Net policy
Regional Computing Center administrative directive dated 19 January 2005
As director of the Regional Computer Center, I hereby issue the following guidelines for the operation and use of Universität Hamburg’s communication infrastructure (hereinafter referred to as Universität Hamburg’s Net Policy, or Net Policy), as agreed by the Executive University Board on 16 December 2004, as an administrative directive.
Prof. Dr. Karl Kaiser
Directives for the operation and use of Universität Hamburg communication infrastructure
Preamble
University development is based on research, teaching, and shared administrative functions. These are increasingly reliant on secure and highly available communication structures. Therefore, the task of keeping digital information flows and global communication functional, secure, and fit for purpose is also increasingly important. This requires that organizational measures be found and the accompanying functional and technical infrastructure components be provided. The focus is thus on ensuring operation that is free from interruption and disruption, ensuring uniform and universal basic services, and introducing new, innovative services.
The basic rules formulated here for planning, expanding, and operating the communication infrastructure are required to ensure the least possible interruption to the operation of these essential services and to counteract the ever increasing number of potential threats to the system.
1 Scope
This Net Policy is binding for all users connected to the Universität Hamburg communication network and for all institutions, departments, and other facilities (hereinafter referred to as Institutions) indirectly connected. The Net Policy is automatically binding for Institutions that connect to the Universität Hamburg communication network in the future.
The Universität Hamburg communication network includes all passive and active components of the primary, secondary, and tertiary cable network, as well as network-based services (domain name systems, [DNS], dynamic host configuration protocol [DHCP], remote authentication dial-in user service [RADIUS], IP-routing and network management) to support and maintain IT communication and all interfaces that connect with other (external) communication networks.
2 RRZ duties
2.1 Planning and operating the communication network
The responsibility for the Universität Hamburg communication network, its external connections, and access points rests exclusively with the Regional Computing Center (RRZ) at Universität Hamburg. This responsibility includes the planning, expansion, maintenance, and operation of the communication network. This includes, in particular, the following tasks:
a. Operation of the communication network—for this purpose: administration of network resources and provision of network-based systems for electronic communication
- planning and coordination of expansion and maintenance
- support for institutions when using the communication network
- processing of security-relevant incidents in the Universität Hamburg communication network and coordination of defense mechanisms
- review of contractual obligations for providers and other contractual partners arising in connection with the communication network.
2.2 Priority of duties
As a rule, when using staff and financial resources, the following priorities apply:
- provision of the communication network and maintaining disruption- and interruption-free operation of the network
- planning and coordination of communication network expansion and maintenance aimed at providing a uniform service to as broad a public as possible
- planning and coordination of communication network expansion and maintenance aimed at expanding the existing basic network services
- special duties for Universität Hamburg and provision of services for third parties.
2.3 Specification of duties
The RRZ may specify the duties listed above more precisely by issuing additional rules and regulations.
2.4 Delegation of duties
The RRZ may delegate subtasks to Institutions only in consultation and upon application by the institutions to the head of the RRZ. The RRZ retains the right to issue directives in such cases. If the delegated duties are perceived as unreasonable and thus compromise the operation of the communication network, RRZ staff are entitled to informally withdraw the delegation at any time, until a clarification or a new decision is issued by the RRZ management.
2.5 Development of the Net Policy and interim provisions
Where required, the Senate Committee for Data Processing (Senatsausschuß für Datenverarbeitung, SenA-DV) may issue a revised Net Policy in consultation with the RRZ. In urgent cases, the RRZ may release interim provisions.
3 Communication network duties for connected Institutions
3.1 Recognition of the Net Policy
Use of the Universität Hamburg communication network constitutes recognition of the Net Policy. Specifically, this means that there is an obligation to act in accordance with the Net Policy and to refrain from preventing the implementation of the above-listed tasks.
3.2 Cooperation with the RRZ
The Institutions are obligated to cooperate with the RRZ for delegated duties. In particular, Institutions are required to actively assist in planning and maintenance work, to help remove disruptions, and to pursue security issues.
3.3 Performance of delegated duties
Institutions are responsible for executing the duties delegated to them by the RRZ. In addition, they must inform the RRZ immediately of any problems that arise, particularly when this involves a disruption of the network The RRZ will then assist with fulfilling the delegated duties, to the extent it is able, or undertake these duties itself. Delegation of these duties to third parties is only permissible with the RRZ’s approval.
Institutions to whom duties have been delegated are additionally obligated to implement the appropriate staffing, organizational, and technical measures required to support the staff assigned to fulfilling those duties.
3.4 Advising users
All Institutions connected to the Universität Hamburg communication network are obligated to inform their members (Institution members, students) and guests of the content of this Net Policy. It must be made clear to users:
- which measures must be used according to current technology to support the above-listed goals (in terms of supporting the fulfillment of the duties),
- which courses of action must be avoided in order to protect these goals, and
- that breaches of this Net Policy will result in a ban on using the Universität Hamburg communication network.
