University of Glasgow Universal Network Access Policy

Draft (rev 1.2) for comment (12^th Dec 2003)

 

Purpose

The University makes extensive use of networked Information Technology resources to support its teaching, research and administration functions and provides a variety of services for staff and students, accessible over a comprehensive data communications infrastructure. It is certain that Information Technology will have a crucial and increasing role to play in the day-to-day activities of staff and students; it is therefore important that staff and students have access to their work related Information Technology resources whenever and wherever they need them. The purpose of this Policy is to ensure that the University provides, maintains and develops the infrastructure necessary to enable authorised Universal access to its Information Technology resources.

Scope

This Policy covers access to Information Technology resources delivered from the main Gilmorehill campus and all remote sites and campuses. It covers user access from ‘on campus’ and remote locations including home working. This Policy defines the infrastructure and support strategies necessary to ensure that network services, applications and access technologies provide the most appropriate, efficient and secure environment for authorised users.

Policy

The University recognises that continual investment in network infrastructure will be required to help maintain its competitiveness and realise the benefits of advances in Information Technology.  The University’s network infrastructure consists of the following elements:

 

• Campus backbone fibre optic cabling infrastructure
• Remote sites interconnect
• University buildings cabling infrastructure
• Campus backbone and remote sites routing services
• University buildings Local Area Networks (LANs) routing and switching services
• Flexible access facilities
• Remote access facilities
• ClydeNET and SuperJANET access services
• Support

 

Considering each element the University’s policy will be as follows, NB. Actual investments will depend on the University’s financial position and other commitments.

Campus backbone fibre optic cabling infrastructure

The University’s Policy is to ensure that it’s campus backbone fibre optic cabling infrastructure is maintained and developed to support the data communications requirements for current and future Information Technology service delivery.

 

During the early1990’s the University implemented a limited fibre optic cabling infrastructure serving 27 buildings within the Gilmorehill campus. Initially the system was used to implement a 10Mbs bridged Ethernet backbone, whereas today it supports a trunked Gigabit Ethernet backbone and is capable of supporting 10Gigabit Ethernet and beyond. It would therefore be fair to say that the choice of technology in terms of fibre core diameter, multimode and single mode provision and number of fibres per cable has stood the test of time. Over the years the fibre optic cabling infrastructure has expanded to serve all University buildings within the main campus and Garscube estate. The University will continue to develop its strategic fibre optic cabling infrastructure by connecting new buildings as they come on stream and enhancing resilience to existing buildings where appropriate. Although cable choice, construction and fibre operating parameters have changed, the Policy of installing both 50micron multimode fibre and 9micron single mode fibre cables per link will continue.

Remote sites interconnect

The University’s Policy is to ensure that University staff and students located at remote sites are not disadvantaged in terms of the Information Technology resources and service levels provided for them.

 

Remote sites present many problems with respect to network provisioning and support. It is not uncommon for users at remote sites to feel left out of mainstream developments because of poor connectivity with the main site. Providing interconnects at bandwidths comparable with those available on the main campus would not be affordable using traditional ‘tariff services’ from the Public Telecommunications Operators (PTOs). This would generally lead to low bandwidth provisioning and associated reductions in the service levels that could be offered and supported. However as a result of an OJEC tendering procedure for ClydeNET ‘open fibre’ circuits, the University has established a close working relationship with THUS PLC (formerly Scottish Telecomm), enabling the University to rent ‘open fibre’ circuits for all of its major sites located within the city boundary. The sites involved are as follows:

 

• Garscube estate
• Royal Infirmary
• Dental Hospital
• Southern General Hospital
• Gartnavel Hospitals
• Victoria Infirmary
• Yorkhill hospital
• St Andrews Building

 

The availability of ‘open fibre’ circuits allows the University’s Computing Service to deliver high bandwidth services to remote sites on a par with the services delivered to buildings located on the main Gilmorehill campus. The Computing Service has established long term rental agreements with THUS for all ‘open fibre’ circuits and will periodically market test these agreements to ensure best value.

University buildings cabling infrastructure

The University’s Policy is to ensure that data communications services are regarded as essential building utilities similar to water, gas and electricity.

