Differences

This shows you the differences between two versions of the page.

--- computing:policies:network_connection [2009/10/08 23:27] – allan
+++ computing:policies:network_connection [2021/01/11 09:35] (current) – cse-sull0153
@@ Line 1: / Line 1: @@
-====== Network Security Policy ======
+====== PAN Network Security Policy ======
-Draft - September 2009
 =====  Required for all network-connected devices =====
+  - All systems connected to the PAN network must be running an operating system which is still supported by its vendor for security updates.
-  - All systems connected to the School network((The School network encompasses all network jacks within Tate Lab. All subnets used by groups within the School are considered to be part of the School network)) must be running an operating system which is still supported by its vendor for security updates.
+    * For example, (at the time of writing) the minimum acceptable version of Windows is Windows 10. Windows 95, 98, ME, NT, 2000, 7, and XP are not acceptable, and cannot be connected to our network.
-    * For example, the minimum acceptable version of Windows is XP with SP2. Windows 95, 98, ME, NT and 2000 are not acceptable, and cannot be connected to our network.
+    * Apple generally provide support for two concurrent OS releases, __for example__ when 10.6 is available then 10.5 is also supported but 10.4 becomes unsupported and so unacceptable by this policy.
-    * Apple generally provide support for two concurrent OS releases, for example when 10.6 is available then 10.5 is also supported but 10.4 becomes unsupported and so unacceptable by this policy.
     * The same overall requirement applies to Unix, Linux, and other systems such as embedded data acquisition devices.
   - Only one device may be connected to any physical network port. No hubs, switches, wireless access points or routing devices may be connected, directly or indirectly, without prior discussion with and agreement from School computing staff.
-  - Non-departmentally-managed systems may not inhabit the same network subnet as departmentally-managed systems.
+  - Non-departmentally-managed systems (User Managed Hosts - UMH) may not inhabit the same network subnet as departmentally-managed systems.
+  - **Data Security**
-==== Data security ====
+    - For any Windows or Macintosh computers which you connect to the School network:
+      - You **must** install and run antivirus software.
-  - For any Windows or Macintosh computers which you connect to the School network:
+      - You **must** install firewall software and configure it to prevent unrestricted connections.
-    - You must install the Bigfix software agent on any Windows or Macintosh computers which you connect to the School network. Please see our [[computing:policies:bigfix:home|Bigfix information page]] for more details.
+    - Strong passwords must be used for all accounts.
-    - You must install antivirus software on any general-purpose Windows or Macintosh computers which you connect to the School network.
+    - All systems are subject to regular network security evaluation. Systems which are found to be non-compliant will be removed from the network if not corrected.
-    - You must install and enable firewall software on any general-purpose Windows or Macintosh computers which you connect to the School network.
+  - Only university/grant owned equipment may be connected. ((exceptions may be granted in exceptional cases))
-  - Strong passwords must be used for all accounts.
+    * Personal laptops are not eligible for wired network connections. The University does provide wireless networks, which they may use.
-  - All systems are subject to regular network security evaluation. Systems which are found to be non-compliant will be removed from the network if not corrected.
-Some more information about available options for antivirus and firewall software can be found here: [[computing:software:antivirus]]
-==== Exception mechanism ====
+===== Exception mechanism =====
-If you cannot meet the above criteria, or do not wish to install the Bigfix client or antivirus software, your computer will be placed on a separate protected network segment. You must also declare that the computer will not be used to store or process any University private data. It may not be registered for a static ip address and will be given limited access to the following departmental resources:
+If you cannot meet the above criteria, or do not wish to install the required antivirus software, your computer must be placed on a separate protected network segment. For example, you may have a lab data acquisition or control system, where a software update and reboot may be unacceptable. You must declare that such a system will not be used to store or process any University private data. By default, it may not receive incoming network connections, and will be given limited access to the following School resources:
-  * Department web sites, mail services, and secure shell.
+  * Network connections are only allowed to/from University networks.
-  * Printing, either via the School's file/print server, CUPS, or port 9100 ("jetdirect").
+  * Printing
+We are able to set up specific protected networks for research groups, which can have custom access controls, for example, to connect to lab data acquisition and control systems

User Tools

Differences

Page Tools