- System Management
- Access Control
- Dynamic Host Configuration
- Public Access
- Acceptable Use
- References/Additional Information
- Mailing lists
Several other topics are important to system and network management but are well beyond the scope of this document. We mention some important ones here to point the reader toward further reading.
All computers require system management. The operating system and applications must be updated and patched regularly, and various configuration changes must be made when network changes are made. Backups of important data should be made frequently and tested. Virginia Tech further describes a set of "Minimum Security Standards" which should be used as guidelines for establishing system installation and management routines.
The network layer for the communications path between two endpoints may pass through many segments or devices. In the case of remote access, some of these pieces may be under the control of hostile third parties. For this reason, the network path itself cannot be relied on to provide security. Applications must assume that all network traffic may be monitored, intercepted, or forged and implement security at the higher layers. The most secure solution is to use applications that do end-to-end encryption and authentication between the client and server.
A secure replacement for
OpenPGP offers file and e-mail encryption and digital signatures. Neither of these tools is officially supported by the Information Center, but both are in widespread use on campus. It should also be self-evident that TLS/SSL should be used wherever
Virginia Tech CA has further information about this, and offers personal X.509 certificates for e-mail encryption as well.
If you care about security at the network layer, you should look into IPsec, a standardized protocol suite that authenticates and encrypts the contents of IP packets.
Any kind of access control based on network addresses or domain names is not secure at all. The question of how to identify Virginia Tech users by IP address or domain name comes up frequently when someone wants to restrict access to a resource to Virginia Tech users. Neither of these is a reasonable solution. Non-University users may originate connections from addresses that reverse-resolve to vt.edu domain names, and University users may connect from domain names or addresses that are not Virginia Tech's (from home or while travelling, for example). Further, malicious users can and will gain access to VT hosts by a variety of means, so an address identifies at best a host, never the person using it. Further information on university expectations can be found in policy 7010.
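The following script is an added example and not part of the original page: it shows concretely why the name- and address-based checks described above do not identify a user. DNS is replaced by two constructed in-memory tables (PTR and A records) so it runs offline; the addresses are RFC 5737 documentation ranges, the host names are invented, and the campus subnet is an assumption. The "spoofed" PTR entry models a real property of reverse DNS: whoever controls an address block chooses the names its PTR records return.

```python
"""Address- and name-based "authentication" and how it fails.

Added example, not from the original page. DNS is stubbed with two
constructed tables; addresses are RFC 5737 documentation ranges and
the names and campus range are assumptions.
"""
import ipaddress

# Constructed reverse (PTR) table: address -> name the block owner chose.
PTR = {
    "198.51.100.10": "lab1.cs.vt.edu",   # genuine campus lab host
    "203.0.113.5": "vpn.vt.edu",         # off-campus block whose owner picked a vt.edu name
    "203.0.113.9": "www.notvt.edu",      # different domain that merely contains "vt.edu"
    "192.0.2.7": "home.isp.example",     # a VT user connecting from home
}
# Constructed forward (A) table: name -> addresses the zone really publishes.
A = {
    "lab1.cs.vt.edu": {"198.51.100.10"},
    "vpn.vt.edu": {"198.51.100.20"},     # the real vpn.vt.edu is not 203.0.113.5
    "www.notvt.edu": {"203.0.113.9"},
    "home.isp.example": {"192.0.2.7"},
}
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed campus range


def reverse_lookup(addr):
    return PTR.get(addr)


def forward_lookup(name):
    return A.get(name, set())


def naive_name_check(addr):
    """The check people usually write: trust the PTR name, substring-match it."""
    name = reverse_lookup(addr)
    return name is not None and "vt.edu" in name


def fcrdns_name_check(addr):
    """Forward-confirmed reverse DNS with a proper suffix match.

    Closes both spoofs in the table above, but still only says which
    address a connection came from, never who is sitting at it.
    """
    name = reverse_lookup(addr)
    if name is None or not (name == "vt.edu" or name.endswith(".vt.edu")):
        return False
    return addr in forward_lookup(name)


def subnet_check(addr):
    """Address-range check: no DNS involved, same identification problem."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def classify(addr):
    """Result of all three checks for one source address."""
    return {
        "naive": naive_name_check(addr),
        "fcrdns": fcrdns_name_check(addr),
        "subnet": subnet_check(addr),
    }


if __name__ == "__main__":
    for addr, name in PTR.items():
        print(f"{addr:15} {name:20} {classify(addr)}")
```

The naive check accepts both the attacker-chosen PTR name and the look-alike domain; forward confirmation plus a real suffix match rejects them, yet the legitimate user at home is refused by every variant and a compromised lab host passes every variant, which is the page's point.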
A host that is used by a large number of people (e.g. in a lab) presents special problems. The system manager should ensure that access controls are in place to trace a particular activity back to the responsible party, or to limit what can be done from the host.
Dynamic Host Configuration
It may be desirable to use dynamic host configuration (DHCP) in some situations. NI&S offers DHCP as a service on most of the network. DHCP pools are open, so all hosts connected to a DHCP network may obtain a lease via DHCP.
It is acceptable for a department to run a DHCP server so long as three things are done:
- The server must only hand out leases to known MAC addresses (registered with the server owner).
- The server owner must maintain log archives to be able to identify what client was using a particular address at any given time.
- NI&S is informed of your intention to do so, so that we can adjust network settings accordingly.
In order for your hosts not to receive a lease from the NI&S DHCP servers, you may set the DHCP client identifier or vendor class identifier to include NIS_IGNORE, or you may register your host's MAC address on our DHCP exclusion list. These steps are necessary should you wish to run your own DHCP server on a network with NI&S DHCP; otherwise a client on the shared network will simply accept whichever DHCPOFFER reaches it first. A free DHCP server can be obtained from Internet Systems Consortium.
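The second requirement for a departmental DHCP server, being able to say which client held an address at a given time, is only met if the logs can actually be queried. The script below is an added example, not part of the original page or of ISC's software: it rebuilds address-to-MAC intervals from constructed syslog lines in the format ISC dhcpd emits (`DHCPACK on <ip> to <mac> ... via <if>` and `DHCPRELEASE of <ip> from <mac> ...`). The lease length `LEASE_SECONDS` and the year are assumptions, since the ACK line carries neither.

```python
"""Who held a DHCP address at a given time, reconstructed from dhcpd logs.

Added example, not from the original page. The log lines are constructed;
LEASE_SECONDS stands in for the server's default-lease-time and YEAR for
the year missing from syslog timestamps (both assumptions).
"""
import re
from datetime import datetime, timedelta

LEASE_SECONDS = 3600   # assumption: matches the server's default-lease-time
YEAR = 2021            # assumption: syslog timestamps carry no year

# Constructed sample log; one address is released, then reissued to another client.
LOG = """\
Sep  9 08:00:01 dhcp1 dhcpd[1234]: DHCPACK on 198.51.100.50 to 00:11:22:33:44:55 (lab-pc-1) via eth0
Sep  9 08:30:12 dhcp1 dhcpd[1234]: DHCPACK on 198.51.100.51 to 66:77:88:99:aa:bb via eth0
Sep  9 08:45:00 dhcp1 dhcpd[1234]: DHCPRELEASE of 198.51.100.50 from 00:11:22:33:44:55 (lab-pc-1) via eth0 (found)
Sep  9 09:10:30 dhcp1 dhcpd[1234]: DHCPACK on 198.51.100.50 to cc:dd:ee:ff:00:11 (visitor-laptop) via eth0
Sep  9 09:12:00 dhcp1 dhcpd[1234]: DHCPDISCOVER from cc:dd:ee:ff:00:11 via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCP(?P<kind>ACK on|RELEASE of) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?:to|from) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_ts(ts, year):
    """'Sep  9 08:00:01' -> datetime, collapsing the padded day field."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def build_leases(log_text, lease_seconds=LEASE_SECONDS, year=YEAR):
    """Return {ip: [(start, end, mac), ...]}; intervals are in log order."""
    leases = {}
    active = {}  # ip -> index of the interval currently open for that address
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines do not assign an address
        t = parse_ts(m["ts"], year)
        ip, mac = m["ip"], m["mac"].lower()
        intervals = leases.setdefault(ip, [])
        cur = active.get(ip)
        if m["kind"] == "ACK on":
            if cur is not None and intervals[cur][2] == mac and intervals[cur][1] >= t:
                # renewal by the same client: extend the open interval
                start = intervals[cur][0]
                intervals[cur] = (start, t + timedelta(seconds=lease_seconds), mac)
                continue
            if cur is not None and intervals[cur][1] > t:
                # address reissued before the old lease ran out: truncate it
                start, _, old = intervals[cur]
                intervals[cur] = (start, t, old)
            intervals.append((t, t + timedelta(seconds=lease_seconds), mac))
            active[ip] = len(intervals) - 1
        elif cur is not None and intervals[cur][2] == mac:
            # explicit release by the holder ends the interval now
            start = intervals[cur][0]
            intervals[cur] = (start, t, mac)
            active.pop(ip)
    return leases


def who_had(leases, ip, when_iso):
    """MAC that held `ip` at ISO time `when_iso`, or None if no lease covered it."""
    when = datetime.fromisoformat(when_iso)
    for start, end, mac in leases.get(ip, []):
        if start <= when < end:
            return mac
    return None


LEASES = build_leases(LOG)

if __name__ == "__main__":
    for q in ("2021-09-09T08:20:00", "2021-09-09T08:50:00", "2021-09-09T09:30:00"):
        print(q, "198.51.100.50 ->", who_had(LEASES, "198.51.100.50", q))
```

Note that the answer for a time after the last ACK plus the lease length is "nobody", which is correct only if the assumed lease length matches the server's configuration; in practice read it from dhcpd.conf (or from the leases file, which records the real expiry) rather than guessing.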
NI&S operates a dynamic DNS service for special uses under dynamic.vt.edu. Should you have an application that requires dynamic DNS, you should familiarize yourself with the DNS UPDATE protocol (RFC 2136), as implemented by the nsupdate tool, and contact the
Acceptable Use Of Information Systems At Virginia Tech and a number of State and Federal laws describe allowable network and computer resource use. Incidents such as threatening e-mail or denial-of-service attacks often must be investigated by University personnel or law enforcement. It is important that the NL for a sub-domain know who the system manager is for all hosts in the sub-domain and pass along any information related to problems to that person. The system manager is expected to know who was using the host at a particular time, or to be able to secure the host against unauthorized use. It is expected that the individual user responsible for a problem can be found.
A typical case would be that an outside organization contacts NI&S to report network abuse. NI&S will pass this report along to the NL for the sub-domain of the machine and the NL will pass it along to the system manager. The system manager is expected to work with the original complainant and resolve the situation. Support is available from the Information Center and NI&S for some phases of this resolution.
In cases of persistent abuse that is not corrected, or on-going incidents, NI&S may shut off the connection to a host until the system manager corrects the problem.
- Acceptable Use Of Information Systems At Virginia Tech outlines general policies about information systems at Virginia Tech.
- Virginia Tech Information Technology Policies outlines further IT-related policies, many of which are related to security of systems and data.
- Virginia Tech IT Security Office has resources on securing and hardening systems.
- IETF Standard 13 (RFC 1034), Domain Names - Concepts and Facilities, is an introduction to the Domain Name System; its companion RFC 1035 gives the implementation details.
- IETF Standard 11 (RFC 822), Standard for the Format of ARPA Internet Text Messages, specifies the format of mail messages and has some requirements for the format of domain names. It has since been obsoleted by RFC 2822 and then RFC 5322.
Mailing lists are a good source of information. Much like newsgroups, there are both local and international lists that cover useful topics. A local list that is probably worth subscribing to is TECHSUPPORT, which is the "support for support" list. You can
Phil Benchoff, Eric C. Landgraf 2021-09-09