A. Name: Policy on Requirements for Authenticated Access at Public Jacks, Kiosks, Wireless Networks, and Lab Computers on PennNet
B. Number: 20010910-netauth
C. Author(s): J. Bauer (SEAS, ISC Networking), D. Kassabian (ISC Networking), D. Millar (ISC Information Security), M. Robinson (Wharton Computing)
D. Status: [ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete
E. Date proposed: 2000-09-20
F. Date revised: 2004-01-12
G. Date approved: 2001-09-10, 2004-01-12
H. Effective date: 2004-01-12
II. Authority and Responsibility
Information Systems and Computing is responsible for the operation of Penn's data networks (PennNet) as well as the establishment of information security policies, guidelines, and standards. It therefore has the authority and responsibility to specify requirements for access to PennNet. This authority extends to requirements for authentication in access to PennNet.
III. Executive Summary
This policy specifies authentication and accounting requirements for certain user access to PennNet. Specifically, it addresses access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public network jacks, kiosk computers, wireless networks, and lab computers. This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks. This policy document also provides related "best practice" recommendations on configuration decisions associated with authentication and accounting.
The purpose of this policy is to specify the minimum user authentication and accounting requirements for access via public network jacks, kiosk computers, wireless networks, and lab computers attached to PennNet.
These requirements will help provide accountability for the actions of potentially unknown users while on Penn's network.
Public - For the purposes of this policy document, "public" is defined to be those campus spaces that are not in private or semi-private offices or suites with locking doors. All outdoor locations in which PennNet is available are also considered "public" campus locations for the purposes of this policy document.
Public Network Jack - For the purposes of this policy document, a "public network jack" is defined as an unsupervised network jack in a public area with the intention of providing walk-up network service to the individuals in that public area.
Kiosk - For the purposes of this policy document, a "kiosk" computer is a limited function computer or similar user interface device that is connected to PennNet, available in a public or common area and is intended for shared use by any person in that common area.
VI. Risk of Non-compliance
This policy applies to user access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public network jacks, wireless networks, lab computers, and PennNet-connected kiosk computers. Standalone kiosks which do not connect to PennNet or can only connect to authenticated network services are exempt.
This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks.
VIII. Statement of policy
IX. Recommendations and Best Practices
The following related practices are strongly recommended by ISC:
A. Verification: ISC reserves the right to review the access control implementation for computers, servers, and services that provide user access to PennNet.
B. Notification: Notification shall be made to the LSP for the area.
C. Remedy: Remedy will be the re-configuration of the computer, server or service to require appropriate authentication and access control as per this policy. ISC will offer consulting assistance to the operator of the computer, server or service where possible in order to bring the access control into compliance as quickly as possible.
D. Financial Implications: Costs associated with the implementation of authenticated access control are the responsibility of the department, individual, school, or center providing the service.
Please see the Policy on Troubleshooting Charges for Violations of PennNet Policies at http://www.isc-net.upenn.edu/policy/approved/20020827-troubleshooting.html for information on additional fees that may be assessed to cover the costs incurred in troubleshooting related to violations of this policy.
E. Responsibility: Responsibility for remedy lies with the provider of the computer, server or service.
F. Time Frame: Non-compliant devices must be remedied within two weeks of first notification from ISC Information Security, unless a special waiver is granted.
G. Enforcement: Please see the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html
H. Appeals: Please see the Appeals section of the Policy on Computer Disconnection from PennNet at http://www.upenn.edu/computing/policy/disconnect.html