UIC Networking and Computing Policies

Revision Date: October 08, 2010
Version: 1.00

The University of Illinois at Chicago has always been a leader in providing quality network and computing resources for the pursuit of academic research and education. In recent years, these resources have become one of the cornerstones for providing a well-balanced education in many, if not all, of the disciplines.

The Academic Computing and Communications Center (ACCC) is centrally responsible for the development and administration of the Internet at UIC. Throughout this document, the physical network, including all hardware and software used to provide Internet services at UIC, will be referred to as "the UIC network". The term "LAN" will be used to refer to a particular subset of the UIC network, commonly known as a "subnet", or as a departmental local area network.

As time has progressed and the number of people using the Internet has grown at an astounding rate, the number and types of attacks on UIC Network connected computers have increased steadily. Being connected to the Internet means that the time when we could connect computers to the network and assume that they are safe is gone. Today, any computer connected to the UIC Network requires constant attention and maintenance.

With this in mind, the following policies are in effect for all departments connected to the UIC network.

Underlying Principles

The following general statements are considered as given. They provide the basis for making the specific recommendations that appear here and for deriving answers to future policy questions.

  1. The principles of academic freedom apply in full to electronic communications within the limits set within this and other ACCC policies.
  2. The use of computing and network services provided by the campus shall be subject to all applicable State and Federal laws.
  3. ACCC is responsible for the design, operation and management of the computing and network communications services provided at the campus level. Responsibilities include:
    • The choice of protocols supported by the network.
    • The definition of campus standards necessary for efficient operation of the network or for the security of transmitted data and networked computers.
  4. ACCC is the campus' representative to the Internet community and is responsible for ensuring that the campus is a responsible member of that community.

Proper and Authorized Use of the UIC Network

  1. Use of the UIC Network is limited to legitimate users. Legitimate users are defined to be: faculty, staff, persons contracted by the university to perform as consultants, and registered students.
  2. The UIC Network is provided to support educational, research and public service missions of the University and its use must be limited to those purposes. Specifically, the UIC Network may not be used for commercial purposes and may not be used by non-University entities except as specified by contract.
  3. All users of the UIC network are subject to the terms set forth in the UIC Acceptable Use Policy and any other computer policies in use at the ACCC.
  4. Legitimate non-University users may use their University provided accounts and Internet access only in conjunction with their university-related activities.
  5. UIC Network resources may be used in support of organizations that are consistent with the mission of the university. While it is appropriate for the WWW home pages of these organizations to provide some information about external organizations, clubs, commercial entities, etc., the UIC Network connected equipment may not be the primary source of that information.

Responsibilities of UIC Network Users:

  1. Electronic mail and other forms of electronic communications should be used in a responsible, courteous manner. Use of these electronic communications and electronic mail to harass, threaten, or abuse others either at UIC or off campus is strictly prohibited. All such communications must carry the proper identity of the sender.
  2. Users should understand the weak privacy afforded by electronic data storage and electronic mail. Users should not normally commit confidential information to either.
  3. The contents of electronic messages might be seen by a system administrator in the course of routine maintenance or during problem resolution procedures. In addition, electronic mail systems store messages in files (e.g., the file containing a user's inbound mail). These files are copied to tape in the course of system backups. The contents of these files and the copies on system backup tapes are confidential and are not to be released without the consent of the owner except under conditions of law when presented with the necessary legal permissions having been reviewed by University Legal counsel.
  4. Individual campus units and departments that provide access to the UIC Network are responsible for ensuring that use is limited to legitimate users and is consistent with University policies and with contractual obligations governing the software or services offered on UIC Network.
  5. Information servers (e.g. WWW and gopher servers) must display the name, e-mail address, and unit of the University person responsible for maintaining the information displayed.

Responsibilities in Managing UIC Network:

  1. Any use of UIC Network that consumes so many resources as to noticeably degrade services to others will be reviewed by the department administrator (where the problem is occurring) and ACCC. Exceptional measures such as suspension of accounts or lowering the service priority of the offending application may be taken if needed to protect the quality of service to others.
  2. In situations where there is reasonable evidence that University resources are being used illegally or contrary to University policy, ACCC may limit or revoke access to the campus network, network services or campus computers. Systems that allow unauthorized use of copyrighted materials or licensed software will be disconnected from the network.
  3. While ACCC and unit-level LAN and system administrators do not monitor all use of UIC Network, when they do discover illegal activities they will pursue them with the appropriate disciplinary or legal authorities and cooperate with law enforcement agencies.
  4. Each department/unit must appoint at least one designated LAN administrator, responsible for the administration and management of the department's LAN. It is strongly recommended that there be at least one backup system administrator.
  5. All LAN administrators should make themselves known to the ACCC security officer as a point of contact by sending email to security@uic.edu. These administrators should be the focal point for distributed information dealing with computing and security related issues for their LANs. The LAN administrator will also be responsible for collecting and maintaining contact point information for all network-connected machines in their department.
  6. Only ACCC-approved domains may be operated within UIC Network address space. Publicly accessible Domain Name Servers must be approved by ACCC before they are placed in service.
  7. Departments/Units are responsible for the use of their LAN and servers. In particular, units are responsible for oversight of the materials published electronically on their servers for relevance to the department's mission.

