Remote Access Guidelines

1.0 Purpose

The purpose of these guidelines is to define standards for connecting to the College of Public Health’s network from a remote location. These standards are designed to minimize the potential exposure to the College of Public Health from damages which may result from unauthorized use of College of Public Health resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical College of Public Health internal systems, etc.

2.0 Scope

These guidelines apply to all College of Public Health employees or students with a College of Public Health-owned or personally-owned computer or workstation used to connect to the College of Public Health network. This policy applies to remote access connections used to do work on behalf of the College of Public Health, including reading or sending email and viewing intranet web resources.

Remote access implementations that are covered by these guidelines include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, T1, VPN, SSH, and cable modems.

3.0 Guidelines

3.1 General

It is the responsibility of the College of Public Health employees and students with remote access privileges to the College of Public Health network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to the College of Public Health.

General access to the Internet for recreational use by immediate household members through the College of Public Health network on personal computers is prohibited. The College of Public Health employee is responsible for ensuring that the family member does not violate any College of Public Health policies/guidelines, does not perform illegal activities, and does not use the access for outside business interests. The College of Public Health employee bears responsibility for the consequences should the access be misused.

3.2 Requirements

  • Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication, public/private keys with strong pass-phrases or password encrypted authentication. For information on creating a strong pass-phrase see the Password Guidelines.
  • At no time should any College of Public Health employee provide their login or email password to anyone, not even family members.
  • College of Public Health employees and students with remote access privileges must ensure that their College of Public Health-owned or personal computer or workstation, which is remotely connected to College of Public Health’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  • Routers for dedicated ISDN lines configured for access to the College of Public Health network must meet minimum authentication requirements of CHAP.
  • Frame Relay must meet minimum authentication requirements of DLCI standards.
  • Non-standard hardware configurations must be approved by the College Office of Information Technology.
  • All hosts that are connected to College of Public Health internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes personal computers.
  • Personal equipment that is used to connect to College of Public Health networks must meet the requirements of College of Public Health-owned equipment for remote access.
  • Organizations or individuals who wish to implement non-standard Remote Access solutions to the College of Public Health production network must obtain prior approval from the College Office of Information Technology.

4.0 Enforcement

Any employee found to have violated these guidelines may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Cable Modem: Cable companies such as Mediacom Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.

CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.

DLCI: Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies a particular PVC endpoint within a user’s access channel in a frame relay network, and has local significance only to that channel.

Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name “modem” for modulator/demodulator.

DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

Frame Relay: A method of communication that can scale incrementally from the speed of an ISDN line to the speed of a T1 line. Frame Relay is billed at a flat rate rather than per time used. Frame Relay connects via the telephone company’s network.

ISDN: There are two flavors of Integrated Services Digital Network or ISDN: BRI and PRI. BRI is used for home office/remote access. BRI has two “Bearer” channels at 64kbit (aggregate 128kb) and 1 D channel for signaling info.

Remote Access: Any access to College of Public Health’s network through a non-University of Iowa controlled network, device, or medium.