Standards for Network Connectivity
At Montana State University Great Falls Campus
These standards supplement Montana State University's Campus Networking Policy. The information technology departments at each of the four campuses of Montana State University (MSU-Billings, Bozeman, Great Falls and Havre) each have primary responsibility for the design, installation, and operation of the central telecommunications network environments on their individual campuses. In order to achieve a robust and stable network infrastructure, the information technology departments must maintain administrative control over the campus networks and the kinds of data that traverse them. The information technology departments will provide well-defined, basic network connectivity to meet the general campus needs. Additionally, the information technology departments will work cooperatively with departments wishing to provide their users with additional, specialized networking services to ensure that the designs of those services meet the criteria outlined in this document and can be successfully integrated into the central network. The following standards apply to all devices and networks connected to the central telecommunications networks. Although strongly recommended, these standards are not mandatory for small experimental or instructional networks that are not connected to the campuses' central telecommunications networks.
Purpose
The purpose of these standards is to ensure the security of the MSU networks and the devices connected to them by specifying technological and managerial requirements and recommendations. It is in the best interests of the University that these networks and the devices connected to them be protected against threats to the availability and integrity of the services and information based on them. Such threats include but are not limited to unauthorized use, eavesdropping, vandalism (e.g., viruses, worms, Trojan horses), and denial of service attacks. These standards, therefore, state requirements and recommendations for the secure installation, configuration, and administration of network-connected devices and infrastructure.
Scope
Devices covered by these standards include all network-connected, information technology devices, such as personal computers, printers, photocopiers, firewalls, servers, routers, switches, and hubs, as well as network-connected mechanical devices, robots, and laboratory instruments. Also covered are cabling, wiring, jack components, and wireless networking devices, including all network infrastructure components between the network core router and the network.
For purposes of these standards, "network-connected" indicates devices that are connected by wire, optical fiber, or wireless means to digital telecommunication networks that are owned and/or operated by an MSU campus. Exempted from these standards are devices connected to very small, isolated networks that are (1) managed entirely within individual academic or administrative departments, (2) do not share network infrastructure (cabling, electronics) with any other campus network, and (3) are never connected physically or by wireless means to an MSU campus owned and/or operated network outside the department.
Acceptance
Any use of an MSU telecommunication network signifies the user's agreement to adhere to these standards.
Violations
The information technology department and/or Internal Audit office will investigate suspected violations of these standards. All operators of network-connected devices are required to cooperate fully with such investigations. If suspected violations are seen to pose threats to the security of the network or to other network-connected devices, or to violate other university policies, such as fire and electrical code, ITC Departmental Policies and Procedures, Telecommunication Network Installation Policy 403, etc., the information technology department may disconnect from the network any or all devices involved in the violation. Such devices may not be reconnected to the network until violations are addressed and remedied to the satisfaction of the information technology department. If the device administrator cannot be identified or contacted, the information technology department may elect to utilize the network to distribute necessary operating system, application, or virus-checking patches or upgrades to remedy the violation. In the case of older operating systems for which patches or upgrades aren't available, the device will remain disconnected from the network until the current operating system has been installed and properly patched.
Requirements and Recommendations - General
Required
- The owner of each network-connected device must identify an individual or group to be primarily responsible for the device and to ensure that the requirements of these standards are met. At the owner's discretion, the group may include the information technology department staff, either contracted to support the device or hired as needed to support it. The person or group with these responsibilities is referred to hereafter as the administrator of the device.
- The administrator of each network-connected device must be adequately trained in the administration of the device and its operating system. An administrator should have completed basic training on the administration of the device and operating system such that s/he can configure the system, including the application of updates, security patches, etc., and perform basic troubleshooting in the event of device problems.
- When a device is used for storage of sensitive material (e.g., institutional data, student grades, social security numbers) administrative duties must be performed exclusively by trained employees fully informed of their responsibilities for the confidentiality and integrity of the sensitive material. It is the responsibility of the device owner to ensure that these responsibilities are fully and effectively communicated to the administrator and the user of the device. Computers on which sensitive data are stored require special security considerations. These computers are to be physically secured in such a manner that access to them is controlled, such as in a locked office or under the user's direct control. Guest login capability is to be disabled on Windows-based computers.
- Administrators of multi-user, network-connected devices must monitor those devices systematically. If a device is providing critical services, its logs should be written to a secure disk or recorded to another machine through a serial port. The logging information should be analyzed periodically to detect unusual behavior. Ideally, scripts should be devised to automatically notify the administrator to take action in the event of unusual behavior.
- The information technology department or the Internal Audit office may probe periodically the security of network-connected devices. When such a probe would be disruptive to the device in question, the entity conducting the probe will work with the device owner to minimize disruption. Device owners will be responsible for correcting, at their own expense, vulnerabilities identified by these probes.
- Administrators should regularly review and archive the log files that contain information about device activity and should keep those log files for an appropriate length of time.
- Installation of all network wiring and installation of wireless networking infrastructure, such as wireless access points, is the responsibility of the campus information technology department. At MSU-Bozeman, wiring will be done in accordance with ITC Departmental Policies and Procedures.
Recommended
- Device administrators or members of the group responsible for administration should be reachable 24 hours a day, seven days a week in order to respond to major security incidents. If no administrator is available in the event of a major security incident involving the device, and if judged necessary by the information technology department staff, the device will be disconnected from the network until approval for its return to service is given by the information technology department.
- Secondary administrators should be identified and adequately trained to perform the administrative functions for any operational device that is connected to the network in the absence of the primary device administrator, e.g., evenings, weekends, vacations.
- Login access should be blocked for an appropriate length of time after three to five unsuccessful tries. All such attempts should be logged to a file that is owned by the device administrator and is not readable by others.
- Multi-user, network-connected devices should be monitored for idle users. Administrators should notify users that remaining logged on for extended periods when not using their computers poses a security threat to the individual's work as well as to the network and shared resources. Administrators are expected to be equally scrupulous in their own usage of the devices under their control.
- Administrators should encourage users not to leave their desktop computers unattended when sensitive data or applications are accessible. Desktop computers should be configured with password-protected screen savers or similar utilities.
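The lockout-after-repeated-failures recommendation above, together with the earlier requirement that administrators log device activity and analyze it for unusual behavior, can be combined in one small control. The following Python is an added illustration, not code from the MSU standards; the five-attempt threshold, the fifteen-minute lockout window, the log line format and the sample account and source address are all assumptions chosen to fit the "three to five tries" guidance, not values from the page.

```python
"""Failed-login throttling with an owner-only attempt log, plus a small
log scan that flags accounts whose failure count looks unusual.

Added illustration; not code from the MSU standards document. The
threshold (5 attempts), lockout window (15 minutes) and the log line
format are assumptions, not values taken from the page.
"""
import os
import re
import tempfile
import time
from collections import defaultdict
from pathlib import Path

MAX_FAILURES = 5            # assumed: within the page's "three to five" range
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length


class LoginGuard:
    """Track failed logins per account and enforce a temporary lockout.

    The attempt log is created with mode 0o600 so that only the
    administrator who owns the file can read it, matching the page's
    requirement that the log not be readable by others. `clock` is
    injectable so the behaviour can be exercised deterministically.
    """

    def __init__(self, log_path, clock=time.time):
        self.log_path = Path(log_path)
        self.clock = clock
        self.failures = defaultdict(list)   # account -> recent failure timestamps
        self.locked_until = {}              # account -> unlock time (epoch seconds)
        # O_CREAT with an explicit 0o600 mode, independent of the process umask.
        fd = os.open(self.log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        self._log = os.fdopen(fd, "a")

    def _record(self, account, result, source):
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))
        self._log.write(f"{stamp} account={account} result={result} src={source}\n")
        self._log.flush()

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: reset state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def attempt(self, account, password_ok, source="unknown"):
        """Return True if the login is accepted, False if rejected or locked out."""
        if self.is_locked(account):
            self._record(account, "locked", source)
            return False
        if password_ok:
            self.failures[account].clear()
            self._record(account, "success", source)
            return True
        now = self.clock()
        # Count only failures that fall inside the lockout window.
        recent = [t for t in self.failures[account] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        self._record(account, "failure", source)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return False

    def close(self):
        self._log.close()


LOG_RE = re.compile(r"account=(\S+) result=(\S+)")


def accounts_over_threshold(log_lines, threshold=MAX_FAILURES):
    """Periodic-review helper: accounts whose failure count in the given
    log lines reaches `threshold`, sorted for stable output."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "failure":
            counts[m.group(1)] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)


def demo():
    """Drive the guard with a fake clock against a constructed account.

    Returns (accepted while locked, accepted after lockout expiry, flagged accounts).
    """
    fake = {"now": 1_000_000.0}
    log_path = Path(tempfile.mkdtemp()) / "login_attempts.log"
    guard = LoginGuard(log_path, clock=lambda: fake["now"])
    for _ in range(MAX_FAILURES):                       # five wrong passwords
        guard.attempt("jdoe", password_ok=False, source="10.0.0.5")
    while_locked = guard.attempt("jdoe", password_ok=True, source="10.0.0.5")
    fake["now"] += LOCKOUT_SECONDS + 1                  # let the lockout expire
    after_expiry = guard.attempt("jdoe", password_ok=True, source="10.0.0.5")
    guard.close()
    flagged = accounts_over_threshold(log_path.read_text().splitlines())
    return while_locked, after_expiry, flagged


if __name__ == "__main__":
    print(demo())
```

The lockout state here lives in memory; on a multi-user system it would normally be kept by the PAM module or directory service, and the log scan would run from cron against the real attempt log rather than the file the demo creates.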
Account maintenance
Required
- Access to shared resources should be granted only as needed as determined by the account manager or other authorized individual.
- Sharing of accounts and passwords is prohibited except when approved in writing by the campus information technology department head.
- Account managers must be able to identify all account holders, including name, university identification number (GID), username, role (e.g., faculty, staff, student, consultant, etc.), phone number, and office or home address.
- Computer access of terminated employees is to be deactivated immediately upon notification to the account manager by the employee's management.
- Passwords are among the most important components of any computer and network security scheme. Users and administrators of network-connected devices are required to take all reasonable measures to ensure that users adopt secure, unguessable passwords, change them with reasonable frequency, and share them with no one.
- Passwords are to be kept confidential. No procedure may be established in which account owners are required to disclose their passwords to others.
- Account managers will establish policies to govern the reissuing of passwords to account owners who have lost or forgotten their passwords. Those policies should require positive identification of the owner of the account before s/he is given a new password. The account owner should be required to change the password again immediately to one that is known only to him or her.
Recommended
- When feasible, the account manager should re-certify all established accounts annually to ensure that only valid accounts remain active. The device administrator should create documentation to support the re-certification process.
- Passwords should be a minimum of eight characters in length. They should incorporate at least two non-alphabetical characters. No word appearing in any dictionary should be used unless it is modified to conform to the recommendation in the preceding sentence.
- Whenever supported by the system, the device administrator should activate password aging, with 60-180 day expiration, depending on system needs (e.g., 90 days for administrative systems and 180 days for laboratory systems).
- The account manager should keep a history of the last six to ten passwords used for each account if this feature is supported by the operating system.
- Grace logins should be limited to no more than three. (A grace login is given after a password has expired and prior to the user changing the password.)
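The password recommendations above (eight-character minimum, two non-alphabetic characters, no unmodified dictionary word, a reuse history and age-based expiry) are concrete enough to check mechanically. The following Python is an added illustration, not code from the MSU standards; the tiny word list stands in for a real dictionary file, the PBKDF2 parameters used for the history entries are an implementation choice, and the six-entry history depth is one point in the page's six-to-ten range.

```python
"""Password-policy checks following the page's recommendations: minimum
eight characters, at least two non-alphabetic characters, no unmodified
dictionary word, no reuse of the last N passwords, and expiry by age.

Added illustration; not code from the MSU standards document. The
dictionary below is a constructed stand-in, and the PBKDF2 parameters
are an implementation choice rather than something the page specifies.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words).
SAMPLE_DICTIONARY = {"montana", "bobcats", "password", "grizzlies", "falls"}

MIN_LENGTH = 8
MIN_NON_ALPHA = 2
HISTORY_DEPTH = 6                                       # page: six to ten
MAX_AGE_DAYS = {"administrative": 90, "laboratory": 180}  # page's examples


def _hash_password(password, salt, rounds=100_000):
    # Salted, slow hash so a leaked history file does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_history_entry(password):
    """Return (salt, digest) suitable for appending to an account's history."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


def was_used_before(password, history):
    """True if `password` matches any stored (salt, digest) entry."""
    return any(
        hmac.compare_digest(_hash_password(password, salt), digest)
        for salt, digest in history
    )


def check_new_password(candidate, history=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable.

    A dictionary word is only rejected when used unmodified: once it
    carries the required non-alphabetic characters it no longer matches.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    non_alpha = sum(1 for ch in candidate if not ch.isalpha())
    if non_alpha < MIN_NON_ALPHA:
        problems.append(f"fewer than {MIN_NON_ALPHA} non-alphabetic characters")
    if candidate.lower() in dictionary:
        problems.append("unmodified dictionary word")
    if was_used_before(candidate, list(history)[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(last_changed, system_type, now=None):
    """Password aging: True once the password is older than the limit
    for the given system type ("administrative" or "laboratory")."""
    now = now or datetime.now()
    return now - last_changed > timedelta(days=MAX_AGE_DAYS[system_type])


def demo():
    """Exercise the checks with constructed values; returns a result tuple."""
    history = [make_history_entry(p) for p in ("Spr1ng!2003", "Wint3r!2002")]
    reused = check_new_password("Spr1ng!2003", history)      # rejected: reuse
    weak = check_new_password("montana", history)            # three violations
    good = check_new_password("M0ntana!Falls", history)      # accepted
    changed = datetime(2024, 1, 1)
    checked = datetime(2024, 4, 15)                          # 105 days later
    admin_expired = is_expired(changed, "administrative", now=checked)
    lab_expired = is_expired(changed, "laboratory", now=checked)
    return reused, len(weak), good, admin_expired, lab_expired


if __name__ == "__main__":
    print(demo())
```

Storing the history as salted PBKDF2 digests rather than plaintext means the reuse check costs one hash per stored entry, which is acceptable for six to ten entries and keeps the history file from being a list of the account's old passwords.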
Computing and Networking Devices
Required
- When the acquisition of computing and networking devices is specified in a grant proposal, sufficient support funding to comply with these standards must also be included in the proposal or the availability of sufficient funding from other sources must be documented. The MSU campus office that administers grant funds is responsible for administration and enforcement of this requirement.
- No device may be connected to the network until the default passwords for all preconfigured accounts have been changed from the manufacturer-provided passwords to new passwords known only to the administrator or account owner.
- Only devices with network interfaces approved by the information technology department may be connected to the network. In most cases approval will be part of the purchasing process; in all cases approval of the information technology department is required.
- Except by formal agreement between the information technology department and the device owner, routers, bridges, switches, hubs, mini-hubs, and other network electronics connected to the campus network are to be installed, maintained, and monitored exclusively by the information technology department, regardless of who has purchased the device.
- The information technology department will maintain an inventory of all network-connected computers and network electronics in use on the campus network. Users of the network are required to provide the information technology department with all needed information about network-connected devices under the users' control.
- All servers and all network electronics are to be placed in limited access mechanical rooms, locked telecommunications rooms, or locked cabinets. The information technology department and/or the campus facilities services department are to control the keys to all such locations housing hubs, switches, routers, or other central networking equipment.
- Passwords for device logins and firmware must be changed at installation (see Section 5.C.2) and as often as password aging requires. All null and device-test passwords must be changed to acceptable passwords, as described in Section 5.B.9 of these standards.
- Fault tolerance, such as disk mirroring, server duplexing, or RAID is required for servers that store critical institutional data. Additional fault tolerance requirements for research data may be specified in funding agency contracts.
Recommended
- Owners of all network-connected devices are advised that the information technology department may request them to create accounts on those systems for the information technology department to use for emergency system administration purposes. Compliance will be optional but is highly recommended.
- All new network interface devices (e.g., switches, routers, wireless access points, etc.) should support Simple Network Management Protocol (SNMP). SNMP-capable devices are preferable to others even when more expensive.
- Fault tolerance, such as disk mirroring, server duplexing, or RAID should be implemented for all servers that supply essential services.
Operating Systems
Required
- Administrators of network-connected computer systems are required to configure and maintain the operating systems of those computers in such a way as to prevent unauthorized access and usage.
- Administrators of network-connected computer systems are required to install all applicable operating system and utility security patches as soon as possible after the patches are released. Whenever possible, patches should be tested offline to ensure that they are effective and benign.
- All susceptible network-connected devices must be protected against computer viruses, Trojan horses, worms, and denial of service attacks either through the information technology department-approved protective mechanisms inherent to the operating system or by the addition of third-party software (e.g., anti-virus software, firewall software, etc.).
Recommended
- Administrators of multi-user, network-connected computers should keep those computers' operating systems at the latest available revision levels.
- Administrators of single-user, network-connected workstations and PCs should keep their computers' operating systems at the latest practical revision levels.
Communication protocols
Required
- The MSU campuses' telecommunications networks are based on the Internet Protocol (TCP/IP). No other protocols may be used for network transmissions without the knowledge and express permission of the campus information technology department.
- Enterprise services, which include domain name service (DNS), e-mail, routing, WINS services, firewalls, e-mail relay services, and Novell Directory Services (NDS), may be run only by or in cooperation with the information technology department.
Recommended
- All unneeded protocols should be disabled on network devices such as printers and computers, or the devices should be configured such that they refuse attempted communications using those protocols.
Application software
Required
- Use of packet sniffer software or any other software that may be used for unauthorized interception of network communications is forbidden on the MSU telecommunications networks unless expressly authorized in writing by the information technology department.
- On Web servers, the CGI-bin directory and Web scripting are vulnerable and should be disabled if not needed.
- Administrators of multi-user, network-connected computers must keep those computers' network-based application software (e.g., Telnet, FTP, HTTP clients and servers) at the latest available revision levels.
Recommended
- Administrators of single-user, network-connected workstations and PCs should keep their computers' network-based application software at the latest practical revision levels.
- Web (HTTP) services should not be installed on network-connected computers unless they are needed. If Web services must be run, the information technology department recommends use of a well-supported product (e.g., Apache, Internet Information Server, etc.) with only needed services enabled.
- Whenever possible, source code and compilers should not be kept on servers.
- When it is necessary to run a compiler, it should not be placed on a server used for e-mail, FTP, Telnet, or Web-based functions; a development or non-production server should be used.
- When possible, major applications should be placed on separate servers, e.g., mail on its own server, Web sites on a separate server, etc.
Wireless Local Area Networks
In order to achieve a robust and stable wireless infrastructure and prevent unintended interference to FCC licensed and unlicensed services, the information technology department must maintain control of the radio frequency spectrum that wireless devices utilize as their base transport mechanism. 802.11b wireless local area networking uses the FCC unlicensed 2.4 GHz Industrial, Scientific, Medical (ISM) band. 802.11a and 802.11g wireless use the FCC unlicensed 5 GHz National Information Infrastructure (U-NII) band. Certain other "wireless" devices available in the consumer marketplace use the same 2.4 or 5 GHz frequency band. These licensed and unlicensed devices may cause interference for one another. These devices include, but are not limited to, other wireless LAN devices, cordless telephones, wirelessly connected or controlled video cameras, and wireless speakers.
Required
- Wireless local area network equipment installed at MSU must support data encryption techniques as outlined in the 802.11x standards or must support other available techniques such as VPN, 3DES, etc.
- To ensure the highest level of service to users of wireless networking, the information technology departments need help from all members of the campus community in minimizing potential interference among devices capable of such interference. Faculty, staff, students, and contractors who wish to purchase, install, and use any 2.4 or 5 GHz device in university-owned buildings are required to coordinate those activities with the campus information technology department. When a non-network device is required for a specific teaching or research application, the information technology department will work with the owner to ensure that use of the device may be accommodated without causing interference to the wireless network community.
- The information technology departments will not actively monitor use of the airspace for potential interfering devices. However, we will seek out the user of a specific device should we find it causing harmful interference to the campus wireless network or other FCC-licensed services. In these cases, the information technology departments reserve the right to restrict the use of any FCC Part 15 ISM or U-NII device in any university-owned building and in outdoor spaces on the Montana State University campuses.
- All wireless access points must allow access only to those user devices whose MAC addresses are registered on the access point or are authorized by an appropriate authentication server (e.g., wireless gateway, radius server, etc.).
Recommended
- The information technology departments recommend and support the use of Cisco's Aironet wireless LAN equipment.
- All wireless systems deployed at MSU-Bozeman must comply with the Telecommunications Antenna/Tower Siting Policy.
MSU Standards for Authentication of Network Users
The university has an obligation to assist in federal, state, local, and campus law enforcement investigations of alleged computer-based violations of the law. As such, we may be required to identify computer users involved in suspected illegal activities. In order to facilitate compliance with these requests and to ensure the security of MSU data, the identities of users of the data communications network, at any given point in time, must be ascertainable.
Required
1. All users of network-connected computers must authenticate to the network or authentication device in such a manner (e.g., Kerberos, LDAP, Windows domain login, etc.) that the use of any computer can be traced to the user. Users of public access computers located in the library buildings are not required to authenticate if their access is restricted to the Internet. Other devices, such as laboratory instruments and printers, which do not support authentication are also excluded from this requirement.
2. All Dynamic Host Configuration Protocol (DHCP) servers connected to the MSU data communication networks must be configured in such a manner that the servers log the MAC address of each user's machine and the IP address assigned to it, as well as the assignment and release times of the IP address. Upon request, records pertaining to the ownership of the MAC and IP addresses must be made available to authorized university or law enforcement personnel by the DHCP server administrator.
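The DHCP logging requirement exists so that an investigator can ask "which machine held this IP address at this time?" and get a defensible answer. The following Python is an added illustration of that lookup, not code from the MSU standards or from any DHCP server: it turns assignment and release log entries into lease intervals and answers point-in-time queries. The log lines are constructed and only loosely modelled on syslog-style DHCPACK/DHCPRELEASE messages; a real server's format will differ, so the regular expression is an assumption that would need adapting.

```python
"""Who held this address when? Build lease intervals from DHCP server log
lines that record each assignment (MAC, IP, time) and each release, then
answer point-in-time lookups of the kind the standard requires to be
available to authorized personnel.

Added illustration; not code from the MSU standards document or from a
real DHCP server. SAMPLE_LOG is constructed; the line format and the
regular expression that parses it are assumptions.
"""
import re
from datetime import datetime

# Constructed sample log using private address space and made-up MACs.
SAMPLE_LOG = """\
2024-03-04 08:01:12 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 via eth0
2024-03-04 08:02:40 dhcpd: DHCPACK on 10.20.30.42 to 66:77:88:99:aa:bb via eth0
2024-03-04 11:45:03 dhcpd: DHCPRELEASE of 10.20.30.41 from 00:11:22:33:44:55 via eth0
2024-03-04 11:46:10 dhcpd: DHCPACK on 10.20.30.41 to cc:dd:ee:ff:00:11 via eth0
2024-03-04 12:00:00 dhcpd: DHCPACK on 10.20.30.41 to cc:dd:ee:ff:00:11 via eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) (?:to|from) "
    r"(?P<mac>[0-9a-fA-F:]{17})"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_leases(log_text):
    """Return a list of {ip, mac, start, end} dicts; end is None while held.

    A renewal (DHCPACK for the same IP and MAC) leaves the open lease as
    is. An ACK for the same IP to a different MAC closes the previous
    lease at that moment, because the server has reassigned the address
    even though no release was logged.
    """
    leases = []
    open_by_ip = {}   # ip -> index into `leases` of the currently open lease
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated log line (DISCOVER, OFFER, noise)
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        ip, mac = m.group("ip"), m.group("mac").lower()
        current = leases[open_by_ip[ip]] if ip in open_by_ip else None
        if m.group("kind").startswith("DHCPACK"):
            if current and current["mac"] == mac:
                continue                        # renewal: nothing changes
            if current:
                current["end"] = ts             # reassigned without release
            open_by_ip[ip] = len(leases)
            leases.append({"ip": ip, "mac": mac, "start": ts, "end": None})
        elif current and current["mac"] == mac:  # DHCPRELEASE from the holder
            current["end"] = ts
            del open_by_ip[ip]
    return leases


def who_had(leases, ip, when):
    """Return the MAC address that held `ip` at datetime `when`, or None."""
    for lease in leases:
        if lease["ip"] != ip or when < lease["start"]:
            continue
        if lease["end"] is None or when < lease["end"]:
            return lease["mac"]
    return None


def lookup(ip, when_text, log_text=SAMPLE_LOG):
    """Convenience wrapper: `when_text` uses the same timestamp format as the log."""
    return who_had(parse_leases(log_text), ip, datetime.strptime(when_text, TS_FMT))


if __name__ == "__main__":
    for lease in parse_leases(SAMPLE_LOG):
        print(lease)
    print(lookup("10.20.30.41", "2024-03-04 09:00:00"))
```

The gap between a release and the next assignment is reported as "nobody", which is the honest answer; a lookup that silently returned the previous holder would attribute activity to the wrong person. In practice the server's own lease database and the timestamps' time zone also need to be recorded, since an investigation will compare these records against logs from other systems.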
Board of Regents Information Technology Policies
The Montana University System Board of Regents has implemented information technology policies that apply to all public institutions of higher education within the state of Montana. These policies may be reviewed at:
http://www.montana.edu/wochelp/borpol/bor1300/bor1300.htm
Freedom from Harassment
All members of the campus community have the right not to be harassed by the computer or network usage of others. The following activities constitute harassment: (1) intentionally using the computer to annoy, threaten, intimidate, or offend another person, (2) intentionally using a computer to interrupt the academic, research, administrative, or related pursuits of another, and (3) intentionally using the computer to invade the privacy, academic or otherwise, of another.
Copyrighted Material
Computer users are prohibited from copying, storing, or distributing copyrighted material, such as music, video, etc., in violation of the federal Copyright Act.
Notification of Suspected Breach
Network users are responsible for promptly reporting suspected or detected violations of these standards to the MSU Executive Director for Information Services/Chief Information Officer or his/her delegate at each campus.
Appeals Process
Appeals of decisions made by the information technology departments at each campus relative to these standards or the MSU Campus Networking Policy may be made to the appropriate university official or committee at each campus, such as the Executive Director for Information Services/Chief Information Officer at MSU-Bozeman.