4 Breaches of the Net Policy
4.1 RRZ measures
In remedying disruptions and implementing valid regulations, the RRZ may exclude individual systems, users, groups, or Institutions from using the communication network. The RRZ must inform the affected parties (in some cases, indirectly); in severe cases, written notice will be sent to the Institution.
4.2 Measures for delegated duties
Institutions to whom the RRZ has delegated duties are responsible for implementing appropriate measures to ensure its members neither prevent the Institution from fulfilling its duties nor otherwise violate the goals of this Net Policy. RRZ management must be informed of any breaches.
4.3 Cooperation with law enforcement agencies
Within the framework of statutory provisions, the RRZ will coordinate cooperation with law enforcement authorities in consultation with the Universität Hamburg legal department. Institutions working directly on an incident must inform the RRZ.
4.4 Appeals
Complaints involving differences of opinion on the objectives, priorities, or duties in this Net Policy as well as the measures resulting from it may by submitted to the RRZ management. The RRZ management or the Senate Committee for Data Processing will make the decision on any complaints or special regulations.
If Universität Hamburg institutions or closely associated institutions not yet connected to the communication network are refused connection for failure to recognize this Net Policy, they may also lodge a complaint with the RRZ management or the Senate Committee for Data Processing.
Unresolved differences of opinion will be decided by the chief information officer of Universität Hamburg.
Implementation rules for the Universität Hamburg Net Policy
Introduction
Pursuant to number 2.3 Net Policy dated 19 January 2005, the following provides the first specific details for implementing the directive. This directive has been divided into 4 parts:
Human resources
It is assumed that IT operations will be implemented as distributed systems at Universität Hamburg. The RRZ carries the primary responsibility for transferring subtasks to institutions. Institutions must assign appropriately qualified staff to perform these subtasks. This is the only way to ensure the high requirements for secure IT infrastructure are met. The following applies for those individuals, hereinafter referred to as Administrators:
1. The names of Administrators should be provided to the RRZ by the institutions (official contact persons).
2. They must be assigned to areas of IT responsibility in the institutions (i.e., the operating systems, IP addresses, device classes, services they are responsible for).
3. Administrators must have the necessary knowledge and qualifications; ongoing continued education is required.
4. There is an obligation to participate in information exchange in the assigned area (work meetings, mailing lists, etc. will be coordinated by the RRZ).
End-point security
The goal is to ensure secure devices are operating in the Universität Hamburg network. This is why end devices should only be administered by Administrators qualified to do so (see above), and not by the end-user.
1. The following procedure and minimal requirements apply to stationary end devices:
-
Operating systems: Only operating systems with official (security) patches issued by the respective manufacturers should be used. Operating systems should be regularly updated with these patches.
-
Virus protection: A current virus scanner with automated updates activated must be used at all times; the RRZ currently offers a university-wide campus license for the Sophos virus scanner.
-
Personal firewall: End devices should be protected by personal firewall software that allows only services and connections explicitly approved by the Administrator to be used. A minimal set of filter rules will be set by the RRZ to prevent operating disruptions due to personal firewall software. In particular, computers connected to the network must respond to ICMP echo requests. Use of the firewall functions integrated into the operating system is recommended.
-
IP registration In principle, only devices whose IP and MAC addresses are registered by the RRZ or representatives authorized by the RRZ may access the network.
-
Computers found to have disruptions in network operation or other issues will be blocked and must be examined and repaired by the Administrators before being released for use in the Universität Hamburg network.
2. The process outlined above also applies to mobile end devices.
3. Outside this process, the operation of private notebooks in the Universität Hamburg network is only permitted for use in the network when:
-
the user has agreed to follow all IT operation rules issued by the Administrators, particularly when IT operational security may be impaired by the private device
-
the rules for private notebooks in the Universität Hamburg network also apply.
4. Procurement of nonstandard end devices and software that pose security concerns require agreement from the RRZ.
Network components
The following rules apply for network operations:
1. As a rule, only network components from the RRZ or from a representative authorized by the RRZ may be integrated into the Universität Hamburg network.
2. In particular, no active network components may be used by unauthorized individuals to dial into the Universität Hamburg network (e.g., WLAN access points, modem and ISDN devices, or VPN devices).
3. Security components (NAT, firewall, VPN, etc) will be provided and, on application, operated by the RRZ where necessary. In exceptional circumstances, and upon submission of a reasoned application, specific components may be operated by an Administrator pursuant to the rules issued by and in consultation with the RRZ.
4. Prior consultation and coordination with the RRZ is strongly recommended should network components be procured by authorized Administrators—the aim is to create the most cost-effective (framework agreements) and reliable IT infrastructure possible for Universität Hamburg.
Services
Access to Universität Hamburg IT resources may be granted only by the RRZ or institutions authorized by the RRZ.
- In particular, the operation of net-based services (DNS, DHCP, Radius) is only permitted by Administrators after approval by the RRZ.
- Centralized solutions should be sought to the greatest extent possible for essential communication services (www, email, FTP, etc.).
This application process ensures that no operational disruptions arise from uncoordinated operating models and that responsibility is clear in the event of faulty operation.