I. Title

A. Name: Policy on Requirements for Authenticated Access at Public Jacks, Kiosks, Wireless Networks, and Lab Computers on PennNet

B. Number: 20010910-netauth

C. Author(s): J.Bauer (SEAS, ISC Networking), D.Kassabian (ISC Networking), D.Millar (ISC Information Security), M.Robinson (Wharton Computing)

D. Status:

[ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2000-09-20

F. Date revised: 2004-01-12

G. Date approved: 2001-09-10, 2004-01-12

H. Effective date: 2004-01-12


II. Authority and Responsibility

Information Systems and Computing is responsible for the operation of Penn's data networks (PennNet) as well as the establishment of information security policies, guidelines, and standards. It therefore has the authority and responsibility to specify requirements for access to PennNet. This authority extends to requirements for authentication in access to PennNet.

III. Executive Summary

This policy specifies authentication and accounting requirements for certain user access to PennNet. Specifically, it addresses access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public network jacks, kiosk computers, wireless networks, and lab computers. This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks. This policy document also provides related "best practice" recommendations on configuration decisions associated with authentication and accounting.

IV. Purpose

The purpose of this policy is to specify the minimum user authentication and accounting requirements for access via public network jacks, kiosk computers, wireless networks, and lab computers attached to PennNet.

These requirements will help provide accountability for the actions of potentially unknown users while on Penn's network.

V. Definitions

Public - For the purposes of this policy document, "public" is defined to be those campus spaces that are not in private or semi-private offices or suites with locking doors. All outdoor locations in which PennNet is available are also considered "public" campus locations for the purposes of this policy document.

Public Network Jack - For the purposes of this policy document, a "public network jack" is defined as an unsupervised network jack in a public area with the intention of providing walk-up network service to the individuals in that public area.

Kiosk - For the purposes of this policy document, a "kiosk" computer is a limited function computer or similar user interface device that is connected to PennNet, available in a public or common area and is intended for shared use by any person in that common area.

VI. Risk of Non-compliance

Unauthenticated access to PennNet may allow inadvertent exposure of University-confidential information and may contribute to violations of University license agreements that restrict access to software or information. Because it leaves no accountable identity behind, unauthenticated access can also enable anonymous illegal activity, such as harassing and threatening e-mail messages, that cannot be traced to a responsible user.

VII. Scope

This policy applies to user access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public network jacks, wireless networks, lab computers, and PennNet-connected kiosk computers. Standalone kiosks which do not connect to PennNet or can only connect to authenticated network services are exempt.

This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks.

VIII. Statement of policy

  1. Access to PennNet in computer labs on campus must require user authentication.
  2. Access to PennNet from kiosk computers must require user authentication. Access to PennNet from kiosks deployed before the effective date of this policy must require user authentication by September 1, 2004.
  3. Access to PennNet at public network jacks must require user authentication by September 1, 2004 (assuming that the supporting infrastructure is committed to by January 15, 2004 and deployed by March 15, 2004).
  4. Access to PennNet via wireless local area networks must require user authentication. Existing wireless LANs that rely on MAC address authentication (as allowed in previous versions of this policy) must be converted to user authentication by September 1, 2004 (assuming that the supporting infrastructure is committed to by January 15, 2004 and deployed by March 15, 2004). MAC address authentication identifies only a hardware address, which is trivially spoofed and is not tied to an individual user.
  5. Records of access must be retained for at least 60 days. Logs must include at least the identity of the user, IP address, and the date and time of the connection.
  6. The user namespace used for authentication must be fully PennNames compliant (please see the PennNames documentation at http://www.upenn.edu/computing/pennnames/).

IX. Recommendations and Best Practices

The following related practices are strongly recommended by ISC:

  1. Use a reliable time synchronization protocol, such as Network Time Protocol (NTP), on all devices that produce access logs, so that time-stamped log entries are accurate and can be correlated across systems.
  2. Computer labs are encouraged to use the ISC authentication modules for supported Windows operating system versions whenever possible to enforce authentication. Kiosk computers connected to PennNet may also be able to use the available ISC authentication modules for supported Windows operating system versions. Assuming that a MacOS X authentication module becomes available during spring of 2004, this will be recommended as a best practice as well.
  3. Public labs should be staffed whenever practical, and require that users show PennCards or use a PennCard card swipe to gain entry.
  4. Obtain temporary network authentication credentials for short-term visitors needing access to online Penn resources during their stay. It is recommended that credentials be created with the minimal lifetime sufficient to cover the need. The procedure, including sponsorship requirements and fees, is described on the PennKey web site at http://www.upenn.edu/computing/pennkey/.
  5. Position lab and kiosk computers to be within view of security cameras when possible.

X. Compliance

A. Verification: ISC reserves the right to review the access control implementation for computers, servers, and services that provide user access to PennNet.

B. Notification: Notification shall be made to the LSP for the area.

C. Remedy: Remedy will be the re-configuration of the computer, server or service to require appropriate authentication and access control as per this policy. ISC will offer consulting assistance to the operator of the computer, server or service where possible in order to bring the access control into compliance as quickly as possible.

D. Financial Implications: Costs associated with the implementation of authenticated access control are the responsibility of the department, individual, school, or center providing the service.

Please see the Policy on Troubleshooting Charges for Violations of PennNet Policies at http://www.isc-net.upenn.edu/policy/approved/20020827-troubleshooting.html for information on additional fees that may be assessed to cover the costs incurred in troubleshooting related to violations of this policy.

E. Responsibility: Responsibility for remedy lies with the provider of the computer, server or service.

F. Time Frame: Non-compliant devices must be remedied within two weeks of first notification from ISC Information Security, unless a special waiver is granted.

G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html

H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html

XI. References