This policy is intended to ensure secure and reliable network access and performance for the University community. It addresses Internet addressing and domain services, network connections, internal services, network security, monitoring and auditing. The policy also sets forth enforcement procedures and provides for the Chancellor to appoint a Network Security Committee to review the Policy on a regular basis and to ensure that it may be fairly interpreted and enforced.
Individuals, academic colleges/departments, or administrative departments at UNC Charlotte may not create or support an Internet domain hosted from the University’s network without prior approval of ITS.
ITS administers the UNC Charlotte IP address and the uncc.edu domain. ITS also manages any additional domains that support the mission of the University. (ITS also administers all other network addressing systems at UNC Charlotte, e.g., Novell NetWare and AppleTalk.)
Technological changes and other factors may require a reconfiguration of the network resulting in a change to the network addresses assigned to University computers. ITS will give prior notice to affected users before making any changes.
No UNC Charlotte departments, faculty, staff, or students may connect, or contract with an outside vendor to connect, any device or system to the University’s data networks without the prior review and approval of ITS.
Colleges or departments that wish to provide Internet or other network access to individuals or networks not directly affiliated with the University must obtain prior approval from ITS.
All devices placed on the University’s network must be registered with ITS. All authorized University network users (faculty, staff, or students) must be assigned a physical network port and network address by ITS. Network connections at public access ports are restricted to authorized members of the University community.
Physical access to University networking equipment (routers, switches, hubs, etc.) is not permitted without the prior approval of ITS.
ITS will provide a general method for network authentication to University systems.
ITS will take action to prevent source network address forgery (spoofing) of internal network addresses from the Internet. ITS will also take action to protect external Internet sites from source address forgery from the University’s network.
The University’s external Internet firewall policy is to deny all external Internet traffic to the University’s network unless explicitly permitted. Access and service restrictions may be enforced by IP address and/or port number. Proxy services may be used in conjunction with the firewall to restrict usage to authenticated individuals. This policy is designed to protect University network users from attacks launched from the Internet.
The University will identify the systems that will offer Internet services. To facilitate this, academic colleges/departments and other administrative departments must register with ITS any systems that require access from the Internet. These systems must also be protected by access control software, e.g., TCP Wrappers.
The University’s internal Internet firewall policy is to deny all internal IP traffic outbound to the Internet unless explicitly permitted. This policy is designed to protect others on the Internet from attacks launched from the University’s network.
Some network services through standard ports are supported. However, services may be restricted to a limited number of subnets or hosts. For example, electronic mail (e.g., SMTP, Port 25) may be sent and received only by authorized mail servers on campus. User access to the mail accounts (e.g., POP3, Port 110 and IMAP, Port 143) on these servers will be permitted from off-campus through the firewall.
Most network services through non-standard ports are not supported. Services through non-standard ports may be restricted to a limited number of subnets or hosts. For example, WWW access via the standard HTTP port (Port 80) will be permitted, but via some other arbitrary port number may not be permitted.
Limited encrypted tunnels for passing through the firewall to internal resources, such as X-Windows, are permitted with the prior approval of ITS. The recommended method is to use Secure Shell (SSH). IP Multicast tunneling is not permitted.
All modem connections that allow someone from outside the University network to access the University’s network must be registered with ITS. The University reserves the right to block any modem connections, or disconnect any computer system, that allows unauthorized access to the network.
In collaboration with academic and administrative departments, ITS shall identify the appropriate network security level for University systems. These levels are, from highest to lowest: Mission-critical, Important, Normal and Low. Efforts shall be made to protect University computer systems and review it periodically.
In coordination with administrative departments and law enforcement, ITS will investigate, or cause to be investigated, any unauthorized access to University computer systems.
Systems on the network must have adequate security installed and maintained. All systems connecting to the University network must be configured and maintained in such a manner as to prohibit unauthorized access or misuse. For example, a guest account must have a secure password.
It is the responsibility of all UNC Charlotte network users to report security problems to the appropriate system administrators or ITS for investigation.
Network usage judged appropriate by the University is permitted. Some activities deemed inappropriate include, but are not limited to:
Establishing unauthorized network devices, including a router, gateway, or remote dial-in access server; or a computer set up to act like such a device.
Engaging in network packet sniffing or snooping.
Operating network servers of any sort in violation of ITS guidelines.
Setting up a system to appear like another authorized system on the network.
Other unauthorized uses prohibited by this Policy, University Policy 307, “Responsible Use of University Computing and Electronic Communication Resources,” or other ITS organization policies.
ITS maintains traffic logs of the firewall for security auditing purposes.
To safeguard the integrity of the University's computing and electronic communication resources, and to minimize the risks to both those resources and the end users of those resources, ITS will monitor data traffic to detect anomalous network activity and will access, retrieve, read, and/or disclose data communications when there is reasonable cause to suspect a violation of applicable University policy or criminal law, or when monitoring is otherwise required by law.
With the permission of the system administrator or his or her superior, ITS may perform a security audit of any computer system attached to the University’s network. ITS will provide a report after the audit is completed.
Any device found to be in violation of this Policy, or found to be causing problems that may impair or disable the network in any way, is subject to immediate disconnection from the University’s network. The Data Network Services Department or other IT departments may require specific security improvements where potential security problems are identified.
Attempting to circumvent security or administrative access controls for information resources is a violation of this Policy. Assisting someone else or requesting someone else to circumvent security or administrative access controls is also a violation of this Policy.
Initially approved by the Board of Trustees September 27, 2002
Revised May 21, 2004