Extending the University Data Network
IT-19
About This Policy
- Effective Date:
- 09-19-2008
- Date of Last Review/Update:
- 02-13-2025
- Responsible University Office:
- Information Policy Office
- Responsible University Administrator:
- Vice President for Information Technology and Chief Information Officer
- Policy Contact:
University Information Policy Office, uipo@iu.edu
Scope
This policy applies to all users of Indiana University information technology resources regardless of affiliation, and irrespective of whether those resources are accessed from on-campus or off-campus locations.
Policy Statement
Neither individuals nor units are permitted to independently deploy network devices that extend the university network, or secure or isolate parts of the university network, except as approved by University Information Technology Services (UITS) or as stipulated under the provisions of this policy.
Reason for Policy
Certain network devices such as but not limited to hubs, bridges, switches, routers, firewalls, wireless access points (WAPs), network address translators (NATs), remote access servers (RAS), and virtual private network (VPN) servers, if not deployed and configured correctly, can cause service interruptions and make network problems difficult or impossible to isolate and identify. In addition, if not properly secured, these devices can give unauthorized users access to the university network. The installation of these devices must therefore be managed and coordinated.
University Information Technology Services is responsible for the university's data, video, and voice communications network. This includes designing, deploying, documenting, monitoring, maintaining, supporting, and troubleshooting the physical data, video, and voice networks of the university, as well as the management of the Internet Protocol (IP) address spaces assigned to Indiana University (including public and private addresses).
Procedures
- Remote access services:
- Individuals and units are not permitted to independently deploy remote access servers, VPN servers.
- Layer 2 devices:
- Certain layer-2 devices, such as wired hubs and switches, are very common and pose few problems if deployed prudently; therefore, individuals and units may use layer-2 devices to extend the university network as long as such devices meet university networking standards, are properly and securely managed, and are not used to extend the network beyond the room or cubicle containing the data jack to which the layer-2 device is connected. For example, using a wireless access point, wireless repeater, or a very long cable to provide network connectivity to an adjacent building, another floor, or another room is not acceptable. All layer-2 devices must be deployed securely and in such a manner as to not interfere with the rest of the network.
- Layer 3 devices:
- Deployment of these services and devices will be managed by and coordinated with UITS. Layer-3 devices include but are not limited to routers, firewalls, VPN servers, NATs, and proxy servers. The deployment of stand-alone firewalls in front of single servers or workstations, or host-based (software) firewalls is acceptable and encouraged. However, if an individual or unit desires to protect multiple devices behind a firewall, or if an individual or unit desires to deploy a device that conceals the MAC or IP addresses of the hosts behind it, an exception must be requested from UITS. It should be noted that, if approved, and if multiple hosts are placed behind a NAT device, a problem with any single host behind that device could result in isolation of all hosts behind the NAT device.
- Wireless networks:
- Individuals and units may not deploy wireless networks without an exception granted in accordance with policy IT-20 Wireless Networking.
- Emergency actions:
- UITS engineers, service managers, system administrators, and security and network engineers may temporarily suspend or isolate access to an information technology resource or network device when it reasonably appears necessary to protect the confidentiality, integrity, or availability of the resource or device or data, or to protect other computing resources, devices, or data, or to protect the university from potential harm.
- Exceptions to this policy:
- Requests for exceptions to this policy should be submitted to the Network Operations Center noc@iu.edu or to the UITS Support Center. UITS and/or regional campus counterparts will review requests on a case-by-case basis as appropriate. Approved exceptions to this policy must comply with university networking standards. UITS will maintain a record of approved exceptions to this policy.
- Consultation:
- UITS is available to provide consultation or advice related to this policy and may involve the University Information Policy Office, University Information Security Office, and others in consultation.
- Regional campuses:
- The CIO's campus delegate, in coordination with UITS, is responsible for implementing this policy on regional campuses.
Definitions
- Extending the network
- is defined as connecting something other than a single end-system to a part of the university network (in most cases a data jack). For these purposes, an end-system is defined as a device (e.g., computer) that has no other network connections, physical or virtual, other than the physical link to the data jack. Devices that extend the network include but are not limited to hubs, bridges, switches, routers, firewalls, WAPs, NATs, RAS, VPN servers, or workstations or servers or devices to provide any of this functionality. Connections of end systems to the network are not considered to be extending the network and are not covered by this policy. Also, connecting to machines on the IU network in such a way that the connecting machine does NOT obtain an IU IP address is not covered by this policy (such as by using the Remote Desktop feature of Microsoft Windows).
- IP address spaces
- in this context means blocks of IP addresses assigned to Indiana University by Internet addressing authorities.
- Layer 2 devices
- function at the data link layer of the Open Systems Interconnection Model. Typically these are Ethernet devices such as hubs, switches, repeaters, and WAPs. These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.
- Layer 3 devices
- function at the network layer of the Open Systems Interconnection Model. Typically these are IP devices such as firewalls, NATs, and packet-filtering routers that isolate or conceal other devices from the rest of the network.
- NAT devices
- rewrite the IP header of a packet traversing the device, changing the IP source and/or destination addresses. They also change the layer-2, or MAC address, to that of the NAT device. Often the result is to present multiple devices behind a NAT as if they were a single device.
- Private IP addresses
- are local network addresses that are not routed to the Internet, so that connections to them from other devices on the Internet are not possible. The most common private IP address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as defined by RFC 1918.
- Public IP addresses
- are local network addresses that are routed to the Internet, so that connections to them from other devices on the Internet are allowed.
- Remote access
- services are defined as any mechanisms that allow a machine outside of the physical university data network to appear as though it is part of the Indiana University network. Typically this involves creating a link over either the data network or a phone line and assigning an Indiana University IP address to the remote machine.
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
History
- Reviewed July 2024.
- Reviewed December 2011.
- Revised March 4, 2010: enhancing language in Sanctions section
- Approved: September 19, 2008
- Interim: June 26, 2008
- Draft: August 17, 2001
- Revised: December 2007
- Revised: March 2008