Network Device Connectivity
The purpose of this standard is to establish the framework and controls under which a device is granted access to University networks, as well as the restrictions placed on devices that do not meet the network security requirements in this standard. The accompanying Network Device Connectivity Policy specifies the type of users and devices that are typically authorized to connect.
University Networks
Campus Network
The primary point of access for faculty, staff, and students. It consists of wired, Wi-Fi, and remote access VPN components.
The Wi-Fi network broadcasts three network names:
- “urwin” – A secure, encrypted, and authenticated wireless network for faculty, staff, and students
- “Richmond” – An open, MAC-authenticated network for approved legacy devices that do not support WPA2 Enterprise protocols
- “eduroam” – A secure, encrypted, and authenticated wireless network for students, researchers, and employees from participating educational and research institutions
Restricted Network
A wired-only network for aging assets that do not meet minimum network security requirements. Wi-Fi access to this network is not currently provided.
Visitor Network
An anonymous and unencrypted Wi-Fi-only network for visitor connectivity to the Internet. The wireless network name is “VisitUR.”
Examples of Classified Networked Devices
Workstations
- Primary and secondary workstations provided to faculty, staff, volunteers, and contractors by Information Services
- Consumer desktops and laptops brought to campus by faculty and students
- Workstations located in computer labs, libraries, and shared study spaces across campus
Servers
- Microsoft Windows
- Red Hat Linux
- Network Attached Storage (NAS) appliances
Smart Devices
- Smart Phones and Watches
- Tablets
Embedded Devices
- Internet of Things (IoT) devices – smart bulbs, Alexa, and similar home automation devices
- Building environmental control and monitoring systems
- Multimedia and video conferencing equipment
- Point of Sale (POS) devices
- Building access control, vending, and laundry devices
- Time clocks
- Security cameras
- Game consoles and Smart TVs
- Printers and multi-function devices
Network Restrictions
Restricted Network
- Cannot connect to any University systems outside of the Restricted Network. Some infrastructure services, such as DNS and NTP, are permitted.
- Systems will not use centralized University authentication (NetID and passwords).
- Systems will not be in public locations. Physical access must be controlled with faculty/staff supervision.
- Systems will be assigned, for asset management purposes, directly to a faculty/staff member and their department.
- Information Services will be responsible for hardware maintenance of University-owned workstations if parts are available in stock, and for network connectivity of devices purchased through Information Services.
- Backup of data on any device on this network will be the responsibility of the faculty/staff member.
Visitor Network
- Supports web browser access (HTTP, HTTPS) to the commodity Internet and most public facing University of Richmond web sites (http://www.richmond.edu, for example).
- Supports the IPsec protocol for connectivity to a corporate remote access VPN, if required.
- University of Richmond secured web resources such as Blackboard and Banner require a connection to the urwin Wi-Fi network, available only to faculty, staff, and students. They are not available to visitors.
- No authentication or encryption. Data is sent in the clear unless protected by a higher-layer protocol such as HTTPS or IPsec.
Campus Network Requirements
Workstation Requirements
- Workstations must support DHCP. Manually configured or static addresses are not supported. Workstations that require an unchanging assigned IP address may be supported via DHCP reservations if Network Services deems appropriate.
- The workstation operating system must be patched on an automated basis to guard against security vulnerabilities.
- University approved endpoint protection software must be installed and configured to automatically update. Please see information at https://spidertechnet.richmond.edu/TDClient/1955/Portal/KB/ArticleDet?ID=83336&SIDs=3727 .
- A host firewall must be configured to disallow all inbound connections.
- Wireless workstations should be configured to connect to the “urwin” encrypted wireless network via WPA2 Enterprise 802.1X authentication.
- Workstations must be configured to authenticate end users to a central password store such as Active Directory, OpenLDAP, or MIT Kerberos.
Server Requirements
- Server administrators are responsible for the maintenance of their servers. This includes patching, troubleshooting, and sometimes rebooting.
- Server documentation must be provided to Network Services (network@richmond.edu) so that the impact of the server on the campus network can be assessed. Documentation must include what other endpoints on the network the server will communicate with and what protocols and ports will be used.
- The server operating system must be patched on at least a quarterly basis to guard against security vulnerabilities, with the exception of High Performance Computing clusters that will be patched on at least an annual basis.
- Servers must be configured to authenticate end users to a central password store such as Active Directory, OpenLDAP, or MIT Kerberos. This requirement may be waived for non-University collaborator accounts.
- University approved endpoint protection software must be installed and configured to automatically update. Please see information at https://spidertechnet.richmond.edu/TDClient/1955/Portal/KB/ArticleDet?ID=83336&SIDs=3727 .
- If the server contains University data, backups should be configured and scheduled to occur in accordance with University standards. Please see information at https://is.richmond.edu/policies/computer-systems-backup.html .
- The server will be periodically scanned with enterprise vulnerability scanning software. For any vulnerabilities found that can be corrected, the application owner will be responsible for remediation, prioritized by criticality.
- A host firewall must be configured to only allow those inbound connections that are required for the server to function as designed.
Smart Device Requirements
- Smart device owners are responsible for the maintenance of their devices. This includes patching, troubleshooting, and sometimes rebooting.
- Devices must support DHCP. Manually configured or static addresses are not supported.
- Wireless devices should be configured to connect to the “urwin” encrypted wireless network via WPA2 Enterprise 802.1X authentication.
Embedded Device Requirements
- Embedded device owners are responsible for the maintenance of their devices. This includes patching, troubleshooting, and sometimes rebooting.
- Devices must support DHCP. Manually configured or static addresses are not supported. Devices that require an unchanging assigned IP address may be supported via DHCP reservations if Network Services deems appropriate.
- Device documentation must be provided to Network Services (network@richmond.edu) so that the impact of the device on the campus network can be assessed through an approval process with an ongoing review component. Documentation must include what other endpoints on the network the device will communicate with and what protocols and ports will be used.
- Wireless devices will be registered and permitted to connect to the MAC-authenticated, unencrypted “Richmond” wireless network.