
Network Security Policy

Complete Policy Title: Network Management Services - Physical and Logical
Policy Number:
Approved by: Learning Technology Committee
Date of Most Recent Approval: October, 1996
Revision Date(s): March 21, 1994
August 25, 2000
July 8, 2003
Position Responsible for Developing and Maintaining the Policy: Director, CIS
Contact Department: University Technology Services
DISCLAIMER: If there is a discrepancy between this electronic policy and the written copy held by the Policy owner, the written copy prevails.

Policy on Network Management Services - Physical and Logical

General
The strategic direction of the University is to enable network access to all faculty and staff offices, as well as to other identified access points on campus. Excluded from this is access for commercial tenants in University buildings, since many University suppliers provide discounted services only on condition that use be restricted to University purposes. All campus buildings have connections to the network (with the exception of Pinky Lewis Field House), although not all rooms within the buildings have data connections.

Everyone who accesses the campus network must adhere to the Code of Conduct for Computer and Network Users, the FibreWired Acceptable Use Policy summarised therein, and all McMaster University building standards and codes including the CIS Network Wiring Standards Document.

Details
Currently UTS has limited funding approved to provide management, analysis, development, maintenance and operation of the McMaster campus data communications network. This includes management of the McMaster campus network backbone and off-campus connections to peer organizations and to the Internet through the ORION network and through FibreWired Hamilton, and technical support and management of network services provided through UTS. When one-time funds are available and justified, the University also allocates funds for capital expenditures to upgrade the networking infrastructure.

Backbone Restrictions
Only UTS-approved people can attach devices (e.g. media converters, switches, routers, compute servers) to UTS-maintained subnets. In customer-managed subnets, if a subnet or network component causes problems for the backbone or any other portion of the network, UTS can disconnect the subnet or network component until the problem is resolved.

Domain Membership
The McMaster domain (names ending in .mcmaster.ca) is the only one which can provide services using McMaster network IP numbers (130.113...). Conversely, all machines using IP numbers beginning with 130.113... must have domain names within the McMaster name tree (ending with .mcmaster.ca).

If a separate organisation ('spin-off' or not) registers a separate domain, that organisation must contract the maintenance of its own network services (i.e. create its own network including domain name service - DNS) and negotiate connections with the Internet through a commercial or community service provider (ISP).

It is possible for 'affiliated' organisations, with staff who are both University community members and part of these separate organisations, to arrange with an external domain registration service for their separate domain identity to be aliased to an existing McMaster service for sanctioned business which crosses the boundaries of the two organisations. (In effect, this forwards network traffic invisibly from the external domain address to a McMaster address in a way that is not apparent to the external community.)
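As an added illustration of the address/name rule above (not part of the policy itself), the following Python audits a constructed set of DNS records in both directions the policy states and separately marks the sanctioned external-alias arrangement; the record tuple format, the sample records and the function names are assumptions made for this example.

```python
import ipaddress

MCMASTER_NET = ipaddress.ip_network("130.113.0.0/16")  # address space named in the policy
MCMASTER_SUFFIX = ".mcmaster.ca"                        # the McMaster name tree

def in_name_tree(name: str) -> bool:
    """True if the name lies within the McMaster name tree (ends with .mcmaster.ca)."""
    return name.lower().rstrip(".").endswith(MCMASTER_SUFFIX)

def ptr_to_address(ptr_owner: str):
    """Turn a reverse-zone owner like '10.0.113.130.in-addr.arpa' back into an IPv4Address."""
    labels = ptr_owner.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None  # malformed or not an IPv4 reverse name
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def classify(owner: str, rtype: str, rdata: str):
    """Classify one (owner, type, data) record as ('ok'|'alias'|'violation', reason)."""
    if rtype == "A":
        addr = ipaddress.ip_address(rdata)  # raises ValueError on a malformed address
        if addr in MCMASTER_NET and not in_name_tree(owner):
            return ("violation", "130.113.x.x address served under a non-McMaster name")
        return ("ok", "address/name pairing permitted")
    if rtype == "PTR":
        addr = ptr_to_address(owner)
        if addr is not None and addr in MCMASTER_NET and not in_name_tree(rdata):
            return ("violation", "reverse name for a 130.113.x.x address is outside .mcmaster.ca")
        return ("ok", "reverse mapping permitted")
    if rtype == "CNAME" and not in_name_tree(owner) and in_name_tree(rdata):
        # External domain forwarded onto a McMaster service: the 'affiliated' arrangement
        return ("alias", "external name aliased to a McMaster service")
    return ("ok", "not covered by the address/name rule")

def audit(records):
    """Return [(owner, reason)] for every record that breaks the rule."""
    return [(o, classify(o, t, d)[1]) for o, t, d in records if classify(o, t, d)[0] == "violation"]

# Constructed sample records for this example; not real McMaster DNS data
SAMPLE_RECORDS = [
    ("www.mcmaster.ca.", "A", "130.113.0.10"),
    ("shop.example-spinoff.com.", "A", "130.113.5.20"),
    ("alias.example-spinoff.com.", "CNAME", "portal.mcmaster.ca."),
    ("20.5.113.130.in-addr.arpa.", "PTR", "shop.example-spinoff.com."),
    ("10.0.113.130.in-addr.arpa.", "PTR", "www.mcmaster.ca."),
    ("mirror.mcmaster.ca.", "A", "192.0.2.7"),
]
```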

Network Access for Portable Computers
Full-time employees can register their office computers and be assigned a static IP address to access the campus network, and optionally off-campus networks, without requiring authentication for each session.

Portable computer access to the campus network from public locations is available to all members of the community with a McMaster logon account (students and employees) through the OpenPort mechanism (whether wireless or an OpenPort wired data jack), using VPN client software to authenticate at the start of each session and to encrypt traffic during the session. The OpenPort mechanism is being expanded to include most classrooms, as well as most public-area data jacks. Departments that wish to provide data jack (or wireless) public access points are requested to contact UTS to arrange to use the OpenPort mechanism (i.e. VPN and session authentication).

For data jacks in locations not yet included in the OpenPort system (primarily classrooms), roaming access remains available to full-time employees (typically Roll 1) following registration of the MAC address of the network interface card (DHCP service to data jacks in the specified areas depends upon this prior registration).

While this is not normally available to students, in special circumstances, such as graduate student teaching, the roaming access request form can be submitted by the student's employing supervisor (a McMaster employee), who assumes responsibility, including locating and notifying the student should a problem such as a virus or worm on the computer occur; such access will be term-limited. Undergraduate students would only be allowed to use this mechanism if they required it as part of being employed as a teaching assistant. Again, their departmental employing supervisor must take full responsibility.

Queries and Infractions
When the UTS Network Group is consulted or discovers cases where it appears this policy has been violated, efforts will be made to consult with the client to explore possible means to accomplish client goals within the strictures of the policy. If matters cannot be ultimately resolved to properly support or connect the registered foreign domain, the Network Group will take steps to prevent traffic from that domain from passing to/from McMaster hosts, as well as complaining to the registrar organisations involved about the improper arrangements.

Reasons for these Restrictions

  • A clear identity is essential for debugging problems, and to combat intrusion - attacks by hackers in various forms
  • Maintaining the McMaster name space and its correspondence to subnets would be very difficult without these rules
  • Conditions of membership in outside networks (ONet and the Internet community) are predicated upon following these conventions and are conditional upon identity not being disguised
  • McMaster's identity and some of its obligations as a legal entity are tied to clarity of identification (address & crest)
  • The purpose of the McMaster data network is to facilitate the teaching, research and administrative activities of the University. The address space (130.113.0.0 through 130.113.255.255) is owned by McMaster University and may not be used without permission by any organisation or entity that is not a member of the McMaster community - faculty, staff or student - for these purposes.
  • Permission may be granted to external entities to use the McMaster network temporarily on an individual basis
  • Such permission will not be granted if the non-McMaster use is 'for profit' since many of the software licenses, discounts & working arrangements presume non-commercial educational status

Subnets
The campus network has been partitioned into a number of subnets (second-level networks connected to the campus backbone and isolated from one another by the backbone switches). Within a subnet, network traffic is contained within workgroups and departments as much as is feasible, thus protecting each subnet from other networks on campus (and vice versa). There are a limited number of subnet ports and these are allocated by UTS. If departmental funding is available, UTS can set up subnets on a fee-for-service basis.

In each subnet, a customer contact person may be established as the liaison between UTS and the subnet customers. An agreement will be made with the subnet liaison and/or subnet manager to define where the subnet starts and to ensure that the subnet meets UTS and McMaster University standards.

Customers may choose to manage their own subnet. In customer-managed subnets, the subnet manager will be responsible for all activity within the subnet, such as registering new workstations, installing and moving network connections, dealing with mail problems and distributed printing. The customer may choose to run non-TCP/IP protocols and network and application software which do not affect others not using this software within that subnet. Only protocols approved by UTS are allowed outside the subnet. UTS will provide guidelines on management as well as consultation on a fee-for-service basis.

When a problem exists on any subnet, UTS will seek to determine what is causing the problem. If the source of the problem is equipment owned by UTS, UTS will fix the problem. Where the source of the problem is not apparent, if there are deviations from UTS standards, the subnet must be brought up to standard before UTS can continue with the repair. UTS can be contracted to correct deviations from standards. Where there is customer owned equipment within the subnet, the customer is responsible for the maintenance of that equipment.

In order to provide network services within the subnet, computer server hardware must be capable of running UTS recommended software.

Where customers do not choose to manage a subnet, the "Other Areas" portion of this policy will apply.

UTS Subnet Conventions
UTS has adopted certain conventions to provide the economy of scale necessary to support roughly 100 subnets in 50 buildings with minimal staff. While other choices could be adopted in future, this set of campus-wide conventions is essential to allow any member of the group to respond quickly, be immediately familiar with the situation, and be able to swap and/or re-configure equipment without a need to rediscover deviations between subnets. The current conventions include (in overview):

  1. Cabling to Nordx standards with Cat5E wiring and Nordx components, using one of the group of approved Nordx certified contractors (a certified contractor will supply an overall guarantee for the complete wiring project). Physical Plant has been provided with a UTS wiring standards document for use during the bidding process for major renovation and new building projects.
  2. Equipment from the Cisco line of switches, since UTS is familiar with the configuration command structure, including semantic quirks that differ between vendors, and has adopted common configuration conventions across campus. Rather than maintenance contracts, a common equipment line allows UTS to keep spare switches ready to swap out defective equipment. The common vendor choice simplifies network management, and enables services to be deployed which rely on elements of the Cisco feature set.
  3. Physical separation and exclusive access to switch passwords in order to control configurations. UTS cannot maintain equipment located within a shared space unless it is physically divided. External access is needed to provide service at any time.

Other Areas
Where the customer does not choose to be the subnet manager, individual ethernet connections and moves are carried out by UTS on a time and materials basis at the current UTS labour rate. There is a minimum charge of 1/2 hour. UTS recommended communications software is installed as part of the ethernet install charge. There are minimum equipment requirements to run the communications software. See Supported Hardware Configurations for further details.

In the absence of a customer subnet manager, UTS is responsible for the maintenance of the ethernet infrastructure up to the data wall jack.

Networking infrastructure maintained through UTS operating funds does not include upgrading of wiring or hardware, but includes maintenance of the existing connection. UTS applies for one-time funds and capital funds to upgrade the infrastructure in its budget each year. If approved, recommendations for spending those funds are made based on the areas where improved networking can enhance academic pursuits or increase reliability of the existing infrastructure.

Where customers have applications requiring faster networking technology than the current UTS standard, requests will be considered on an individual basis. The impact on other customers on the subnet must be examined. The customer requesting the faster ethernet would have to pay all costs, including rerouting of the subnet if that were required to protect other people on the subnet.

New data connections can be provided by UTS at customer expense on a time and materials basis. New buildings or major renovations are wired for data at the time of construction as part of the capital building expense overseen by Physical Plant's Planning Department. In cases where a number of ethernet connections are required, such as a lab, it is the responsibility of the customer to seek funding for any lab infrastructure work required. This would include provisions to provide a switch to create a subnet. In all cases where it is the responsibility of the customer, University wiring standards must be followed as outlined in "Structured Approach to Premises Wiring at McMaster University: UTS Network Standards".

UTS is responsible for the maintenance of the ethernet infrastructure within each classroom, supplying UTP Cat-5e wiring up to and including the data jack in the wall. UTS is not responsible for supplying or maintaining patch cables.

Excluded from this are the Ancillary buildings outlined in Appendix A. The customers in these buildings are responsible for the capital and maintenance costs of the networking infrastructure within the building. UTS will maintain the fibre to the building. If there is no fibre to the building, the customer must fund the installation.

Where ancillary departments are located within a non-ancillary building, UTS will provide network maintenance up to the hub where their station is attached to the network. It is up to the Ancillary departments (listed in Appendix A) to provide funding to maintain the network from the local communications equipment closet to their workstations.

Ancillary Departments/Buildings

Appendix A
Ancillary operations are not funded by University operating funds. Any install or move in an ancillary department or building will be funded by the department making the request. They will be billed on a time and materials basis. This would include all network hardware costs such as main corridor conduit and communication closet hardware, including active network components such as concentrators and ports required on the hub.

The ancillary departments include:

  • Athletics and Recreation (non academic areas)
  • Bookstore
  • Continuing Education
  • Faculty Club
  • Hospitality Services
  • Housing
  • Parking
  • Printing
  • Student Health Services
  • Telecommunications

The ancillary buildings include:

  • All of the residences
  • Day Care Centre
  • Divinity College
  • Health Sciences (separate network funding)
  • Refectory
  • Wentworth House

No wiring will be done in Norman (Pinky) Lewis Field House because it is not cost effective.

March 21, 1994

September 1996

August 2000
