Computer and Network Use Policies
Rationale for a Network Policy
This document is designed to serve as a guide to using computers and the network on the Columbia University Medical Center campus (hereafter
referred to as CUMC). It will provide a frame of reference for anyone who uses the network and the many systems connected to it.
In creating policies that apply to all people who use these resources, CUMC system and network managers need to show how global policies
benefit everyone who relies on computing at CUMC. Additionally, these policies will show how it can be risky for individuals to invent rules
unilaterally, because large-scale policies and procedures work best when they have been constructed in the context of the entire
organization, and when they take into account the needs of everyone affected.
Organization-wide policies, when carefully constructed, have a global perspective that individuals may not be able
to achieve when acting on their own. Global policies can be applied to widely varying parts of the organization, and offer a consistent
umbrella, with rules that pertain fairly to everyone. Any exceptions to the rules can be devised so that exceptions reflect the organization's
needs. In a heavily networked environment, having a perspective that takes the entire organization into account makes it most likely that
solutions will not allow one part of the campus to inadvertently have a negative impact on another area. In the end, judiciously crafted
organizational policies will help create a computing environment that reflects the needs of its workers and helps establish the fairest and
most consistent set of rules for the broad community that relies on computers and the network at CUMC.
Purpose: The purpose of this document is to establish procedures to ensure the
continuous operation of Columbia University Medical Center's (henceforth known as CUMC) data network. The CUMC Network is a resource
which is shared between Columbia University Medical Center and New York-Presbyterian Hospital and is jointly operated by those two
organizations. The network, as a shared resource, requires central governance and universally applied rules in order to serve well the
needs of its operating organizations.
Scope: This policy applies to all faculty, employees, contractors, consultants, temporaries, students, and other workers at CUMC,
including those workers affiliated with third parties who access CUMC information systems and networks. Throughout this policy, the word
"worker" will be used to collectively refer to all such individuals. The policy applies to all computer and data communication systems
connected to the CUMC network or using an IP address administered by Core Resources or anyone whose traffic traverses the CUMC network. All
workers are expected to be familiar with the policies and the consequences of violation as listed below.
CUMC Computer Network Procedures
Default Policy
Columbia University's Computer and Network Use Policy
(www.columbia.edu/cu/policy) shall apply on the Medical Center
campus unless modified in this document.
Network Availability
Policy:
The University recognizes the need to balance the community's need for a continuously available data network against the community's
need for continual improvements in that data network in order to provide better service. The latter need drives a requirement for scheduled
downtimes: periods of time when the network is unavailable to the users. These downtimes will occur, but reasonable effort will be made
to minimize their impact on the community.
Procedure:
Scheduled Downtime is necessary for all areas of the network in order to perform maintenance and upgrades on the network electronic devices. Working
with such change management procedures as are implemented by Information Services, Core Resources shall notify and work with the
help desk and affected users to create reasonable scheduling of the downtimes that will mitigate the effect of these necessary downtimes on
users' operations.
All data network access devices, including switches, routers, hubs, firewalls, cabling, and access points, must be set up, configured, and
administered by the department of Core Resources or their designated agent. With the exception of wireless access points and accessories,
all such devices must be physically in secure locations accessible only by Core Resources workers. Any network access device (including any
mini-hub in an office or on a lab bench) found connected to the network and not administered or already permitted in writing by Core Resources
will be disconnected by Core Resources. Equipment installed in telecom closets which are not network access devices or network access devices
which are configured into proprietary modes to support particular applications will not be supported by Core Resources.
Procedures:
Procedures and Standards, to be developed more fully, will address the following, among other issues:
Cabling vendors, whether contracted by Core Resources or by Design and Construction for renovation projects or by individual users for single
cable runs, must conform to all Hospital and University installations policies and procedures; in addition, they must be Siemons-certified
and the cable labeling and documentation they provide must conform to Core Resources specifications.
Renovations and Projects which involve the addition of three or more network connections are expected to plan and budget for
additional network equipment, as may be specified by Core Resources.
Data closets, where network devices are connected together through ports on a switch, must be located on the same floor
and the same building as those network devices. It is necessary to reserve space in floor designs for those closets when constructing or
renovating locations. This requirement exists whether an area uses cabled or wireless network access.
Cabling standards: Devices are connected to access switches in data closets using copper Category 5e cabling. Data
closets are linked together on the campus using multi-mode and single-mode optical fiber (depending on the distance).
Private Departmental networks which are entirely self-contained and independent of the campus network will be permitted on a case-by-case basis after
review by CUbhis. Though permitted, these networks will not be supported by CUbhis.
Procedure:
Procedures to allow users of private data networks on the Medical Center campus to obtain review and permission from CUbhis
will be placed here as they are developed.
Dial-in modems or private lines (i.e. circuits) on network connected devices are permitted for emergency server administration and maintenance or
point-to-point business information transmissions but must be limited to specific business uses. They must have authentication procedures and
other security-related access parameters conforming to the Network Security Policy in place and approved by Core Resources before they may
be used.
Procedure:
Procedures to allow administrators of application-based network links to obtain approval from Core Resources for their dial-up or private circuit links
will be placed here as they are developed.
Registering Network Devices: All devices which will be attached to the network or use network services must first be
registered with CUbhis. Devices that are not so registered with CUbhis may be disconnected from the network without notice.
Procedures:
General Registration
Registration will be administered by the Department of Core Resources.
Devices must have their hardware addresses (MAC addresses) registered with the Core Resources IP admin along with up to date
demographic information about the party responsible for the device. The precise information required from students, faculty and
staff differs; therefore, the procedures that each is expected to follow to provide the information and obtain IP address
assignments also differ.
Requests for registration (and IP address assignment) will be responded to in 48 business hours or less. This IP administration
applies to the Columbia Presbyterian Medical Center campus and those remote sites associated with that campus.
Server Registration and Quarantine Networks:
New Servers and other networked computer equipment which the Security Officer may designate shall be set up and configured while connected to
special Quarantine Networks. These networks are not public and devices connected to them cannot exchange data packets with most other devices
on the campus network or the Internet. Before going into production, devices must move from Quarantine Networks to production networks.
Responsibilities: The Department of Core Resources shall administer the Quarantine Networks at NYP. The Security Officer shall
administer and evaluate the network security testing of servers.
Procedure: Vendors and server administrators or custodians may only assemble and set up new servers either standing alone (no network connection at all)
or connected to a network port on a quarantined network. Quarantined IP addresses will be in the form 10.120.x.x, and the specific address
appropriate for the location where the server is being set up physically should be obtained from Core Resources IP Admin following the
usual procedures for applying for an IP address. The Quarantined network for a given location will be on VLAN 999.
By default, all data processing services which would be delivered via the network (e.g. Simple Network Management Protocol service) are not
delivered into a Quarantine network. While setting up and configuring a server, the administrator may need certain services to be brought into
the Quarantine network for testing. Requests for these services for testing must be forwarded to the Core Resources Security Admin. The
requests must be narrowly defined, noting the source and destination IP addresses and the TCP port number used. Network Time Protocol and
Netware Core Protocol are exceptions; those services will be routinely allowed into the Quarantined networks.
When its administrator believes that the server is ready to go into production, the server will be scanned, i.e. tested for known network security
vulnerabilities. Any security holes identified by the scan must be fixed before the server may be moved off the quarantined network. The scan
also generates warnings. These will be pointed out to the administrator but do not require action. When a scan shows no security holes, the
server may be moved to a production network.
The server administrator applies to Core Resources IP Admin for a production IP address and gets the port changed from the Quarantine
VLAN to a production VLAN. By default, servers will be assigned a private IP address (10.112.x.x or 10.115.x.x on the West Campus) but if
the administrator chooses to make the case for the server's needing to reach or be reached over the Internet, a public IP address will be
assigned.
Immediately after the server has moved onto a production network, it will be scanned again. If this scan turns
up security holes for any reason, its network connection will be broken (by disabling the port) until all holes are fixed. This may require
moving the server back into quarantine.
All scan results for the server will be collected and saved by the Security Officer as a baseline measure of that server's security.
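The quarantine procedure above can be expressed as two checks: whether a request to bring a service into the quarantine network is "narrowly defined" (single source and destination addresses, one TCP port, one endpoint on 10.120.x.x, with NTP and NCP routinely allowed), and whether a scan result permits the move to production (any hole blocks it, warnings only get reported). The following policy-as-code example is added here; it is not CUMC's or Core Resources' own tooling. The scan-result format (a list of severity/description pairs) and the port numbers used for the two routinely allowed services (NTP on 123, NetWare Core Protocol on TCP 524) are assumptions, and the sample requests and scan findings are constructed.

```python
"""Checks for the quarantine-network procedure: validating a request to bring a
service into the quarantine network, and gating the quarantine-to-production
move on scan results. Example code, not the campus's own tooling.

Assumptions beyond the policy text: the scan result format (a list of
(severity, description) pairs, severity 'hole' or 'warning') and the
well-known port numbers of the two routinely allowed services.
"""
import ipaddress

QUARANTINE_NET = ipaddress.ip_network("10.120.0.0/16")  # quarantined addresses are 10.120.x.x
QUARANTINE_VLAN = 999                                   # quarantine VLAN from the procedure
# Services routinely allowed into quarantine (port numbers are an assumption here).
ROUTINELY_ALLOWED_PORTS = {123: "Network Time Protocol", 524: "NetWare Core Protocol"}


def check_service_request(src, dst, tcp_port):
    """Validate one request to bring a service into the quarantine network.

    Returns (verdict, reason) with verdict one of:
      'routine' - NTP/NCP, allowed without a request
      'review'  - narrowly defined; forward to the Core Resources Security Admin
      'reject'  - not narrowly defined, or does not cross the quarantine boundary
    """
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        # A subnet, hostname or wildcard is not a "narrowly defined" request.
        return "reject", "source and destination must each be a single IP address"
    if not isinstance(tcp_port, int) or not 1 <= tcp_port <= 65535:
        return "reject", "exactly one TCP port number (1-65535) is required"
    in_quarantine = (src_ip in QUARANTINE_NET, dst_ip in QUARANTINE_NET)
    if in_quarantine == (False, False):
        return "reject", "neither endpoint is on the quarantine network (10.120.0.0/16)"
    if in_quarantine == (True, True):
        return "reject", "both endpoints are inside quarantine; no exception is needed"
    if tcp_port in ROUTINELY_ALLOWED_PORTS:
        return "routine", f"{ROUTINELY_ALLOWED_PORTS[tcp_port]} is routinely allowed into quarantine"
    return "review", f"forward to Core Resources Security Admin: {src} -> {dst} tcp/{tcp_port}"


def production_gate(scan_findings):
    """Decide whether a server may leave quarantine based on its scan findings.

    Any 'hole' blocks the move; 'warning' findings are reported to the
    administrator but do not block. Returns (may_move, holes, warnings).
    """
    holes = [desc for sev, desc in scan_findings if sev == "hole"]
    warnings = [desc for sev, desc in scan_findings if sev == "warning"]
    return (not holes, holes, warnings)


def post_move_action(rescan_findings):
    """After the move, the server is scanned again: a hole in that scan means
    the switch port is disabled until every hole is fixed."""
    may_stay, _holes, _warnings = production_gate(rescan_findings)
    return "keep port enabled" if may_stay else "disable port until fixed"


# Constructed sample inputs (not real campus addresses or scan output).
SAMPLE_REQUESTS = [
    ("10.120.3.41", "10.10.1.5", 443),    # HTTPS from the quarantined server: needs review
    ("10.120.3.41", "10.10.1.5", 123),    # NTP: routinely allowed
    ("10.120.3.41", "10.10.1.0/24", 53),  # a whole subnet: not narrowly defined
    ("10.10.5.20", "10.10.1.5", 22),      # does not cross the quarantine boundary
]
SAMPLE_SCAN = [("warning", "service banner reveals software version"),
               ("hole", "default administrative password accepted")]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_REQUESTS:
        print(check_service_request(src, dst, port))
    print(production_gate(SAMPLE_SCAN))
    print(post_move_action(SAMPLE_SCAN))
```

The request validator rejects anything that is not a single host address on each side, which is what "narrowly defined" means in practice; a request naming a /24 or a hostname cannot be turned into the precise rule the Security Admin would have to add.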
Exceptions: CUMC acknowledges that under rare circumstances, certain workers will need to employ systems that are not compliant with this policy. All
such instances must be approved in writing and in advance by the Information Security Officer. It will not be easy to persuade the
Information Security Officer that the appropriate circumstances have actually come to pass.
Hostnames and Domain Name Services for the Medical Center campus will be managed by CUbhis which will do so in conjunction with
CUIT at Morningside, since the Medical Center domain names are subdomains of the one administered by CUIT.
Procedure:
Hostnames will be administered by Core Resources. IP Admin will assign hostnames as part of the
registration procedure. Aliases may be requested during registration. Procedures for requesting
subdomains in the columbia.edu domain space will be placed here as they are determined. Additionally, a list of subdomains which have already
been defined will be posted here.
IP Addresses: IP addressing of devices will be centrally managed by CUbhis. Devices found to be using an IP address other
than the one they were assigned are subject to disconnection from the network without notice.
Procedure:
The Department of Core Resources will administer IP address assignment.
With the exception of servers and printers, which will use IP addresses that are locally configured on the device, network devices will use
DHCP to lease an IP address from a central server. Stationary workstations will have a static IP address assigned to them by IP
Admin. A workstation's responsible operator may choose to configure the machine with that address rather than for DHCP. In that case, any
problems resulting from use of that static configuration are the responsibility of that operator. Any IP addressing conflicts will be
resolved according to information found in the IP Admin database.
All network firewalls on the CUMC Computer Network will be configured, administered and managed by the Department of Core Resources. Such
services must be registered with Core Resources and their use policies approved by the Security Officer. Exceptions must be approved of in
writing by the Director of Core Resources.
Procedure:
Procedures for the design, configuration and management of firewalls in coordination with requesting and funding organizations, as well as the
procedure for obtaining approval for the firewalls' use policies from the Security Officer will be placed here as they are developed.
All VPN and tunneling services being provided to or by anyone on the CUMC Network must follow a configuration approved by Core Resources and must
follow the policies regarding VPN set by the Security Officer. [A link to the Security Officer's VPN policies will be helpful.]
Procedure:
Procedures for publishing and incorporating approved VPN configuration(s) by Core Resources will be placed here as they are developed.
Wireless networks shall be treated as untrusted (per the industry definition) and users of wireless networks shall be assumed to be accessing patient
information. Appropriately secure connections using encryption will be required of all wireless devices.
Procedure:
Wireless installations through March 2003 ("legacy installations") have been configured as extensions of the wired network that happen to use RF
instead of cabling. Subsequent wireless installations will be configured to require VPN encryption and Radius authentication and will
offer dynamic IP addressing and an ability to roam with an active connection as far as the physical access point topology permits without
any need to reconfigure the wireless host.
Standards:
Cisco Aironet hardware will be required for the wireless access points. Aironet is recommended for wireless devices, but only standard 802.11b compliance is required. Wireless devices must employ VPN client software.
The CUMC network will support data communications standards required by its vendors and specified by government agencies for the purpose of
transmission of information across a LAN/WAN in a safe and secure mode.
Standards:
Wide-Area Network (WAN) Protocols:
In order to facilitate management, minimize traffic, and reduce the complexity of the CUMC WAN, the Internet Protocol (IP) shall be the
standard protocol for data communication across WAN links.
Local-Area Network (LAN) Protocols:
All communications equipment, servers, and client workstations connected to a CUMC LAN shall run protocols consistent with approved
industry standards for the type of topology in use. When drafting protocol standards, the following points should be addressed:
Any client accessing data or services across the WAN must have support for IP.
Approved protocols may not be tunneled across the WAN as this greatly increases the network traffic and is inconsistent with
the WAN protocol standard.
Any service provided across WAN links must expect to do so using only IP.
IP Port Numbers:
IP port numbers which are deemed detrimental to the network's health by the Security Officer will be closed.
Procedure:
Parties considering a new protocol for implementation on the CUMC network shall advise Core Resources of their plans, treating the protocol
as though it were a new system, for which notice is required.
Legacy Protocols:
The legacy protocols IPX and AppleTalk receive limited support. AppleTalk is supported on local area networks only, not wide area links. IPX gets
wide area transmission only on higher bandwidth links and only when a business need is shown.
Total network traffic to or from a single device (averaged over a period that is long in network terms, such as five minutes or more) may
be regulated by network administration in order to keep the network available to all users.
Explanation:
The network has stretches on it where bandwidth is plentiful compared with the amount of data traffic that goes there. These include the 100
megabit ports that individual workstations may connect to. There are other stretches, for example, the 100 megabit microwave links to
Columbia University's Morningside campus, where the bandwidth is more heavily used and therefore less plentiful. Because these heavily used
links exist (they are potentially "oversubscribed"), a policy is required specifying the maximum network bandwidth a workstation is
permitted to utilize before it is considered a "network hog" and may have its network connection turned off. That bandwidth threshold is 2
megabits per second, averaged over at least five minutes.
Well behaved applications will not exceed this threshold, even if your ethernet connection runs at 100 megabits per second. This is because,
for a well-behaved application, five minutes is pretty close to forever. A workstation which is not being used abusively will not
exceed this threshold.
Note that bursting -- briefly exceeding the 2 megabit per second limit -- is permitted. Being able to burst is the reason why
everyone still benefits from having 100 megabit per second connections and should still get network interface equipment
which supports that speed.
Note also that Kazaa and other file-sharing systems behave abusively with regard to network bandwidth. So do Denial of Service
attacks caused by hacking.
The rules for servers are slightly different in that servers may be busy enough to utilize more than 2 megabits per second of bandwidth,
averaged over at least five minutes. However, most of that traffic should be confined to the campus where the server is located.
Therefore, servers are also subject to the above bandwidth utilization limitation when campus links or wide area connections are examined.
Procedure:
[This is draconian; see the explanation above for an understanding why. Briefly, bandwidth hogs impact everybody and therefore cannot be dealt
with at a leisurely pace.]
When network utilization on a link exceeds 50%, that link may be subjected to a traffic analysis. Any device found in that analysis to be exceeding the
permitted bandwidth utilization threshold may have its network connectivity suspended (immediately) and the causes of that high
network utilization investigated (subsequently).
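The threshold in the explanation and procedure above (2 megabits per second averaged over at least five minutes, with shorter bursts permitted) is the kind of rule that is easy to state and easy to get wrong when measuring: a device that bursts at wire speed for ten seconds must not be flagged, while a device pulling 3 megabits per second continuously must be. The following example, added here and not part of the policy or of Core Resources' tooling, implements the five-minute moving average over per-device cumulative octet counters of the kind an SNMP interface poll returns. The device names, the 60-second polling interval and the counter values are constructed sample data.

```python
"""Five-minute moving-average bandwidth check per device (example code, not the
campus's own tooling).

Input: per-device cumulative byte counters (as an SNMP ifInOctets/ifOutOctets
poll would return), sampled every 60 seconds. Sample data is constructed.
"""
from collections import deque

THRESHOLD_BPS = 2_000_000   # policy threshold: 2 megabits per second
WINDOW_SECONDS = 300        # policy window: averaged over at least five minutes


class DeviceMeter:
    """Tracks one device's cumulative octet counter and yields its average
    bit rate over the most recent full window."""

    def __init__(self):
        self.samples = deque()   # (timestamp_seconds, cumulative_bytes)

    def add(self, ts, cumulative_bytes):
        self.samples.append((ts, cumulative_bytes))
        # Keep just enough history that the oldest retained sample is still at
        # least WINDOW_SECONDS old, so the average always spans a full window.
        while len(self.samples) >= 2 and ts - self.samples[1][0] >= WINDOW_SECONDS:
            self.samples.popleft()

    def average_bps(self):
        """Windowed average in bits/s, or None until a full window has been seen."""
        (t0, b0), (t1, b1) = self.samples[0], self.samples[-1]
        if t1 - t0 < WINDOW_SECONDS:
            return None
        return (b1 - b0) * 8 / (t1 - t0)


def find_hogs(samples_by_device, threshold_bps=THRESHOLD_BPS):
    """Replay counter samples for every device and return {device: peak_avg_bps}
    for those whose five-minute average ever exceeded the threshold."""
    hogs = {}
    for device, samples in samples_by_device.items():
        meter = DeviceMeter()
        for ts, total in sorted(samples):
            meter.add(ts, total)
            avg = meter.average_bps()
            if avg is not None and avg > threshold_bps:
                hogs[device] = max(avg, hogs.get(device, 0.0))
    return hogs


def _cumulative(per_minute_bytes):
    """Turn bytes-transferred-per-minute into (timestamp, counter) samples."""
    total, out = 0, [(0, 0)]
    for minute, delta in enumerate(per_minute_bytes, start=1):
        total += delta
        out.append((minute * 60, total))
    return out


# Constructed sample data: ten one-minute polling intervals per device.
SAMPLE_COUNTERS = {
    # steady 1 Mbit/s: 125,000 bytes/s, i.e. 7.5 MB per minute
    "ws-steady": _cumulative([7_500_000] * 10),
    # idle except one ~10-second burst at ~50 Mbit/s (62.5 MB) in minute 3
    "ws-bursty": _cumulative([0, 0, 62_500_000] + [0] * 7),
    # sustained 3 Mbit/s: 22.5 MB per minute
    "bench-pc": _cumulative([22_500_000] * 10),
}

if __name__ == "__main__":
    for device, peak in find_hogs(SAMPLE_COUNTERS).items():
        print(f"{device}: {peak / 1e6:.2f} Mbit/s averaged over {WINDOW_SECONDS}s exceeds threshold")
```

The bursty workstation's 62.5 MB spike averages to about 1.67 Mbit/s over any five-minute window containing it, so it is never flagged, while the 3 Mbit/s bench machine is. A production version would also have to handle 32-bit counter wraparound (a counter value lower than the previous one) and, per the procedure, only be run against a link whose utilization has already exceeded 50%.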
The Director of Core Resources shall be advised of any proposed systems, whether departmental or enterprise-wide, that will require attachment
to the CUMC Network.
Any department or organization engaged in the identification, evaluation, testing, procurement or
implementation of any network-attached application or system shall follow the associated procedures.
Procedure:
The individual responsible for managing the selection effort for any network-attached system shall provide relevant information to the
Director of Core Resources at the beginning of the selection process.
Capacity planning, user access, server location(s) and integration or impact on existing network systems shall
be quantified, so that the necessary infrastructure to support the contemplated implementation shall be available.
Infrastructure Requirements Quantification
The department shall incorporate network/infrastructure engineering-level participation before any new systems can be
introduced to the CUMC Network. Estimated traffic requirements, based on per-user averages, required availability, WAN (including Internet
and/or dial-up) requirements, and details relating to interdependencies with other CUMC systems must be quantified in advance.
Network Security Issues
Systems
employing or requiring security to prevent unauthorized use or access
shall be assessed for any integrated security mechanisms, as well as
compatibility with CUMC network security.
Network Protocol(s)
The networking protocol(s) employed by the contemplated system shall be identified as part of the planning process.
Report from Network Communications Department After Review
Upon review of the appropriate materials submitted by the requesting Department, the Director of Core Resources shall outline the estimated
effort, if indicated (including manpower, hardware, and software) to provide network support for this project. This outline shall be
delivered to the project's funding source for incorporation into the overall budgeting of that system.
Project (if approved) is scheduled and appropriate leaders and resources are established to complete the request.