 

The University has adopted ‘industry standard’ Premises Distribution Schemes (PDS) as the data communications wiring standard for all University buildings; to date approximately 18,000 (PDS) network connection points are available over the entire campus. Each connection point is presented as an RJ45 connector mounted within a suitable faceplate and containment system. The data transmission media used is industry standard unshielded twisted pair (UTP) cable providing four pairs of wires per connection point. The UTP cables run radialy from each connection point to specialized termination panels located within secure wiring closets that also house campus network and building LAN active components. The Computing Service has established working practises and procedures with Estates and Building to ensure that all building refurbishments and new builds incorporate extensive PDS provisions. PDS network connection points will provide the primary means by which end user systems connect to Local Area Networks (LANs) and hence the University’s campus network.

Campus backbone and remote sites routing services

The University’s Policy is to ensure that it’s campus backbone network provides high performance, scaleable, secure and robust routing services between building LANs and local, national and international resources.

 

The campus backbone routing services are implemented via a number of core routers configured in a ring topology. The links between core routers consist of trunked gigabit Ethernet circuits; links to other buildings and departments are provided at 10Mbs, 100Mbs and 1Gbs as appropriate. Routing services are supported at wire rate for IP and IPX protocols and at considerably less than wire rate for AppleTalk protocols. High-speed routing services are provided for remote sites via open fibre circuits or leased (SDH) circuits. The University recognises that the replacement cycle for the core campus routers should be based on user and network application requirements, technological advances and available budgets. Under normal circumstances the replacement cycle is expected to be four years. Backbone replacement and upgrade programmes will address the following:

 

• Routing performance in terms of packets per second
• Trunk link upgrades to 10Gbs and beyond
• Access link upgrades to 100Mbs, 1Gbs, 10Gbs and beyond
• Quality of service provisions ensuring service performance and operational guarantees
• Service resilience
• Enhancements to overall management and network security provisions

 

The University intends to provide an IP only routing service when it is practical to do so. Work is underway to upgrade Novell server and client protocol support to native IP. AppleTalk backbone routing support is targeted for withdrawal by mid 2006. Microsoft server and client protocol support will only be routed in IP context.

Local Area Networks (LANs) routing and switching services

The University’s Policy is to ensure that Local Area Networks (LANs) are maintained and developed within all University buildings in order to provide the core technology and access ports necessary to deliver high quality network services and applications to end users; these services will be delivered via local servers, where appropriate, and servers located on other LANs or networks connected via the campus routing services.

 

The University has implemented the IEEE 802.3 Ethernet standards as the technology of choice for the University’s campus backbone and building LANs. Current LAN deployments provide network connections via 10Mbs contention based hubs or 10/100Mbs Ethernet switches; LANs typically connect to the campus backbone routing service via dedicated 10/100/1000Mbs router ports. By their nature contention based 10Mbs hubs provide relatively low useable bandwidth and allow all network traffic to be presented to network ports belonging to the same collision domain. By contrast 10/100Mbs Ethernet switches provide dedicated bandwidth for each port and ensure that only broadcast traffic and unicast traffic intended for a port is forwarded to it. The University recognises that it needs to address the disparity in network access provision between users on 10Mbs contention networks and users on switched networks. The University’s policy will be that users are connected to Building LANs through dedicated switch ports operating at the most appropriate speed i.e., 10/100/1000Mbs.This Policy will enhance network security by reducing the opportunity for unapproved network monitoring/sniffing. The timescales for implementing this policy will depend on funding allocations and University priorities.

 

The core user access technology for local area networks will be centrally managed Ethernet switch ports providing dedicated connections for the following:

 

• Standard staff desktops
• Open access clusters
• Department supported staff and student workstations

 

Standard staff desktops and open access clusters provide centrally managed customised environments tailored for specific user requirements. The key features of both environments are:

 

• User authentication is required before access to Information Technology resources is permitted
• Mobility – Users do not need to be tied to a specific workstation at a specific location
• Desktop lock down – Desk top environments are customised for specific requirements that can only be changed by authorised users and support staff
• Security – Desk top environments provide security via anti-virus software, operating system and application patch management, authentication, desk top lock down and central support
• Data integrity – File systems and data integrity is maintained by implementing network file storage for all common directories, user specific file store and applications
• System recovery – System rebuilds are supported centrally using standard images

 

Departments who provide local IT support for their staff and student workstations are encouraged to adopt similar safeguards. As a minimum local IT support staff and users must implement the following measures:

 

• Proactive systems security measures i.e.,
• Enforce user authentication before access to Information Technology resources is permitted

• Workstations must be kept up to date with respect to operating system and applications patch levels

• Workstations must be protected by an up to date version of the University’s recommended anti virus software operating with the latest virus definition files

• Data integrity – File systems and data integrity must be maintained by implementing network file storage or local system backup and restore procedures

 

Flexible access facilities

The University’s Policy is to ensure that flexible and secure network access facilities are provided in order that authorised users can use their own systems to access their work related Information Technology resources from locations on campus or while working away from University premises.

