Statement on the security of Waterloo computing network and resources

Preamble

The University of Waterloo's computing and network resources include all subnets of the campus network and its connections to external networks, all computers and other devices attached to the network, and all services made available over the network. These resources exist for use by the members of the University community in support of Waterloo's mission and in accordance with the Statement on Use of University of Waterloo Computing and Network Resources.

Security incidents of any sort tarnish Waterloo's reputation; one of Waterloo's most important assets is how it is perceived by prospective students, faculty, and staff. Security incidents also compromise the university's mission. Failure to exercise due diligence in attempting to secure uWaterloo's resources from misuse may have legal consequences if that misuse results in damage to other systems on the Internet. The loss or corruption of valuable Waterloo data, the unauthorized disclosure of confidential university information (such as student or employee records, financial systems, or research in progress), and the unauthorized consumption of Waterloo resources disrupt essential services and hinder the legitimate activities of the Waterloo community.

The University of Waterloo has experienced, and will continue to experience, attempts at unauthorized access to computing and network resources by malicious persons (often unknown), here and elsewhere. Incidents include compromises where the perpetrator installs malicious code on a computer at Waterloo and uses it in Distributed Denial of Service (DDoS) attacks on computers here and elsewhere. Such attacks result in serious degradation of network service, and the network segment containing the subverted computer often must be disconnected from the rest of the network until the computer has been identified and removed.

Goals

The intent of this Statement is to protect the integrity of Waterloo's computing and network resources, mitigate risks and losses associated with security threats, and clarify responsibilities so that suspected and identified threats are quickly addressed and related disputes quickly resolved.

Shared responsibilities

Management of and responsibility for University of Waterloo computing and network resources is distributed throughout the Waterloo structure. Distributed management and shared responsibility is a design principle. All parties have a responsibility and an important role to play in the overall security of these resources.

University Committee on Information Systems and Technology (UCIST)

The University Committee on Information Systems and Technology (UCIST) is advisory to the Vice-President Academic & Provost through the Associate Provost, Information Systems & Technology. The members of UCIST have collective responsibility for the administration of this Statement, and individual responsibility for its administration within their respective constituencies. The Associate Provost, Information Systems and Technology, has individual responsibility for the administration of this Statement in constituencies outside the jurisdiction of other UCIST members.

Campus Networks Advisory Group (CNAG) and Computing Systems Advisory Group (CSAG)

The Campus Networks Advisory Group and the Computing Systems Advisory Group are campus committees under the authority of UCIST, to advise on the evolution of network and computing facilities, services, policies, and procedures. The members of CNAG and CSAG have collective responsibility for advising UCIST on the provisions of this Statement, and individual responsibility for implementation of those provisions within the constituency encompassed by their UCIST member.

Information Systems & Technology (IST)

The Information Systems & Technology (IST) department reports to the Associate Provost, Information Systems & Technology. IST's campus-wide responsibilities include the core components of the campus network, including the cabling, switches, and routers that comprise "the backbone", uwaterloo.ca domain naming and 129.97.0.0 network numbering, the central servers that provide the domain and network address assignment and registration and directory services, the backbone connections to external networks, and the backbone connections to the network subnets that are managed at a faculty or department or group level (the unit levels) in the academic and academic-support sectors.

IST has individual responsibility for implementation of the provisions of this statement in constituencies not encompassed by other CNAG and CSAG members.

Distributed management and shared responsibility

In the academic sector, each Faculty has an Associate Dean of Computing who is a member of UCIST and who has overall responsibility for the administration of computing and network resources within that Faculty. In the academic-support sector, each department has a department head whose reporting structure includes a member of UCIST and who has overall responsibility for the administration of computing and network resources within that department.

The authority for a device often is not the same as the authority for the subnet in which the device is connected. For example, a departmental server administered by a departmental system administrator may reside on a subnet managed by Faculty support staff, and desktop computers are often managed by the faculty or staff member for whose use the computer was purchased.

IST, subnet authorities, system administrators, and users share intersecting responsibilities for providing, securing, maintaining, and wisely using the campus network and the computing systems and other devices that are connected to it. These shared responsibilities and obligations rely on the cooperation and collaboration of all parties.

Resolution of disputes

The chain of responsibility and lines of authority, which start at the user of a resource and end at the members of UCIST, include ample opportunity for resolution of disputes when there is a perception that responsibility is not clear or that authority has been neglected or abused. Responsibility for resolution of a dispute begins at the lowest level of authority that encompasses all parties to the dispute.

Proactive security practices

General

  1. Every user of University of Waterloo computing and network resources is expected to honour all applicable university policies, procedures, and guidelines and related directives, including the Statement on Use of Waterloo Computing and Network Resources and University of Waterloo campus network management documents. The authority for a resource may require a formal agreement, beyond the conditions established here, for approval to use that resource. The authority for a resource may further constrain or limit the use of that resource.
  2. The scanning/probing of devices for the apparent purpose of detecting security flaws, when done by individuals other than designated employees who are operating within the jurisdiction and requirements of their job, will be treated as abuse with malicious intent to exploit such flaws.
  3. Suspicious activity may be reported to abuse@uwaterloo.ca for investigation by IST and/or forwarding to the appropriate network and computing-system administrators and CNAG and CSAG representatives.

Authority for subnets and devices

Connection to the campus network is not an unfettered right. It is not acceptable that a device be connected or remain connected to the network unless reasonable steps are taken to keep the device secure from misuse. This usually requires that some identified technically-competent person is responsible for configuration and on-going maintenance of the device and its software.

In accordance with University of Waterloo campus network management practice,

  1. No subnet may be connected to any part of the campus network without the prior approval and on-going sponsorship of the CNAG member whose jurisdiction includes the constituency served by the subnet. This assures representation at UCIST and puts the responsibility for determination of relevance to the University of Waterloo's mission where it rightly belongs (if the CNAG and UCIST member will not approve the subnet, then clearly that proposed use of Waterloo resources falls outside the university's mission). The CNAG/UCIST sponsor may require a further agreement with the unit to justify and/or limit its use of the shared resources.
  2. Each unit that administers a subnet of the campus network must provide its CNAG and CSAG representative and IST with the name, email address, and telephone number for the person who has policy-level administrative authority for the subnet and the devices within it (the ADMIN) and the person who has day-to-day technical/operational authority for the subnet and the devices within it (the CONTACT). In situations of distributed management within a unit, it is possible to designate an ADMIN and a CONTACT for a specific device. In the absence of a designated ADMIN or CONTACT for a device, authority and responsibility fall to the ADMIN or CONTACT for the subnet containing the device. In the absence of a designated ADMIN or CONTACT for a subnet, authority and responsibility fall to the ADMIN or CONTACT for the subnet that is one level closer to the campus backbone.
  3. The CONTACT for a subnet is the authority for approval to connect a device to the subnet.
  4. Devices that are not properly configured and maintained are a threat that can seriously impair the function of network and computing resources at the university and elsewhere. The CONTACT for a device is responsible for ensuring that it has been configured properly to obtain and use its assigned Waterloo domain name and network address, and that reasonable steps are taken to protect the device against misuse.
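The ADMIN/CONTACT fallback in item 2 (device, then its subnet, then the subnet one level closer to the backbone) is a longest-prefix lookup. The following is an added illustration, not code from the University or IST; the registry entries, names and addresses are constructed, and only the 129.97.0.0/16 network number comes from this document. It also shows how such a registry could be used to group affected devices by responsible CONTACT when targeting a security alert.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Authority:
    admin: Optional[str] = None    # policy-level administrative authority (ADMIN)
    contact: Optional[str] = None  # day-to-day technical/operational authority (CONTACT)

# Constructed sample registry (hypothetical people and subnets, not real uWaterloo data).
# Keys are subnets or single devices (/32); a more specific prefix overrides a less specific one.
REGISTRY = {
    ipaddress.ip_network("129.97.0.0/16"):   Authority("ist-admin", "ist-contact"),
    ipaddress.ip_network("129.97.10.0/24"):  Authority("faculty-admin", "faculty-contact"),
    ipaddress.ip_network("129.97.10.64/26"): Authority(contact="dept-contact"),  # no ADMIN designated
    ipaddress.ip_network("129.97.10.70/32"): Authority(admin="server-owner"),    # device-level ADMIN only
}

def resolve(address, role):
    """Return (name, network) for the ADMIN or CONTACT responsible for a device address.

    Walks from the most specific registered prefix (the device itself) outward through
    enclosing subnets toward the backbone, stopping at the first level that designates
    the requested role. Returns (None, None) for an address outside the registry.
    """
    ip = ipaddress.ip_address(address)
    # Longest prefix first: device, then its subnet, then each parent subnet.
    enclosing = sorted((n for n in REGISTRY if ip in n), key=lambda n: n.prefixlen, reverse=True)
    for net in enclosing:
        who = getattr(REGISTRY[net], role)
        if who:
            return who, net
    return None, None

def alert_targets(addresses):
    """Group affected device addresses by the CONTACT responsible for each one,
    the shape IST would need to target a vulnerability notification."""
    targets = {}
    for addr in addresses:
        who, _ = resolve(addr, "contact")
        targets.setdefault(who or "unregistered", []).append(addr)
    return targets

if __name__ == "__main__":
    for addr in ("129.97.10.70", "129.97.10.65", "129.97.50.1"):
        print(addr, "ADMIN:", resolve(addr, "admin")[0], "CONTACT:", resolve(addr, "contact")[0])
    print(alert_targets(["129.97.10.70", "129.97.10.65", "129.97.50.1"]))
```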

Information Systems & Technology (IST)

  1. IST maintains the central repository of all ADMIN and CONTACT information, endeavours to maintain its accuracy by periodic confirmation from the designated individuals, makes it available within uWaterloo in a public form, and uses it to target the distribution of security alerts to those who are responsible for the affected devices.
  2. IST tracks evolving network and computing-system security technologies (network-port user authentication, virus and intrusion detection, firewalls, etc.) and deploys them within the campus as dictated by university priorities and funding.
  3. IST provides best-advice considerations regarding the proper configuration of the more popular computing systems that are connected to the network. See the IST Security "How to" documents. IST also provides notices of security vulnerabilities and patches, recommendations and guidelines for network and system administrators, and other pertinent information in an effort to prevent security breaches.
  4. IST configures the campus-network "edge" router that connects to the external networks to reject traffic types that are known to be significant security liabilities or activities that impede mission-relevant traffic by consuming significant shared-resource bandwidth. The list of traffic types rejected is determined in consultation with CNAG and CSAG.
  5. IST configures the "core" routers that interconnect the second-level unit subnets to activate all available intrusion-rejection features that do not seriously impede the performance of the routers or the transmission of mission-relevant traffic.
  6. IST monitors network performance for the backbone and its external and internal connections, to detect and anticipate performance problems. Abnormal usage patterns are often the first indication of a security compromise. For this reason, IST may request that a CNAG or CSAG representative call upon the CONTACT for a device or subnet to account for its use of the shared resource.
  7. IST conducts security monitoring via non-invasive "scanning" probes to all devices in the network, to identify a service by port number and/or greeting provided by server software. This is done to detect vulnerabilities and anticipate other security problems, and, where possible, to detect unauthorized intrusions. IST will keep CNAG and CSAG informed as to the addresses of the devices that are used to perform these scans.

Reactive security practices

Immediate response to critical incidents

A critical incident exists when a device is behaving in such a way as to disable or seriously disrupt performance or threaten the security of other devices. Critical incidents also include violations of applicable laws (civil and criminal). A critical incident requires an immediate response to correct the incident or negate its impact.

When IST becomes aware of a critical incident, IST takes whatever immediate action is possible to temporarily negate its impact (for example, by blocking traffic to/from the device, at the IST-administered switch or router closest to the device), and then notifies the appropriate CNAG and CSAG representatives, who will ensure that action is immediately taken to disconnect/block the device from the network. IST also notifies the CONTACT and ADMIN who are responsible for the device. Connectivity will not be restored until the CNAG and CSAG representatives have verified that the cause of the problem has been fixed.

Notification of vulnerabilities

When IST's monitoring indicates a vulnerability, IST notifies each CNAG and CSAG representative and provides a list of the devices in their constituency that have that vulnerability. IST also sends copies of the notification to those who are responsible for each affected device. The notification provides reference to details on the nature of the vulnerability, its severity, the action the CONTACT for the device is requested to take to eliminate the vulnerability, and the timeframe within which that action should be taken. An uncorrected vulnerability is a critical incident waiting to happen, so it needs to be resolved quickly, within a few days at most.

The CNAG and CSAG representatives are responsible for deciding whether the device should be allowed to remain on the network if the corrective action cannot be taken within that timeframe. There will be exceptional situations in which a device with a known vulnerability must be left connected to the network for longer than the timeframe stated in the notification (for example, a device running a lengthy simulation that must be left undisturbed, or where the requested action is incompatible with the functioning of the device, or where staff involved are dealing with higher-priority issues). The CONTACT for the device, the CONTACT for the subnet, and the appropriate CNAG and CSAG representatives must exercise their best judgement to resolve the problem as promptly as possible, since failure to do so could have an adverse result such as the device being compromised and involved in a denial-of-service attack. At that point, the device and possibly the entire subnet might have to be disconnected, and the negative impact on many UWaterloo computer users could be great.

Document milestones

  2002-04: final endorsement of 2001-10 draft by CSAG and CNAG
  2002-06: UCIST endorsement of 2001-10 draft
  2002-12: CSAG/CNAG clarifications re distribution of responsibilities for response to events requiring corrective action
  2008-01: formatting change, no wording changes