
650-14 Network Gateway

 

Effective Date:           January 26, 2004

Office of Origin:         Information Technology Services (ITS)


 

I. Purpose

 

This policy prohibits network activities undertaken within a UCSF unit that may result in security risks or inappropriate use of the campus network and online resources. Examples of this type of activity include installation of modem pools, proxy servers or VPN gateways. This policy does not cover the installation of hubs, switches, and other network devices that extend the internal network without providing external access.

 

 

II. Definitions

 

Hub:  A common connection point for devices in a network.

 

IP (Internet Protocol):  The language that allows computers to communicate over the Internet, addressing the small data packets so that routers know where to send them.

 

NAT (Network Address Translation):  An Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.

 

Open Proxy:  A proxy server that does not require users to be identified or authorized to use the proxy, although it does make them appear to be authorized users of the network hosting the proxy server.

 

Proxy server:  Also called a "proxy" or "application level gateway," it is an application that breaks the connection between sender and receiver. All input is forwarded out a different port, closing a straight path between two networks and preventing a cracker from obtaining internal addresses and details of a private network.

 

Switch:  A network device that selects a path or circuit for sending a unit of data to its next destination. A switch also may include the function of the router, a device or program that can determine the route specifying to which adjacent network point the data should be sent.

 

VPN (Virtual Private Networking):  A means by which certain authorized individuals (such as remote employees) have secure access to an organization's intranet by means of an extranet (a part of the internal network that is accessible via the Internet). A VPN is a secure, private tunnel between two or more devices across a public network such as the Internet.

 

 

III. Policy

 

Campus units shall not install devices that allow access to the campus network if those devices compromise network security or otherwise allow inappropriate use of UCSF network resources. Campus units may install the following or similar devices to meet departmental operational requirements only after providing the indicated basic registration information to Information Technology Services (ITS):

 

  1. Proxy Servers other than Open Proxy Servers – Proxy servers must not be deployed to circumvent UCSF network and systems security policies. Campus departments implementing proxy servers must describe their purpose and constituency to ITS and provide a contact phone number.

  2. Circuit-switched Remote Access Gateways – Dial-up access to university systems for purposes such as system maintenance and monitoring must be password-protected with call-back, and must not be deployed to circumvent UCSF network and systems security policies. Campus departments implementing dial-up gateways must describe their purpose and constituency to ITS and provide a contact phone number.

  3. Other Gateways (NAT, T-1, etc.) – Gateways must not be deployed to circumvent UCSF network and systems security policies. Campus departments implementing network gateways must describe their purpose and constituency to ITS and provide a contact phone number.

  4. Unsecured Wireless Access Points – Any access device on the campus network must be appropriately installed and configured to prevent unauthorized use of the campus network or computing resources.

  5. When the campus establishes policies for network border security through the IT Governance process, all entry points to the campus network must comply with those policies through implementation of firewalls or other access control methodologies.

 

Open proxy servers are not allowed on campus. ITS will regularly monitor the campus for open proxies and notify the appropriate administrator if one is found.

 

 

IV. Responsibility

 

Contact Office of Origin (see above) with any questions.

 

 

V. Related Policies

 

 

VI. References