On Campus Flexible Access facilities

The technology used to implement this provision will be a mixture of wireless and wired network connection points. The services available over the on campus flexible access network will be advertised via the Computing Service web pages and will be similar to those provided for remote access users. User support will be largely self-service via Web based configuration instructions and FAQs. Limited support will also be available from the University IT Help Desk. Whilst on campus, Flexible access users will be responsible for the following:

 

• Providing a suitable workstation with a functioning network interface card (NIC), NB, this may be an approved wireless or Ethernet NIC
• Registering their workstation for use with the flexible access facility
• Installing and properly configuring all network and client software in accordance with online instructions
• Ensuring all copyrighted software is properly licensed
• Complying with all relevant University Information Technology Policies
• Ensuring laptop batteries have sufficient capacity before attempting critical work
• Systems security –

• University of Glasgow users should understand the risks involved in connecting their personal system to the Internet via different service providers (ISPs) either from home, the University, other institutions or commercial facilities (hotels etc).

• University of Glasgow users must keep their systems up to date with respect to operating system and applications patch levels
• University of Glasgow users must install, operate and maintain an up to date version of the University’s recommended anti virus software
• University of Glasgow users are strongly recommended to install, operate and maintain an up to date version of one of the University’s recommended personal firewall shims
• Visitors must give assurances that their systems have been maintained to the most up to date operating system and application patch levels and are free from virus or other infections
• Physical security of their systems and accessories

• Users must not disclose their authentication credentials to anyone

• Users must not allow any other person to use their system to access University IT resources

• Users must safeguard all sensitive or restricted University data downloaded to their system

• Users must agree that if requested by the University’s Computer Incident Response Team they will supply their personal system for inspection

Remote Flexible Access Facilities

The University’s Policy is that centrally supported VPN services will provide the main secure, authenticated remote flexible access facilities, augmented by application specific services including Terminal Servers and Web based portal services.

 

The University has provided a remote dial-in service for several years and although reliable it suffers from several disadvantages including:

 

• Performance – service is based on analogue PSTN lines and V.42Bis modem pools giving relatively low performance
• Cost – Users out with the Glasgow area pay national call rates NB. There is no University supported local call rate deal associated with this service
• Choice – Users cant take advantage of the many ISP packages on offer including surf packages and broadband packages
• Support – support costs are high with respect to staff time, PSTN line rentals and equipment maintenance

 

In order to circumvent these problems the Computing Service has introduced a more flexible solution based on Virtual Private Network (VPN) technology. The current VPN facility consists of a number of VPN concentrators and client software, which can be used to establish secure authenticated VPN tunnels over almost any IP network. The benefits for end users are as follows:

 

• Choice – Users can choose an ISP and package that suits their requirements and budget
• Performance – Users will be able to choose between a range of connect options including:
• V.90 analogue modems
• ISDN digital broadband services
• Cable modem services currently provided by NTL and Telewest; if located in ‘providers’ franchise area
• ADSL broadband services from BT and participating ISPs; if connected to an ADSL enabled BT exchange
• Cost – Local call rate options, surf packages and broadband packages would be available
• Support – Improved support through concentrated local effort and ISP help lines

 

The VPN facility is documented on the Computing Service web site and provides native access to all campus network resources. This is achieved over a secure (IPSEC) tunnel between the client workstation and the VPN concentrator. Once connected and authenticated the concentrator allocates an IP address for the client from the University’s IP address space. The client accesses campus resources using IP datagrams, with this assigned IP source address, encapsulated over the IPSEC tunnel. The VPN concentrator is responsible for unpacking/decryption and packing/encryption of data to and from the campus LAN and the relevant IPSEC client tunnel. The client workstation therefore looks like any other local workstation to hosts and servers on the campus network. Future versions of the VPN concentrator software will include WebVPN services, which will obviate the need for a ‘thick’ VPN client whilst supporting a similar set of Network applications.