Network Security

The security afforded by commonly used operating systems and by current networking technology is often weak. Because of the interconnections provided by the network, a security violation on one machine can threaten security of other systems on the network. Policies in this section describe the steps that will be taken in response to security threats. They also describe circumstances when data normally considered private can be collected and examined by ACCC, a designated LAN administrator, server, or system.

  1. Any security violation that represents a significant misuse of University resources or violates ACCC policies will be brought to the attention of the appropriate authorities.
  2. In the event that ACCC judges that a LAN, or any portion thereof, presents an immediate security risk to UIC, the network, or any system connected to the network, ACCC may terminate or restrict the LAN's network connection without notice. If there is no immediate risk, ACCC will bring the matter to the attention of the LAN's network administrator. If ACCC is unable to resolve the problem at this level it will contact the unit head.
  3. In the event that ACCC or a LAN or system administrator judges that an account on one of its multi-user systems presents an immediate security risk, the administrator or ACCC may inactivate the computer account without prior notice.
  4. ACCC will occasionally scan computers connected to the UIC network for security vulnerabilities using a tool for that purpose. If the ACCC security officer becomes aware of security weaknesses of a severe nature either through the results of these scans or other means, the administrator is responsible for securing the system to the satisfaction of the ACCC security officer in a timely manner. Failure to do so will result in the restriction of internet access for the affected system.
  5. The ACCC security officer will make known the identity of the machine which will perform security scans for the UIC network.
  6. The administrator of a server or desktop machine on a UIC Network connected computer is responsible for the security of that system. With the exception of servers of public information, e.g., Web pages, a UIC Network connected server or computer must require user authentication before allowing connections to it from the network. At minimum, this will require the connecting user to supply a unique userid/password. The system administrator must monitor and log accesses and keep other system logs that could be useful in establishing the identities of individuals who use the system to breach network or system security. The administrator of a server which distributes public information and which does not require user authentication must not provide unrestricted access to UIC Network or Internet services.
  7. All machines connected to the university network must be registered with an ACCC operated or approved domain name server. Machines found connected that are not properly registered will be considered security threats and will have their network access blocked.
  8. Units that operate publicly accessible computers connected to UIC Network must implement safeguards against network abuse appropriate to the network access available to users of those systems.
  9. Any terminal server that grants network access through the phone system must authenticate each user, requiring at minimum a unique userid/password.
  10. The owner of a private system (e.g. a desktop system in a faculty member's office) that is connected to UIC Network is responsible for ensuring that the system is not used by unauthorized individuals.
  11. Network data transmissions are not secure. Sensitive data should either be encrypted separately before transmission or be transmitted with a network transmission protocol that provides encryption automatically.
  12. Software and hardware which permit the capture and examination of UIC network packets (commonly known as sniffing) must be used only by authorized personnel. Constraints on the use of these tools include:
    • These tools must be used only with the knowledge of the ACCC or the network administrator of the affected network.
    • The minimum information needed to solve the problem must be collected from each packet, e.g., the part of the packet containing user data should not be captured unless needed to solve a problem.
    • All data collected must be discarded as soon as it has served its purpose.
    • All information collected by these tools must be considered confidential. No disclosure of any kind can be made without approval of University legal counsel.
  13. Managers of systems and network services have the right to log connections to their machines and services made via dialup or UIC Network. The information recorded may include the source and destination for a connection and session start and end times. Logs maintained by ACCC's network servers may include additional information such as the user's network ID. Operators of multi-user systems have the right to keep logs of activities on their systems. The logs may include timestamps and commands issued. Network administrators will monitor users' data transmitted across the network only after obtaining appropriate administrative authorization or when asked to do so by a law enforcement agency.
  14. Units may establish policies governing use and monitoring of their own LANs that differ from those stated here, so long as those policies are made known to users of their LANs and do not mitigate the policies stated here.
  15. Unless permission has been granted by ACCC, a system connected to UIC Network must not be used to provide network services or access to any person or organization who is not a legitimate user affiliated with UIC. For example:
    • A desktop computer and modem on campus must not be used to provide network access to anyone who is not a legitimate user.
    • A UIC Network connected machine must not be used to provide e-mail or e-mail routing services for persons or organizations that are not legitimate users.
    • No UIC Network connected system may route traffic between UIC Network and networks outside of the UIC.EDU domain without the written approval of ACCC.
  16. The following devices may not be installed on the UIC network unless express consent has been given by the ACCC Network group. Unapproved devices are subject to filtering or disconnection.
    • Private hardware firewalls and/or NAT devices
    • Private wireless access devices
    • Private DHCP servers