The following is my interpretation of our official policies in place now. Note that I am in OIT Security, so when I speak of NTS-related items, those interpretations are subject to revision.
Wireless routers are verboten all over campus. Dorms are now covered by wireless, as is the rest of campus. No non-OIT wireless is permitted, period. Enforcement may lag a bit, and be focused on places where interference is a problem. These present a clear and present danger to security on campus and will eventually be sought out. If you're running a wireless router because of coverage problems, please contact NTS and complain about the coverage (professionally and politely).

Wired routers live in a greyer area. They are not explicitly forbidden, but they present problems to our way of doing business, which will, in turn, present problems to users of such devices. NTS billing is not my forte, but I understand that there is a fee to each department for each machine on the network, whether behind a NAT or otherwise. Clearly those are harder to count.

When a single machine acts in an inappropriate manner (maliciously or as if compromised) behind such a NAT, the external IP address will be blocked. This obviously affects all of the NAT'ed machines. Likewise we're unlikely to be able to help much beyond identifying the type of activity seen, not the individual machine affected.

If you choose to run NAT in this way, I would suggest paying attention to security on the hosts, and at the router. Do egress filtering. Monitor traffic for Bad Things, or at least log flows or sessions. These steps will help protect you, let you take control of your own security posture, and let you respond quickly in the event of an incident.

Our goal is to inconvenience users as little as possible while protecting the network. We'd be happy to work with anyone working to improve their security posture in this way.
Rob Maxwell

*******************************************************************************
Robert Maxwell, CISSP, GCFA
Lead Incident Handler
OIT Security, University of Maryland
rmaxwell at umd dot edu
GnuPG Public Key: http://security.umd.edu/contact/Robert_Maxwell.asc
*******************************************************************************

-----Original Message-----
From: David Eisner <[EMAIL PROTECTED]>
Date: Mon, 28 Apr 2008 15:30:47
To: [email protected]
Subject: [UM-LINUX] Unauthorized Routers (was Re: [UM-LINUX] IPtables question)

On 4/28/2008 2:04 PM, Robert Maxwell wrote:
> This situation is the result of the use of unauthorized routers and switches
> being used to allow labs to be placed on the network without the assistance
> (or billing) of NTS.

Billing issues aside, is there an official campus policy on the use of "unauthorized routers"? I'm aware that unauthorized *wireless* routers are verboten in the dorms. [1] Furthermore, the entire campus community has been asked to refrain from using them. [2]

But what about non-wireless routers? It's pretty common to see, say, Linksys routers used in various labs and departments. Are they not to be used? If so, is this documented somewhere? Or is it more of an informally frowned-upon practice and an issue OIT would rather not force right now?

Thanks.

-David

[1] http://www.oit.umd.edu/TechKnow/page4.html
[2] http://www.oit.umd.edu/nts/noc/wireless/FAQ.html
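The practical problem Rob describes is that once the campus blocks a NAT's external address, OIT can only name the kind of activity, not which inside host caused it. Logging flows at the router closes that gap. The script below is an added example, not code from the thread, OIT, or NTS: it parses the kernel LOG lines that iptables writes to syslog, answers "which inside host talked to that destination/port?" from an abuse report, and flags hosts fanning out SMTP connections to many outside mail servers (a usual sign of a compromised, spamming machine). The router name `labgw`, the interfaces `eth1`/`eth0`, the rule prefixes `EGRESS-SMTP`/`EGRESS-OK`, and every address in the sample log are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of iptables LOG output from a hypothetical lab NAT router
# ("labgw", inside interface eth1, outside eth0). The rule prefixes
# (EGRESS-SMTP, EGRESS-OK) and all addresses are made up for this example;
# outside addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 28 15:30:47 labgw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=25 SYN
Apr 28 15:30:48 labgw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=25 SYN
Apr 28 15:30:49 labgw kernel: EGRESS-OK IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=44000 DPT=80 SYN
Apr 28 15:30:50 labgw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=25 SYN
Apr 28 15:31:02 labgw kernel: EGRESS-OK IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.10 LEN=60 TTL=63 PROTO=UDP SPT=5353 DPT=53
Apr 28 15:31:05 labgw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=60001 DPT=25 SYN
"""

# Shape of a LOG line: "Mon DD HH:MM:SS host kernel: [optional uptime] PREFIX IN=... key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[[^\]]*\] )?"
    r"(?P<prefix>.*?) ?IN=(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one iptables LOG line into a flow record, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip()}
    for key in ("IN", "OUT", "SRC", "DST", "PROTO"):
        rec[key.lower()] = fields.get(key, "")
    # Port fields are absent for ICMP and for non-first fragments, so keep them optional.
    rec["spt"] = int(fields["SPT"]) if fields.get("SPT", "").isdigit() else None
    rec["dpt"] = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return rec


def parse_log(text):
    """Parse every LOG line in a syslog extract; lines that are not LOG output are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def internal_sources(records, dst=None, dport=None, proto=None):
    """Answer the question a campus block leaves open: which inside host(s)
    produced the traffic in an abuse report ("your NAT address hit X on tcp/25")?
    Returns a Counter of inside SRC addresses whose flows match the filter."""
    hits = Counter()
    for r in records:
        if dst is not None and r["dst"] != dst:
            continue
        if dport is not None and r["dpt"] != dport:
            continue
        if proto is not None and r["proto"] != proto:
            continue
        hits[r["src"]] += 1
    return hits


def smtp_fanout(records, max_servers=2):
    """Inside hosts that opened SMTP to more distinct outside servers than a
    workstation plausibly needs, a common sign of a compromised, spamming box.
    Returns {src: sorted list of destination servers} for the offenders."""
    dests = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] == 25:
            dests[r["src"]].add(r["dst"])
    return {src: sorted(d) for src, d in dests.items() if len(d) > max_servers}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} flow records")
    print("inside hosts that reached 203.0.113.5:25 ->",
          dict(internal_sources(recs, dst="203.0.113.5", dport=25)))
    for src, servers in smtp_fanout(recs).items():
        print(f"SMTP fan-out from {src}: {len(servers)} servers {servers}")
```

Feed it the syslog file that your router's LOG rules write to (the prefixes are whatever `--log-prefix` you chose on the egress rules), and run `internal_sources` with the destination and port from the abuse report to get the inside address to go look at. Logging only on the egress chains that matter (outbound SMTP, anything that the egress filter drops) keeps the volume small enough to retain for weeks.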
