
Local Network Access Policies

The following policies cover any computer attached to the local Ethernet network. Failure to abide by any/all of these terms may result in denial of network service, either through explicit action on the part of local network management, or as the result of maliciousness outside of local control (i.e. "cracking"). Depending on the severity of an incident, academic misconduct and/or legal proceedings may be initiated. Local network management (hereafter referred to simply as "management") may be contacted by sending E-mail to Site Management.

  1. While we recognize that everyone has a number of passwords to manage, it is prohibited to post account authentication information (e.g. username and password) in the open. In this context, "the open" includes notes taped to monitors, desktops, etc. The rule of thumb is, if someone standing at a computer can easily find authentication information allowing him/her to access the system, the information is not sufficiently secured.

  2. Networking equipment, including (but not necessarily limited to) network jacks, cables, and other components of the "backbone" MUST NEVER be modified by users. End-users should never attempt to extend network cables via "couplers", splicing, etc. Contact management if you are having a network problem or you need assistance in network "drop" placement.

  3. So-called "broadband" routers (or routers of any kind, really, including those that provide wireless [WiFi] connectivity) MUST NOT be attached to the network by end-users. Any such device discovered on the local network without authorization by management will lead to the immediate termination of network connectivity for the device and anything attached to it, and perhaps even (at least temporary) confiscation of the router by ECR6 Management, to prevent its connection to the network.

  4. Management MUST be contacted before any computer is attached to the local network, to arrange for network configuration.

  5. Network configurations (e.g. IP addresses, computer system names, network protocols, etc.) are not to be changed by the user. All such modifications are to be made exclusively by management, or by someone officially permitted to do so by management. "Borrowing" an IP address (or a network connection) from one system to be used on another is prohibited.

  6. Any computer system attached to the local network must have a monitor, mouse (or pointing device of some kind) and keyboard attached at all times. Peripherals that come with a new computer system (e.g. monitors, mice, keyboards, etc.) cannot be separated from the computer with which they were ordered during the warranty coverage period of the system.

    Personally-owned computer devices cannot be installed on OSU-owned systems. In this context, "installation" means user-initiated software loading for the purpose of supporting a hardware peripheral. If you insert your own "thumb drive" into the USB port of a Windows system, for example, and Windows loads a driver to support it, that would be allowed, but if the insertion of the USB drive triggers or requires the installation of application software that would require administrative access on the computer, the device cannot be used on departmental computers.

  7. Personally-owned systems cannot be attached to the departmental network. osuwireless is available in several areas to accommodate personal connectivity.

  8. Desktop computers connected to the network are not to be moved without prior notice sent to management. Notification is also required for any computers which were at one time attached to the network and are being taken out of service, so that any addresses in use can be reallocated.

  9. Data acquisition and/or instrument control systems should not be used for general Web browsing, E-mail, etc. When you use such a system for such purposes, you subject the system to a higher probability of infection or compromise than if the system is left alone to solely handle the attached instrument(s). There are countless cases of an infection preventing normal system behavior, and limiting (or even blocking) normal operation with any connected devices. In fact, depending on how an instrument is attached to a computer, you even risk physical damage to the instrument. The best way to address this is to operate instrument control systems without connection to the local network. If you must have a network connection on such a system, it is safest to dedicate the system's use only to its data acquisition and/or instrument control role(s) and use other systems for common desktop productivity operations.

  10. Any system which is capable of providing a command line (shell) to a remote user (e.g. via the Telnet protocol) is potentially susceptible to "cracking." To minimize such systems' vulnerability, these systems MUST be connected to the network backbone via a network switch (as opposed to a network hub). (Such systems include computers running any variant of Linux/UNIX, OpenVMS, etc., which come complete with command line shells, and any other system [e.g. Windows XP/7] which is configured to run a command line shell [such as a telnet "daemon"].) The design of a network switch helps to protect a system attached to it from the common "cracking" practice of "packet sniffing".

  11. For the best performance and security, when connecting a number of computers/printers within a room to a single network connection, we recommend the purchase and installation of a network switch. For specific vendor recommendations, please contact computer management.

    Ideally, each network connection should be a direct link to the network backbone. In many cases, this is cost prohibitive and/or the backbone couldn't deal with the additional connections, directly. In such situations, the purchase and installation of a network switch would be warranted. There are basically two types of network switch: managed and unmanaged. An unmanaged switch is what you can get off the shelf at the nearest electronics store for well under $100, whereas a managed switch is much more expensive and is not typically carried by the large consumer electronics chains. If a room needs multiple connections, a managed switch is always preferred. We are willing to support the use of an unmanaged switch in cases where no more than eight (8) device connections are needed, not including the connection from the switch to the departmental backbone. It should be noted, however, that with an unmanaged switch, should it be necessary to block access for a given device attached to the switch, we would have to block access for all devices attached to the switch; with a managed switch, we can selectively control each switch port. So, if you can't risk having a given device's network access blocked because another device attached to the same switch needs to be blocked, you should opt for a managed switch. As mentioned above, ECR6 Management will need to work with you to determine an appropriate model of switch, regardless of the kind you need.

    Building/room renovations should always be planned to provide integrated managed networking. Networking gear in such installations will be considered as part of the network backbone, and may be used to provide connectivity to areas outside of the renovated space.

    If you have more than one computer/printer to be attached to the network, you will need cables to span between your switch and your computer equipment. The OSU Bookstore in the Central Classroom building carries a small selection of common network cable lengths. Any network cable must be rated as at least "Category 5." (If you find cable with a higher number, it would still be Category 5 compliant.)

  12. A network connection may not span between rooms (e.g. through the use of a network hub or switch, a long network cable, etc.), unless the cable run(s) can be individually managed (implying the cabling is part of the departmental backbone). If you require a network connection in a room which is not equipped with the necessary network jack, you will need to arrange for installation of a new "drop". Practically every room in the local building complex is equipped with at least one network jack. Check with management to find out if your room is equipped with a network jack, and its location.

  13. Access must be maintained for management for any system which requires "privileged access" for network (re)configuration. (For example, management must have "root access" for any Linux/UNIX systems attached to the network.)

  14. Physical access to network jacks and network equipment must be maintained at all times without obstruction or obfuscation. For example, it is improper to place furniture in front of a network jack which would limit or completely block the visibility of the jack's identification number. Likewise, direct access must be maintained for any network gear (hubs, switches, etc.), and all network jacks must remain clearly/cleanly identified. (Be careful when painting.)

  15. Computer systems attached to the network are not to be configured with "open" accounts, or other means of acquiring system access without authentication. Similarly, computer accounts are to be maintained only for local users. Anyone who is not affiliated with The Ohio State University (or more specifically, CBE or MSE) is NOT entitled to a local computer account. Accounts for external (non-OSU) users are ONLY to be provided under the auspices of an official research project or support contract.

  16. Management should be consulted before any system intended as a server is placed into operation. Local computer systems should not be running services which are not required, including (but not necessarily limited to) routing daemons, DNS servers, FTP servers, mail servers (e.g. UNIX sendmail), Web servers, etc.

  17. Operating systems on computers attached to the network are not to be changed without the approval of management. "Dual booting" (i.e. running more than one operating system on a single computer) is NOT permitted; such systems are notoriously complex to support, causing confusion in management and complicating network security. (For example, ECR6 Management wouldn't be able to rely on a single access method to such a system in order to manage it.) If you need to run more than one operating system on the same hardware, you'll need to use a virtualization product such as VirtualBox (free for educational use), VMware or Parallels; in such cases, Windows or Mac OS X must be the "host" operating system.

  18. Any OSU-owned computer is to ONLY be configured with a North American English operating system if/when connected to the local network. All software on such systems must similarly only present an English interface. Operating systems running in a native language other than North American English are ABSOLUTELY NOT PERMITTED on OSU-owned computers connected to the departmental network.

  19. The following types of programs are NOT PERMITTED on the local network:

    • So-called "pay-to-surf" programs: These are applications and/or schemes that offer to pay/reward the user for visiting Web sites. Using the resources of the University for personal monetary gain is not allowed.

    • Surfing emulators: These are programs which are often used in conjunction with the aforementioned "pay-to-surf" schemes. The surfing emulator runs on a computer and mimics the behavior of someone visiting Web sites. Since this is used indirectly for personal monetary gain, use of such programs is not allowed. These programs also consume undue amounts of bandwidth.

    • Pre-release or "beta" software is not to be installed on any OSU-owned system without the express consent of ECR6 Management. The local network (which, for the purposes of this policy, includes any devices attached to it) serves the production enterprise comprised of faculty, staff and students in the departments of Chemical and Biomolecular Engineering and Materials Science and Engineering. It is not to be used as a "test bed."

    • Peer-to-peer (P2P) file sharing applications: These are programs which allow the direct transfer of files between two computers on the Internet. There is no reason why someone on our network should need such ability for academic and/or research needs. Such software isn't allowed to be run on the local network, and it is prohibited on OSU-owned systems connected to the local network. (That is, it must not even be installed on such systems.)

    • Peer-to-peer (P2P) media players: A number of programs are available that allow you to listen and/or view streamed media which is "served" across a number of random systems across the Internet. Such programs consume our bandwidth to the Internet and thus restrict access for legitimate purposes.

    • Other peer-to-peer (P2P) applications: In general, P2P programs can't be used on the local network, since they generate too much traffic which appears as various forms of prohibited behavior. The one exception is the Internet telephony application known as Skype. To use Skype on the local network, though, you MUST follow these instructions.

    • Bandwidth optimizers: These are applications or mechanisms which purport to increase the speed of your network connection. All modern operating systems, by default, are already optimized for Ethernet network connectivity. Using a program to optimize your connection (which is typically designed to optimize slower connections, such as using a MODEM) will only tend to decrease your network bandwidth.

    • Download accelerators/managers: These are programs which attempt to increase the speed of downloading files by opening multiple connections to a file server, or by allowing the download of multiple files at once. These applications place an undue amount of strain on the network, since they require more bandwidth than a standard file download request is designed to handle.

    • IRC: Internet Relay Chat is a popular means of spreading "trojan horses" and other mechanisms which might compromise a computer's security. The risk is too high to allow IRC on the local network, so no one should be using it here. Note that many Web sites utilize IRC to provide for real-time "chatting." As such, if you attempt to use such a facility and find it won't work, this is probably due to the blocks on our firewall limiting access to IRC.

    • Warez (as in "softwarez" [sic]), or "cracked" programs: These aren't necessarily network-related applications, but are programs that have been "broken" to allow running them without paying for a license that would otherwise restrict them. The distribution and/or use of such programs is ILLEGAL. Any computer used here that is found to have such software installed will have its network connectivity terminated and the owner/user[s] of the computer will be reported to the appropriate authorities. Please don't steal software, which is what you're doing when you run such programs.

    • Network games: Any computer games that call for network communication are not permitted on the local network, due to the large amounts of bandwidth they might require. Games of any sort shouldn't really be installed on any OSU-owned systems in any of the departments/centers served by the computer facility.

    Programs that provide for "instant messaging" are another case of network-related applications that can cause problems. Such programs are permitted on the local network, but they are not supported. In other words, you can run such programs if you are able, but no effort will be made to specifically accommodate or maintain this ability.

  20. Nothing connected to the network requires the use of Netware (e.g. IPX/SPX) protocols, and these protocols should not be enabled.

  21. The so-called "welcome screen" of Windows XP (and newer) is a security risk, since it essentially lists all the accounts available on the machine. "Fast user switching" is also a problem, since it can make determining who is using a system at any particular time difficult, because more than one user can be logged on at once. As such, fast user switching and/or the welcome screen in Windows XP (and other operating systems that offer similar capabilities) should be disabled. If you (or the systems for which you are responsible) are running Windows XP/7, your computer(s) should be configured to disable the display of the last user to login to the system.

    All systems which are capable of prompting for both username and password must be configured to do so. No "automatic logins" are permitted on any system connected to the local network (or any part of the OSU network infrastructure).
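    As an added example (not part of this policy page and not a tool provided by ECR6 Management), the following PowerShell script audits, and can enforce, the logon settings item 21 describes: hiding the last logged-on user name, disabling fast user switching, forcing the classic logon prompt instead of the welcome screen, and disabling automatic logon. It uses the standard Windows policy registry locations for these settings; the function names, the `$Desired` table and the requirement to run from an elevated prompt are this example's own assumptions.

```powershell
# Added example: audit/enforce the item 21 logon settings on a Windows system.
# Run from an elevated PowerShell prompt (Windows XP/7 with PowerShell installed, or later).

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Desired state. LogonType 0 selects the classic logon prompt (no account list);
# AutoAdminLogon '0' disables automatic logon.
$Desired = @(
    @{ Key = $PolicyKey;   Name = 'DontDisplayLastUserName'; Value = 1;   Type = 'DWord'  }
    @{ Key = $PolicyKey;   Name = 'HideFastUserSwitching';   Value = 1;   Type = 'DWord'  }
    @{ Key = $PolicyKey;   Name = 'LogonType';               Value = 0;   Type = 'DWord'  }
    @{ Key = $WinlogonKey; Name = 'AutoAdminLogon';          Value = '0'; Type = 'String' }
)

function Get-LogonPolicyFindings {
    # Returns one object per setting that deviates from the desired state.
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($d in $Desired) {
        $current = (Get-ItemProperty -Path $d.Key -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        if ($null -eq $current -or "$current" -ne "$($d.Value)") {
            $findings.Add([pscustomobject]@{
                Setting = $d.Name; Current = $current; Expected = $d.Value; Key = $d.Key
            })
        }
    }
    # A stored DefaultPassword means an automatic logon was configured at some point;
    # it must not be present on a networked system (plaintext credential on disk).
    if (Get-ItemProperty -Path $WinlogonKey -Name 'DefaultPassword' -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{
            Setting = 'DefaultPassword'; Current = '(present)'; Expected = '(absent)'; Key = $WinlogonKey
        })
    }
    return $findings
}

function Set-LogonPolicy {
    # Applies the desired state; requires administrative rights.
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
        Set-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Value -Type $d.Type
    }
    Remove-ItemProperty -Path $WinlogonKey -Name 'DefaultPassword' -ErrorAction SilentlyContinue
}

# Usage: report first, then enforce only if something deviates.
$report = Get-LogonPolicyFindings
if ($report.Count -eq 0) {
    'Logon settings comply with item 21.'
} else {
    $report | Format-Table -AutoSize
    # Uncomment to remediate: Set-LogonPolicy
}
```

    On a domain-joined system (see item 25) the same values are normally delivered by Group Policy; the audit function is still useful for confirming the policy actually applied to a given machine before it is connected.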

  22. Operating systems: On PCs, Windows XP Pro(fessional) and Windows 7 Pro (including Enterprise [as typically provided by OSU] and Ultimate) are supported. (Windows Home Edition is not allowed on OSU-owned systems connected to the local network.) Macintosh systems should be running the most recent version of Mac OS X (though, more generally, versions later than v10.4 are fine). Linux/UNIX is allowed, but not supported. (End-users will need to provide day-to-day maintenance and support, themselves. Proof of compliance with University and Departmental networking policies must be provided on request, and certainly before network connectivity is established.)

  23. Any decisions which might affect an OSU-owned computer system's operation (e.g. operating system installation/configuration) and/or security (e.g. anti-virus software installation/configuration) must be approved by computer support staff before the fact. If you choose to make such changes yourself without involving support staff, and/or you arbitrarily ignore networking policy, you implicitly absolve computer staff of responsibility for supporting your system(s) and incur the full responsibility of maintaining it in conformance with all policies and standards of the local department(s), University, and federal/state law.

  24. Users should note that resources provided via Windows file sharing or SAMBA under Linux/UNIX (and Mac OS X) are not generally accessible beyond the local network. Windows users should ensure they do not maintain any "Network Places" which refer to such facilities.

  25. Administration of computing devices within CBE, MSE and related units is the official responsibility of ECR6 Management. Administrative access to systems for end-users is covered by the College of Engineering's Local Administrative Privilege Standard (LAPS). The terms of the departmental LAPS are basically covered under our mechanism for providing management-level access for so-called "Group Administrators."

    In order to ensure consistent application of security measures and for auditing purposes, departmental computers which require network access must use the departmental wired network infrastructure and will be joined to a Windows (Active Directory) domain whenever possible. These measures are necessary to provide compliance with University computing standards and policies.

  26. Anti-virus/anti-spyware software (generally known as "anti-malware") is REQUIRED on any system where it's available. Management understands that certain computers used for instrument control may be harmed if anti-malware software is installed. Under this unique situation, any other measures available that would protect the system must be implemented (known as "compensating controls"). In any other case, if anti-malware software is not going to be run, the system must not be connected to the network. All systems connected to the network are expected to be maintained and kept up-to-date in terms of patches/updates, ideally through whatever automated process is included with the operating system.

  27. Any system with a built-in "host-based" firewall (or for which host-based firewall software is available) must have it enabled and blocking access to the system, by default, except for access which is specifically required. If a built-in firewall isn't available, the alternatives are to upgrade the operating system or acquire a third-party firewall product.
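    As an added example covering both item 16 (no unneeded services) and item 27 (host-based firewall blocking by default), and not part of this page or of ECR6 Management's tooling, the following PowerShell script lists every TCP port a Windows system is listening on together with the owning process, so each one can be checked against the "is this service actually required?" question, and then verifies that the built-in Windows Firewall is enabled on all profiles with inbound connections blocked unless explicitly allowed. It assumes Windows 7 or later (the `netsh advfirewall` context), an English-language system as item 18 requires (the check parses localized `netsh` output), and an elevated prompt for the enforcement step; the function names are this example's own.

```powershell
# Added example: audit listening services (item 16) and enforce a default-deny
# host firewall (item 27) on Windows 7 or later. Run from an elevated prompt.

function Get-ListeningService {
    # One object per TCP port in LISTENING state, with the owning process.
    # netstat -ano is used because Get-NetTCPConnection only exists on Windows 8+.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $proc = Get-Process -Id ([int]$Matches[3]) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $Matches[1]
                Port         = [int]$Matches[2]
                PID          = [int]$Matches[3]
                Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
    } | Sort-Object Port -Unique
}

function Test-HostFirewallDefaultDeny {
    # $true only when the Domain, Private and Public profiles are all ON and
    # all have an inbound policy of BlockInbound (the item 27 requirement).
    $out = netsh advfirewall show allprofiles
    $stateOn = @($out | Where-Object { $_ -match '^\s*State\s+ON' }).Count
    $inBlock = @($out | Where-Object { $_ -match '^\s*Firewall Policy\s+BlockInbound' }).Count
    return ($stateOn -eq 3 -and $inBlock -eq 3)
}

function Set-HostFirewallDefaultDeny {
    # Enable the firewall on every profile and block inbound traffic by default;
    # required services are then allowed individually with explicit rules.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
}

# Usage: review the listeners, then make sure the default-deny posture is in place.
'Listening TCP services (each should be justified or disabled per item 16):'
Get-ListeningService | Format-Table -AutoSize

if (Test-HostFirewallDefaultDeny) {
    'Host firewall already blocks inbound connections by default on all profiles.'
} else {
    'Host firewall is not default-deny on every profile.'
    # Uncomment to remediate: Set-HostFirewallDefaultDeny
}
```

    Services such as a listening Web, FTP or mail daemon that item 16 names will show up in the first table with their process name; a firewall in default-deny mode does not remove the need to stop them, it only limits who can reach them.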

  28. OSU's Policy on Responsible Use of University Computing and Network Resources states that, "Accounts and passwords may not, under any circumstances, be shared with, or used by, persons other than those to whom they have been assigned by the university." In other words, an account is only assigned to a specific person (or limited set of specific people), and the means to gain access to that account can't be shared with anyone else. As a general rule, this disallows the use of "guest accounts."

  29. Access to accounts with administrative privileges must be restricted to use during tasks which require that level of access. In most cases, the account you use on a system attached to the local network will only have normal user access; a separate account should be used to manage the system. If you habitually use an administrative account for day-to-day tasks, the access the account has can be leveraged to compromise the system.

    For example, say you are using an administrative account under Windows XP, and you visit a Web page that happens to have been compromised with a malicious piece of software (known as "malware") designed to automatically install a program on your PC that sends E-mail spam. The program also disables any anti-virus software, to avoid having itself become known to you, which of course leaves the system open to other potential compromises. (This is a very common scenario.) Because of the elevated privileges the account you are using has, the malware basically has free rein of your system. If you were using an account with normal user access (as mandated), the malware might have some effect, but it will typically be limited to your account. As such, an account with administrative access can be used to clean the system of the malicious software.

    The implementation of different accounts for different roles (management vs. normal use) falls under the paradigm of "Privilege Separation." This is a Best Practice in Information Technology, and is necessary to help maintain limited security exposure.