services that provide user access to PennNet.

B. Notification: Notification shall be made to the LSP for the area.

C. Remedy: Remedy will be the re-configuration of the computer, server or service to require appropriate authentication and access control as per this policy. ISC will offer consulting assistance to the operator of the computer, server or service where possible in order to bring the access control into compliance as quickly as possible.

D. Financial Implications: Costs associated with the implementation of authenticated access control are the responsibility of the computer, server or service operator.

Please see the Policy on Troubleshooting Charges for Violations of PennNet Policies at www.isc-net.upenn.edu/policy/trfees.html for information on additional fees that may be assessed to cover the costs incurred in troubleshooting related to violations of this policy.

E. Responsibility: Responsibility for remedy lies with the provider of the computer, server or service.

F. Time Frame: Non-compliant devices must be remedied within two weeks of first notification from ISC Information Security, unless a special waiver is granted.

G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at www.upenn.edu/computing/policy/disconnect.html.

H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at www.upenn.edu/computing/policy/disconnect.html.

References

Policy on Computer Disconnection from PennNet at www.upenn.edu/computing/policy/disconnect.html.

PennNames documentation at www.upenn.edu/computing/pennnnames/.

Network Time Protocol (NTP) reference material.

--Information Systems and Computing, Information Security

--Information Systems and Computing,
Networking & Telecommunications


Almanac, Vol. 48, No. 12, November 13, 2001
