Retired-Policy on the Operation of Private Remote Access Services Connecting to PennNet

I. Title

A. Name: Policy on the Operation of Private Remote Access Services Connecting to PennNet

B. Number: 20011008-remoteaccess

C. Author(s): M. Muth (Wharton), M. Wehrle (ISC Networking), K. McDonnell (Law)

D. Status: [ ] proposed [ ] under review [ ] approved [ ] rejected [ ] obsolete [X] retired

E. Date proposed: 2000-10-18

F. Date revised:

G. Date approved: 2001-10-08

H. Effective date: 2001-10-08

Information Systems and Computing's Information Security organization is the organization at the University of Pennsylvania that has responsibility for addressing network security matters on PennNet. This authority extends to the recommendation of good security practices and subsequent investigation of any unauthorized access to or misuse of PennNet.

This policy specifies the requirements for the operation of private remote access services connecting to PennNet, specifically modems and modem pools.

The purpose of this policy is to provide operational requirements that will ensure authenticated and authorized access to PennNet via remote access services like modems and modem pools. It will also ensure that any security investigations that involve access to these services can be carried out with the aid of uniform and sufficient logging information.

Modem: Acronym for MOdulator DEModulator. A device that sends digital data signals over the analog PSTN (Public Switched Telephone Network). Permits users to access networks such as PennNet or the Internet, or to access hosts, from remote locations.

Modem pool: a group of modems that a user can dial into or out of from his/her computer. A modem pool can provide multiple user access to a network or a group of hosts.

Network access: access to a network of hosts

Host access: access to a single host, as would be provided by software such as a remote control application.

ISDN: Acronym for Integrated Services Digital Network. A means to provide higher speed network access over the PSTN.

If remote access services are not run according to these requirements, unauthorized and/or unauthenticated persons may gain access to PennNet and other University resources and information. If access is not logged according to these requirements, ISC Information Security may not be able to carry out investigations.

This policy applies to devices such as dial-up modems that use PSTN lines, and ISDN lines, which can provide direct access to PennNet, or PennNet-attached computers in cases of remote computing control applications.

  1. In accordance with the Policy on Acceptable Use of Electronic Resources at https://catalog.upenn.edu/pennbook/policy-acceptable-use-electronic-resources, making University computing resources available to individuals not affiliated with the University of Pennsylvania without approval of an authorized University official is prohibited.
  2. Remote access services must authenticate the user connecting to the service.
  3. The names used for authentication must be registered in the Penn authentication database.
  4. Any host involved in the authentication process must be in compliance with the Critical PennNet Host Security Policy.
  5. The following information must be logged for each connection:
    a. A unique key found in the Penn authentication database
    b. Login and logout times
    c. Modem or port logged into
    d. Associated PennNet IP address of the modem or host/port modem is plugged into
  6. Each remote access device used to provide network access must have its own PennNet hostname registered in accordance with the Policy on the use of PennNet IP address space at https://www.isc.upenn.edu/computing-policies/ITPC/ipaddress.

  1. Use of an Internet Service Provider (ISP) in place of operating a private modem pool is strongly recommended. Modem pool operating costs can be prohibitive.
  2. Use of the Campus Authentication System is highly recommended.
  3. An authorization step is recommended in order to limit the use of the remote access services to intended users of the service.
  4. Logging or registration of originating phone number for each connection is recommended.

A. Verification: Information Security will actively use security scanners annually to scan all critical systems. Note that ISC does not plan to actively police the network in an effort to discover non-compliant remote access services, but will act on those discovered during the normal course of events in operating and/or troubleshooting the network.

B. Notification: Notification shall be made to the LSP for the area. Whenever possible and practical, the administrator of the remote access service will also be notified.

C. Remedy: Remedy may be an immediate removal of the service from the network, depending on the severity of the operational impact and security risk to PennNet. Information Security will offer assistance to the systems administrator or LSP for the area in correcting security problems, after which the device may be re-connected to the network and/or normal service restored.

D. Financial Implications: Because the remote access device or host that connects this service to PennNet is considered a critical host, the department or unit owning the critical host shall bear the costs of ensuring compliance with this policy.

E. Responsibility: Responsibility for remedy lies with the system administrator and/or remote access service owner.

F. Time Frame: The actual time interval will depend on the severity of the security risk to PennNet. Non-compliant remote access services must either be remedied within thirty days of notification of the support person, or must be removed from PennNet.

G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html, and the Critical PennNet Host Security Policy at https://www.isc.upenn.edu/ITPC/dhcpserver

H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html

Policy Status

Status: Retired
Date: 01/01/2022
Approval: ISC CIO - Tom Murphy