Network Connection Policy
This policy is designed to protect the campus network and the ability of members of the Brown community to use it. The purpose of this policy is to define the standards for connecting computers, servers or other devices to the University's network. The standards are designed to minimize the potential exposure to Brown University and our community from damages (including financial, loss of work, and loss of data) that could result from computers and servers that are not configured or maintained properly and to ensure that devices on the network are not taking actions that could adversely affect network performance.
Brown University must provide a secure network for our educational, research, instructional and administrative needs and services. An unsecured computer on the network allows denial of service attacks, viruses, Trojans, and other compromises to enter the university's campus network, thereby affecting many computers, as well as the network's integrity. Damages from these exploits could include the loss of sensitive and confidential data, interruption of network services and damage to critical Brown University internal systems. Universities that have experienced severe compromises have also experienced damage to their public image. Therefore, individuals who connect computers, servers and other devices to the Brown network must follow specific standards and take specific actions.
This policy applies to all members of the Brown University community or visitors who have any device connected to the Brown University network, including, but not limited to, desktop computers, laptops, servers, wireless computers, mobile devices, smartphones, specialized equipment, cameras, environmental control systems, and telephone system components. The policy also applies to anyone who has systems outside the campus network that access the campus network and resources. The policy applies to university-owned computers (including those purchased with grant funds), personally-owned or leased computers that connect to the Brown network.
3.1 Appropriate Connection Methods
You may connect devices to the campus network at appropriate connectivity points including voice/data jacks, through an approved wireless network access point, via a VPN or SSH tunnel, or through remote access mechanisms such as DSL, cable modems, and traditional modems over phone lines.
Modifications or extensions to the network can frequently cause undesired effects, including loss of connectivity. These effects are not always immediate, nor are they always located at the site of modifications. As a result, extending or modifying the Brown network must be done within the OIT published guidelines. Exceptions will be made by OIT for approved personnel in departments who can demonstrate competence with managing the aforementioned hardware.
3.2 Network Registration
Users of the university network may be required to authenticate when connecting a device to it. Users may also need to install an agent on their computers before they are allowed on the network. The role of such an agent would be to audit the computer for compliance with security standards as defined in section 3.4 below.
OIT maintains a database of unique machine identification, network address and owner for the purposes of contacting the owner of a computer when it is necessary. For example, OIT would contact the registered owner of a computer when his or her computer has been compromised and is launching a denial of service attack or if a copyright violation notice has been issued for the IP address used by that person.
3.3 Responsibility for Security
Every computer or other device connected to the network, including a desktop computer has an associated owner (e.g. a student who has a personal computer) or caretaker (e.g. a staff member who has a computer in her office). For the sake of this policy, owners and caretakers are both referred to as owners.
Owners are responsible for ensuring that their machines meet the relevant security standards and for managing the security of the equipment and the services that run on it. Some departments may assign the responsibility for computer security and maintenance to the Departmental Computing Coordinator or the Departmental Systems Administrator. Therefore, it is possible that one owner manages multiple departmental machines plus his or her own personal computer. Every owner should know who is responsible for maintaining his or her machine(s).
3.4 Security Standards
These security standards apply to all devices that connect to the Brown University network through standard university ports, through wireless services, and through home and off campus connections.
- Owners must ensure that all computers and other devices capable of running anti-virus/anti-malware software have Brown-licensed anti-virus software (or other appropriate virus protection products) installed and running. Owners should update definition files at least once per week. See OIT's Software Catalog for more information.
- Computer owners must install the most recent security patches on the system as soon as practical or as directed by Information Security. Where machines cannot be patched, other actions may need to be taken to secure the machine appropriately.
- Computer owners of computers that contain Brown Restricted Information should apply extra protections. OIT's Information Security Group will provide consultations on request to computer owners who would like more information on further security measures. For instance, individuals who are maintaining files with Social Security information or other sensitive personal information should take extra care in managing their equipment and securing it appropriately.
3.5 Centrally-Provided Network-Based Services
OIT, the central computing organization, is responsible for providing reliable network services for the entire campus. As such, individuals or departments may not run any service which disrupts or interferes with centrally-provided services. These services include, but are not limited to, email, DNS, DHCP, and Domain Registration. Exceptions will be made by OIT for approved personnel in departments who can demonstrate competence with managing the aforementioned services. Also, individuals or departments may not run any service or server which requests from an individual their OIT-maintained password.
3.6 Protection of the Network
OIT uses multiple methods to protect the Brown network:
- monitoring for external intruders
- scanning hosts on the network for suspicious anomalies
- blocking harmful traffic
All network traffic passing in or out of Brown's network is monitored by an intrusion detection system for signs of compromises. By connecting a computer or device to the network, you are acknowledging that the network traffic to and from your computer may be scanned.
OIT routinely scans the Brown network, looking for vulnerabilities. At times, more extensive testing may be necessary to detect and confirm the existence of vulnerabilities. By connecting to the network, you agree to have your computer or device scanned for possible vulnerabilities.
OIT reserves the right to take necessary steps to contain security exposures to the University and or improper network traffic. OIT will take action to contain devices that exhibit the behaviors indicated below, and allow normal traffic and central services to resume.
- imposing an exceptional load on a campus service
- exhibiting a pattern of network traffic that disrupts centrally provided services
- exhibiting a pattern of malicious network traffic associated with scanning or attacking others
- exhibiting behavior consistent with host compromise
OIT reserves the right to restrict certain types of traffic coming into and across the Brown network. OIT restricts traffic that is known to cause damage to the network or hosts on it, such as NETBIOS. OIT also may control other types of traffic that consume too much network capacity, such as file-sharing traffic.
By connecting to the network, you acknowledge that a computer or device that exhibits any of the behaviors listed above is in violation of this policy and will be removed from the network until it meets compliancy standards.