 

Other service or application specific remote access services are provided as follows:

 

• SSL – Secure web access is supported via secure socket layer protocols
• SSH – Secure access to certain systems is supported over the secure shell protocol
• Secure e-mail is supported via PGP encryptions, secure pop/imap and secure web-mail
• Terminal services providing authenticated and secure access to virtual desktop environments

 

It is important to note that although the VPN service provides a secure authenticated tunnel between a remote system and the University’s campus network, this tunnel will only be as secure as the remote system itself. If for example a remote system has been compromised via another network then establishing a secure tunnel from it to the University’s campus network will present a real security threat; this scenario would apply to all modes of remote flexible access. Users of the University’s remote flexible access facilities must therefore safeguard their systems by adhering to the following

 

• Users must comply with all relevant University Information Technology policies
• Remote access sessions, other than for the purpose of accessing public information, must be authenticated
• If a user requires access to restricted University information then their remote access session must be authenticated and conducted using strong data encryption
• Users must not disclose their authentication credentials to anyone, not even family members
• Users must not allow their system to be used for access to any University IT resources by any other person, not even family members
• Users must not enable access from other connected networks to the University’s campus network over a remote access session

• Systems security –

• Users should understand the risks involved in connecting their personal system to the Internet via different service providers (ISPs) either from home, other institutions or commercial facilities (hotels etc).

• Users must keep their systems up to date with respect to operating system and applications patch levels
• Users must install, operate and maintain an up to date version of the University’s recommended anti virus software
• Users connecting via always on networks e.g., broadband networks, must have a University approved personal firewall shim installed and kept up to date with recommended security policies.
• Users must safeguard all sensitive or restricted University data downloaded to their system

• Users must agree that if requested by the University’s Computer Incident Response Team they will supply their remote access system for inspection

ClydeNET and SuperJANET access services

The University’s Policy is to provide high performance, secure and resilient access to the ClydeNET Metropolitan Area Network (MAN) and the SuperJANET academic network. ClydeNET represents the consortium of 28 HE and FE institutions responsible for the ClydeNET Metropolitan Area Network, established and operated to promote inter site collaborative ventures and shared common access to the SuperJANET Academic network. All access to and from the campus network depends on the University’s connections with ClydeNET and SuperJANET. To provide enhanced resilience the Computing Service has implemented the following:

 

• Dual connections from the campus backbone routing service to the ClydeNET access router
• Dual connections from the ClydeNET access router to ClydeNET and the SuperJANET access router

 

However this model still presents single points of failure risks associated with core routing and circuit termination equipment located at the University’s James Watt North Building and the WorldCom premises in Glasgow.

 

The University’s Policy is to further enhance Wide Area Network (WAN) resilience by providing an alternative access point between the campus backbone routing service and SuperJANET from another location on the main Gilmorehill campus. This work will involve collaboration with other ClydeNET partners, other Scottish MANs, UKERNA and the Scottish Funding Council.

 

Support

The University’s Policy is that the Computing Service department provides central support for the following services:

 

• Campus backbone cabling infrastructure and building PDS systems
• Campus backbone routing service and all building LAN routing and switching services, unless by special arrangement
• All core support services including:
• DNS services
• WWW services
• WWW caches
• E-mail hubs and relays
• Remote access services
• IT Security services
• File store services
• Print services
• Directory services
• Authentication authorisation and accounting services
• Video conferencing and other collaboration services

 

The key benefits associated with this approach may be summarised as follows

 

·        Fully managed services backed by dedicated teams and published statements of service

·        Consistency of provision

·        Clear lines of responsibility

·        Economies of scale

·        Accountability and compliance monitoring

·        Single points of contact with users and other service providers

 

Under certain circumstances decentralised support arrangements may be required; in such environments University Policies and procedures will be established to guide departments and support staff to ensure that the University’s overall security and access requirements are satisfied.

 

The University’s Policy is to introduce new network services and applications, where these would lead to improvements in the IT facilities offered to staff, students and other partners. However introducing new network services and applications will depend on appropriate levels of funding, including all support overheads.

References

This policy is based on information gathered from a variety of sources including:

 

• Local procedures and experience
• Consultation with interested parties
• Other Organisations and Institutions

 

The following Organisations and Institutions have provided reference material and deserve acknowledgement:

 

Brown University Information Technology Plan

http://www.brown.edu/Facilities/CIS/IT2000/1.html

 

CAUSE/EFFECT A framework for Universal Intranet Access

http://www.educause.edu/ir/library/html/cem9729.html

 

University of Glasgow Universal access working group reports

http://www.gla.ac.uk/infostrat/wgroups/wg4/

 

UC Davis Connecting to Campus Computing Resources

http://access.ucdavis.edu/RAMPReport/rampone.cfm