A. Name: Policy on the Operation of Private Remote Access Services Connecting to PennNet
B. Number: 20011008-remoteaccess
C. Author(s): M. Muth (Wharton), M. Wehrle (ISC Networking), K. McDonnell (Law)
D. Status: [ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete
E. Date proposed: 2000-10-18
F. Date revised:
G. Date approved: 2001-10-08
H. Effective date: 2001-10-08
II. Authority and Responsibility
Information Systems and Computing's Information Security organization is the organization at the University of Pennsylvania that has responsibility for addressing network security matters on PennNet. This authority extends to the recommendation of good security practices and subsequent investigation of any unauthorized access to or misuse of PennNet.
III. Executive Summary
This policy specifies the requirements for operation of private remote access services connecting to PennNet, specifically modems and modem pools.
The purpose of this policy is to provide operational requirements that will ensure authenticated and authorized access to PennNet via remote access services like modems and modem pools. It will also ensure that any security investigations that involve access to these services can be carried out with the aid of uniform and sufficient logging information.
Modem: Acronym for MOdulator DEModulator. A device that sends digital data signals over the analog PSTN (Public Switched Telephone Network). It permits users to access networks such as PennNet or the Internet, or to access hosts, from remote locations.
Modem pool: a group of modems that a user can dial into or out of from his/her computer. A modem pool can provide multiple user access to a network or a group of hosts.
Network access: access to a network of hosts.
Host access: access to a single host, as would be provided by software such as a remote control application.
ISDN: Acronym for Integrated Services Digital Network. A means to provide higher speed network access over the PSTN.
VI. Risk of Non-compliance
If remote access services are not run according to these requirements, unauthorized and/or unauthenticated persons may gain access to PennNet and other University resources and information. If access is not logged according to these requirements, ISC Information Security may not be able to carry out investigations.
This policy applies to devices such as dial-up modems that use PSTN lines, and ISDN lines, which can provide direct access to PennNet, or to PennNet-attached computers in the case of remote computing control applications.
VIII. Statement of policy
IX. Recommendations and Best Practices
B. Notification: Notification shall be made to the LSP for the area. Whenever possible and practical, the administrator of the remote access service will also be notified.
C. Remedy: Remedy may be an immediate removal of the service from the network, depending on the severity of the operational impact and security risk to PennNet. Information Security will offer assistance to the systems administrator or LSP for the area in correcting security problems, after which the device may be re-connected to the network and/or normal service restored.
D. Financial Implications: Because the remote access device or host that connects this service to PennNet is considered a critical host, the department or unit owning the critical host shall bear the costs of ensuring compliance with this policy.
E. Responsibility: Responsibility for remedy lies with the system administrator and/or remote access service owner.
F. Time Frame: The actual time interval will depend on the severity of the security risk to PennNet. Non-compliant remote access services must either be remedied within thirty days of notification of the support person, or must be removed from PennNet.
G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html, and the Critical PennNet Host Security Policy at http://www.net.isc.upenn.edu/policy/approved/20000530-hostsecurity.html
H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html