I. Title

A. Name: Policy on the Operation of Private Remote Access Services Connecting to PennNet

B. Number: 20011008-remoteaccess

C. Author(s): M. Muth (Wharton), M. Wehrle (ISC Networking), K. McDonnell (Law)

D. Status: [ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2000-10-18

F. Date revised:

G. Date approved: 2001-10-08

H. Effective date: 2001-10-08

II. Authority and Responsibility

Information Systems and Computing's Information Security organization is the organization at the University of Pennsylvania that has responsibility for addressing network security matters on PennNet. This authority extends to the recommendation of good security practices and subsequent investigation of any unauthorized access to or misuse of PennNet.

III. Executive Summary

This policy specifies the requirements for operation of private remote access services connecting to PennNet, specifically modems and modem pools.

IV. Purpose

The purpose of this policy is to provide operational requirements that will ensure authenticated and authorized access to PennNet via remote access services like modems and modem pools. It will also ensure that any security investigations that involve access to these services can be carried out with the aid of uniform and sufficient logging information.

V. Definitions

Modem: Acronym for MOdulator DEModulator. A device that sends digital data signals over the analog PSTN (Public Switched Telephone Network). Permits users to access networks such as PennNet or the Internet, or access to hosts, from remote locations.

Modem pool: a group of modems that a user can dial into or out of from his/her computer. A modem pool can provide multiple user access to a network or a group of hosts.

Network access: access to a network of hosts

Host access: access to a single host, as would be provided by software such as a remote control application.

ISDN: Acronym for Integrated Services Digital Network. A means to provide higher speed network access over the PSTN.

VI. Risk of Non-compliance

If remote access services are not run according to these requirements, unauthorized and/or unauthenticated persons may gain access to PennNet and other University resources and information. If access is not logged according to these requirements, ISC Information Security may not be able to carry out investigations.

VII. Scope

This policy applies to devices such as dial-up modems that use PSTN lines, and ISDN lines, which can provide direct access to PennNet, or PennNet-attached computers in cases of a remote computing control applications.

VIII. Statement of policy

  1. In accordance with the Policy on Acceptable Use of Electronic Resources at http://www.upenn.edu/computing/policy/aup.html, making University computing resources available to individuals not affiliated with the University of Pennsylvania without approval of an authorized University official is prohibited.
  2. Remote access services must authenticate the user connecting to the service.
  3. The names used for authentication must be registered in the Penn authentication database.
  4. Any host involved in the authentication process must be in compliance with the Critical PennNet Host Security Policy.
  5. The following information must be logged for each connection:
    a. A unique key found in the Penn authentication database
    b. Login and logout times
    c. Modem or port logged into
    d. Associated PennNet IP address of the modem or host/port modem is plugged into
  6. Each remote access device used to provide network access must have its own PennNet hostname registered in accordance with the Policy on the use of PennNet IP address space at http://www.net.isc.upenn.edu/policy/approved/20000124-ipaddress.html.

IX. Recommendations and Best Practices

  1. Use of an Internet Service Provider (ISP) in place of operating a private modem pool is strongly recommended. Modem pool operating costs can be prohibitive.
  2. Use of the Campus Authentication System is highly recommended.
  3. An authorization step is recommended in order to limit use of the remote access services to intended users of the service.
  4. Logging or registration of originating phone number for each connection is recommended.

X. Compliance

 
A. Verification: Information Security will actively use security scanners annually to scan all critical systems. Note that ISC does not plan to actively police the network in an effort to discover non-compliant remote access services, but will act on those discovered during the normal course of events in operating and/or troubleshooting the network.

B. Notification: Notification shall be made to the LSP for the area. Whenever possible and practical, the administrator of the remote access service will also be notified.

C. Remedy: Remedy may be an immediate removal of the service from the network, depending on the severity of the operational impact and security risk to PennNet. Information Security will offer assistance to the systems administrator or LSP for the area in correcting security problems, after which the device may be re-connected to the network, and or normal service restored.

D. Financial Implications: Because the remote access device or host that connects this service to PennNet is considered a critical host, the department or unit owning the critical host shall bear the costs of ensuring compliance with this policy.

E. Responsibility: Responsibility for remedy lies with the system administrator and/or remote access service owner.

F. Time Frame: The actual time interval will depend on the severity of the security risk to PennNet. Non-compliant remote access services must either be remedied within thirty days of notification of the support person, or must be removed from PennNet.

G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html, and the Critical PennNet Host Security Policy at http://www.net.isc.upenn.edu/policy/approved/20000530-hostsecurity.html

H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html

XI. References