Network Security Policy

This policy is intended to protect the integrity of the campus network, to mitigate the risks and losses associated with security threats to computing resources and to ensure secure and reliable network access and performance for the University community. This policy is necessary to provide a reliable campus network to conduct the University's business and prevent unauthorized access to institutional, research or personal data. In addition, the University has a legal responsibility to secure its computers and networks from misuse.

Addressing and Domain Services

  1. Individuals, academic colleges/departments or administrative departments at Villanova may not create or support an Internet domain hosted from the University's network without prior approval of the Office for University Information Technologies (UNIT).
  2. UNIT will provision and manage the public Villanova University IP address space and all other related RFC 1918 private addresses in use by the University.
  3. UNIT will manage any related domain names (e.g. villanova.edu).
  4. UNIT may delegate administrative responsibilities to individuals for certain subnets, but retains the right of ownership for those networks.
  5. Technological changes and other factors may require a reconfiguration of the network resulting in a change to the network addresses assigned to computers. UNIT will give prior notice to affected users before making any changes.

Network Connections

  1. Villanova University faculty, staff or students may not connect, nor contract with an outside vendor to connect, any device or system to the University's data networks without the prior review and approval of UNIT. Colleges or departments that wish to provide Internet or other network access to individuals or networks not directly affiliated with the University must get prior approval from UNIT.
  2. All devices placed on the University's network must be registered with UNIT. All authorized University network users (faculty, staff or students) must be assigned a physical network port and network address by UNIT.
  3. Unauthorized access to University networking equipment (routers, switches, hubs, etc.) is not permitted. This includes any port scanning or attempts to gain access to University equipment via SSH, SNMP or other means.
  4. Unauthorized access to University data closets is strictly prohibited.
  5. UNIT will provide a general method for network authentication to University systems.

External Services and Requests

  1. UNIT will take action to prevent spoofing of internal network addresses from the Internet. UNIT will also take action to protect external Internet sites from source address forgery from the University's network.
  2. The University's external Internet firewall policy is to deny all external Internet traffic to the University's network unless explicitly permitted. Access and service restrictions may be enforced by IP address and/or port number. Proxy services may be used in conjunction with the firewall to restrict usage to authenticated individuals.
  3. The University must identify which systems will offer Internet services. To facilitate this, academic colleges/departments and other administrative departments must register with UNIT systems that require access from the Internet. It is recommended that these systems also be protected by access control software, host-based firewalls, etc.
  4. Some network services through standard ports are supported. However, services may be restricted to a limited number of subnets or hosts. For example, electronic mail (SMTP, Port 25) may only be sent and received by authorized mail servers on campus. User access to mail accounts (POP3, Port 110 and IMAP, Port 143) on these servers will be permitted from off-campus through the firewall.
  5. Most network services through non-standard ports are not supported. Services through non-standard ports may be restricted to a limited number of subnets or hosts. For example, WWW access via the standard HTTP port (Port 80) will be permitted, but access via some other arbitrary port number may not be.
  6. A limited number of encrypted tunnels for passing through the firewall to internal resources, such as X-Windows, are permitted with the prior approval of UNIT. The recommended method is to use Secure Shell (SSH). IP Multicast tunneling is not permitted.
  7. Users that would like to request access through the University firewall must open a help desk ticket and fill out a firewall access request form.

Network Security

  1. UNIT will investigate any unauthorized access of University computer systems. UNIT will work with administrative departments and law enforcement when appropriate.
  2. Systems on the network must have adequate security installed and maintained. All systems connecting to the University network must be configured and maintained in such a manner as to prohibit unauthorized access or misuse.
  3. If security problems are observed, it is the responsibility of all Villanova University network users to report problems to the appropriate system administrators or UNIT for investigation.
  4. Network usage judged appropriate by the University is permitted. Some activities deemed inappropriate include, but are not limited to:
    1. Attaching unauthorized network devices, including a wireless router, gateway or DHCP server, or a computer set up to act like such a device.
    2. Engaging in network packet sniffing or snooping.
    3. Operating network servers of any sort in violation of UNIT guidelines (e.g. an illegal file-sharing server).
    4. Setting up a system to appear like another authorized system on the network (a Trojan).
    5. Other unauthorized use prohibited by the University's acceptable use or other UNIT policies.

Enforcement

  1. Any device found to be in violation of this policy, or found to be causing problems that may impair or disable the network in any way is subject to immediate disconnection from the University's network. UNIT may subsequently require specific security improvements where potential security problems are identified, before the device is reconnected.
  2. Attempting to circumvent security or administrative access controls for information resources is a violation of this policy. Assisting someone else or requesting someone else to circumvent security or administrative access controls is a violation of this policy.
  3. The University considers any violation of acceptable use principles or guidelines to be a serious offense, and reserves the right to test and monitor security, and to copy and examine any files or information resident on University computer systems allegedly related to unacceptable use.
  4. Anyone found in violation of this policy will be subject to the disciplinary actions stipulated in the Acceptable Use Policy.

Monitoring and Auditing

  1. UNIT will maintain traffic logs of the firewall for security auditing purposes.
  2. UNIT reserves the right to monitor, access, retrieve, read and/or disclose data communications when there is reasonable cause to suspect a University policy violation or criminal activity, when monitoring is required by law enforcement, or at management request. Reasonable cause may be provided by a complaint of a policy violation or crime, or by something incidentally noticed while UNIT staff carry out their normal duties.
  3. UNIT may perform a non-intrusive security audit of any computer system attached to the University's network at any time, to determine what risks that system may pose to overall information security. Any audit consisting of a penetration test would be performed with advance notice to the system administrator or his/her superior.

Purpose of the Policy

  • Provide a reliable campus network and Internet connection to conduct the University's business.
  • Provide only authorized access to institutional, research or personal data and information.
  • Protect computer system and network integrity at Villanova University.
  • Specifically, this policy will protect University computing resources from:
    • Unauthorized access to resources and/or information.
    • Unintended and/or unauthorized disclosure of information.
    • Denial of Service attacks.