Educause Security Discussion mailing list archives
Re: Outside Entities Computers
From: Adam Stone <adstone () LBL GOV>
Date: Fri, 14 Dec 2007 08:30:32 -0800
I'm amazed by the level of central control some orgs on this list seem to have. In any large research university there are going to be thousands of short and long term visitors, visiting faculty devices, visiting postdoc devices, industrial partner devices, experimental devices provided directly by vendors who want to test them, faculty-owned devices, collaboration owned devices, etc. On any given day, we have hundreds of devices on our network that are not "ours" and our network is modest in comparison to a large research university.

That said, our philosophy is that minimum standards apply whether the central IT org controls the device or not and irrelevant of who owns it. Scanning and IDS provide assurance that the device is behaving within some realm of reasonableness - we do not require root on the box or control of the OS to have that level of assurance. If the device misbehaves, they are bounced from the network until they explain it or fix it. Network registration gives us a contact person. We take steps to minimize the impact of a single misbehaving device by putting monitoring at many distributed points and by minimizing the overlap between various webs of trust.

This not only allows for the patterns researchers expect (bring devices, work with others), it makes clear where the locus of responsibility for security sits: End Users and System Administrators (not the central IT or central security organization).

Adam Stone
IT Policy
University of California - Lawrence Berkeley National Laboratory

On 12/14/07, Lovaas,Steven <Steven.Lovaas () colostate edu> wrote:

For those of you that run centrally administered networks, it may be easy enough to just say "if it's not centrally managed it doesn't get full access." For Universities with more distributed IT structures, this is harder. Short term guest access is one thing, but there are any number of classes of devices whose users are going to require ongoing access to the main network, and whose OS and apps are not going to be centrally managed.

ROTC is a case in point. Funds and procurement rules are generally federal, and they basically do their own thing. But because they're also working with students they need access to all the things that other departments need. This would be a great case for defining a separate security zone with a firewall and some sort of remote application access (citrix or SSL vpn or something of that sort).

There's a more general question, though, that Buz brings up. Do you allow non-University clients at all? If so, how do you deal with them?

Steve

============================================
Steven Lovaas, MSIA, CISSP
IT Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================

-----Original Message-----
From: Buz Dale [mailto:buz.dale () USG EDU]
Sent: Friday, December 14, 2007 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outside Entities Computers

I would think if the ROTC brought up a machine on campus it would be a federal (DOD) Gov't machine. As such, it should have very strict requirements. It's possible the staff in your local ROTC are not aware of this.

Also, do you have a connection policy about machines connecting to your network? A special VLAN or Lan they can be placed on outside of your firewall and considered hostile?

Luck,
Buz

On 12/14/07, jason rinne <jasonrinne () hotmail com> wrote:

The ROTC department here on campus has brought in two of their own computers to use in their office. My concern is security (anti virus, windows updates) on the computer itself and identifying who was logged in and when in case an issue ever came up. Would anyone like to share their thoughts or policies on outside entities (such as ROTC) bringing in their own computer for use in their office on campus?

Jason Rinne
IT Department
Missouri Valley College
Marshall, MO
www.moval.edu

--
Buz Dale
buz.dale () usg edu
IT Security Specialist
1-888-875-3697 (In GA)
1-706-583-2005
Office of Information and Instructional Technology
University System of Georgia
GMT -5:00