ITM Project Technical updates

Internet Traffic Management Project

Drivers

  • Compliance with legislation
  • Manage limited resources
  • Block malware entering campus
  • Prevent exposure of UO credentials
  • Improve user experience through proxies

General

As a general guideline, user authentication will be required for internet access. For staff, sites such as Facebook and Twitter will be subject to reasonable use, while auction, dating, gambling and game sites are only to be accessed outside office hours.

Controlled

Everything is allowed except for malware, phishing, illegal, pornographic and objectionable material. Staff use of peer-to-peer protocols is for legitimate University of Otago use only. Students will not have access to peer-to-peer.

Exemptions

The University of Otago permits exemptions to the various ITM policies. These require Head of Division approval. The ITM Policy leaves the process of authorising exemptions open. However, ITS suggests that staff requiring an exemption seek approval from their manager; the Departmental Manager should consolidate requests before seeking approval from the Head of Division and then contact the ITS Service Desk. ITS needs a document (electronic is preferred) which includes:

  • Name
  • Department
  • Contact details (phone, email)
  • Exemption requested (site, or categories)
  • Period exemption to be in place (there will be regular audits of exemptions)
  • Reason for exemption (this is to assist the Heads of Division and not used by ITS)

It is possible that staff who require casual, infrequent access may be satisfied by accessing sites outside the time-restricted periods, specifically between noon and 2:00pm.

Edge Cases

During the pre-implementation period ITS has identified a number of edge cases on campus that are non-compliant under the ITM Policy. As a general rule these fall into the following categories:

  • NAT’d devices
  • Unattended machines
  • Servers
  • Appliances
  • Multiple Simultaneous Users
  • Kiosk type machines

Glossary

Often people ascribe different meanings to various key words; the project team have defined a glossary to ensure consistent understanding of the various words and terms.

  • Policy – document approved by Vice Chancellor
  • Process Rule – set of conditions and actions part of ITM
  • Self Assertion – acknowledged action that overrides normal restrictions
  • Exemption – a process outside ITM to approve access
  • Reasonable Use – policy of max of 1 hour per day up to 3 hours per week
  • Time Restricted – policy, accessible outside 8:30-12:00 and 2:00-5:00

User Class Definitions

As the project progressed, it became evident that there were various classes of users on the University's network. Where possible the project team have used existing definitions to make management and understanding easier.

  • External – Identifiable user not staff or student
  • Guest – unidentifiable user not staff or student
  • Staff – users who are UO staff
  • Students – users who are UO students

Device Class Definitions

The various devices connected to the University's network are classified (from an ITM point of view) into the following broad categories:

  • Internet Server – device offering services to the internet with admin user access only
  • Kiosk – workstation with 1 or more unidentifiable users who are not staff or students
  • White Listed – permitted to access predefined list of sites managed by ITS
  • NAT’d – device that performs address translation to one address, i.e. proxy, wireless access point etc
  • Multi User – simultaneous users accessing the internet
  • Workstation – computer with 1 or more users not concurrently accessing the internet

Policy Categorisation

The categorisation below correlates the University of Otago policy categories with the vendor's categorisations and the vendor's description of each.

Note that the method of classification is commercially sensitive but includes automated and human assessments.

Objectionable(8c) – Pornography

Mature content websites (18+ years and over) which present or display sexual acts with the intent to sexually arouse and excite

Social Networking(2) – Social Networking

Includes websites that aid in the coordination of relationships and companionship. Includes legal and non-sexual sites related to on-line dating, personal ads, dating services, clubs, etc

Gaming(8b) – Games

Sites that provide information about or promote electronic games, video games, computer games, role-playing games, or online games. Includes sweepstakes and giveaways. Sports games are not included in this category, but time-consuming mathematical game sites that serve little educational purpose are included.

Malware – Spam URLs

Websites or webpages whose URLs are found in spam emails. These webpages often advertise sex sites, fraudulent wares, and other potentially offensive materials.

Malware – Phishing

Counterfeit web pages that duplicate legitimate business web pages for the purpose of eliciting financial, personal or other private information from the users.

Malware – Malicious Websites

Sites that host software that is covertly downloaded to a user’s machine to collect information and monitor user activity, and sites that are infected with destructive or malicious software specifically designed to damage, disrupt, attack or manipulate computer systems without the user’s consent, such as a virus or trojan horse.

Dating(8b) – Dating

Websites that host or promote dating, interpersonal relationship related material.

Gambling(8b) – Gambling

Sites that cater to gambling activities such as betting, lotteries and casinos, including gaming information, instruction, and statistics.

Auction(8b) – Shopping and Auction

Websites that feature on-line promotion or sale of general goods and services such as electronics, flowers, jewelry, music, etc, excluding real estate. Also includes on-line auction services such as eBay, Amazon, Priceline.

Process Rule by User Class

The following classes are the likely classes that will define the various user groups.

User Class | Malware/Illegal | Objectionable (8c) | Social Networking (2) | Time Restricted Sites (8b) | P2P (6)
Student    | Blocked         | Blocked            | Allowed               | Allowed                    | Blocked
Academic   | Blocked         | Exemptions         | Reasonable Use        | Exemptions                 | Self Assert
General    | Blocked         | Exemptions         | Reasonable Use        | Exemptions                 | Self Assert
Guest      | Blocked         | Blocked            | Allowed               | Allowed                    | Blocked
External   | Blocked         | Blocked            | Allowed               | Allowed                    | Blocked

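The user-class table above, together with the glossary definitions of Time Restricted and Reasonable Use, encoded as an added Python example (this is not the ITM project's own code). It assumes that the staff "Exemptions" entry for time-restricted sites applies during the restricted hours only, and that the Reasonable Use week runs Monday to Sunday.

```python
from datetime import date, datetime, time, timedelta

# Process Rule by User Class, transcribed from the table above.
CATEGORIES = ("Malware/Illegal", "Objectionable (8c)", "Social Networking (2)",
              "Time Restricted Sites (8b)", "P2P (6)")
USER_RULES = {
    "Student":  ("Blocked", "Blocked",    "Allowed",        "Allowed",    "Blocked"),
    "Academic": ("Blocked", "Exemptions", "Reasonable Use", "Exemptions", "Self Assert"),
    "General":  ("Blocked", "Exemptions", "Reasonable Use", "Exemptions", "Self Assert"),
    "Guest":    ("Blocked", "Blocked",    "Allowed",        "Allowed",    "Blocked"),
    "External": ("Blocked", "Blocked",    "Allowed",        "Allowed",    "Blocked"),
}

# Glossary: Time Restricted sites are accessible outside 8:30-12:00 and 2:00-5:00.
RESTRICTED_WINDOWS = ((time(8, 30), time(12, 0)), (time(14, 0), time(17, 0)))
# Glossary: Reasonable Use is a max of 1 hour per day up to 3 hours per week.
DAILY_LIMIT_MIN, WEEKLY_LIMIT_MIN = 60, 180


def in_restricted_hours(when: datetime) -> bool:
    """True if the clock time falls inside one of the restricted windows."""
    t = when.time()
    return any(start <= t < end for start, end in RESTRICTED_WINDOWS)


def decide(user_class: str, category: str, when: datetime) -> str:
    """Resolve the table entry for a user class and vendor category.

    Assumption (not stated on the page): a staff "Exemptions" entry for
    Time Restricted sites applies only during restricted hours; outside
    them the glossary definition makes the site accessible.
    """
    rule = USER_RULES[user_class][CATEGORIES.index(category)]
    if category == "Time Restricted Sites (8b)" and rule == "Exemptions":
        return "Exemptions" if in_restricted_hours(when) else "Allowed"
    return rule


def reasonable_use_remaining(usage_minutes: dict, today: date) -> int:
    """Minutes still available today under Reasonable Use.

    usage_minutes maps a date to the minutes already used on that date.
    Assumption: the week runs Monday to Sunday.
    """
    week_start = today - timedelta(days=today.weekday())
    week_used = sum(m for d, m in usage_minutes.items() if week_start <= d <= today)
    return max(0, min(DAILY_LIMIT_MIN - usage_minutes.get(today, 0),
                      WEEKLY_LIMIT_MIN - week_used))
```
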
Process Rule by Device Class

The following classes are the likely classes that will define the various devices

Device Class    | Malware/Illegal | Objectionable (8c) | Social Networking (2) | Time Restricted Sites (8b) | P2P (6)
Internet Server | Blocked         | Blocked            | Allowed               | Allowed                    | Allowed
Kiosk           | Blocked         | Blocked            | Allowed               | Allowed                    | Blocked
White Listed    | Blocked         | Blocked            | Blocked               | Blocked                    | Blocked
NAT’d           | Blocked         | Blocked            | Blocked               | Blocked                    | Blocked

Blocked Message

Blocked sites will have the following HTML comment tag inserted near the top of the page. This is to allow scripts etc. to determine whether they are able to access the requested page.

<!--ITM-BLOCKED-->
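
As an added Python example (not part of the ITM project's own tooling), a check a script can apply to a fetched page. It looks for the marker only within the leading part of the document, which is an assumption about what "near the top" means, so a page that merely quotes the marker deep in its body is not mistaken for a blocked one; the sample responses are constructed, not real ITM output.

```python
import re
import urllib.request

# The marker ITM inserts near the top of a blocked page (see the section above).
ITM_MARKER = re.compile(r"<!--\s*ITM-BLOCKED\s*-->")
# Assumption: "near the top" is taken to mean within the first HEAD_CHARS
# characters; a marker quoted further down in ordinary page content is ignored.
HEAD_CHARS = 2048


def is_itm_blocked(html: str, head_chars: int = HEAD_CHARS) -> bool:
    """Return True if the ITM block marker appears in the head of the document."""
    return ITM_MARKER.search(html[:head_chars]) is not None


def fetch_is_blocked(url: str, timeout: float = 10.0) -> bool:
    """Fetch a URL through the campus filter and test the response for the marker.

    Only the first HEAD_CHARS bytes are read, so a large page is not
    downloaded in full just to make the access decision.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        head = resp.read(HEAD_CHARS).decode("utf-8", errors="replace")
    return is_itm_blocked(head)


# Constructed sample responses (not real ITM output) for an offline check.
BLOCKED_SAMPLE = (
    "<!DOCTYPE html>\n<html><head>\n<!--ITM-BLOCKED-->\n"
    "<title>Access blocked</title></head><body>Blocked by ITM policy.</body></html>"
)
# A page that only quotes the marker in its body text, far from the top.
QUOTED_SAMPLE = "<html><body>" + "<p>filler</p>" * 400 + "<!--ITM-BLOCKED--></body></html>"
# An ordinary page with no marker at all.
PLAIN_SAMPLE = "<html><head><title>Course page</title></head><body>Welcome</body></html>"

if __name__ == "__main__":
    print(is_itm_blocked(BLOCKED_SAMPLE))  # True
    print(is_itm_blocked(QUOTED_SAMPLE))   # False
    print(is_itm_blocked(PLAIN_SAMPLE))    # False
```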

Timeline

The scheduled timeline is currently being reviewed and will be updated as soon as it is to hand.

Tools

Fortinet, the vendor, has a URL checker at http://www.fortiguard.com/webfiltering/webfiltering.html which allows users to submit a web site or address to confirm its classification. The same site allows users to request reassessment of a site.

ITS intends to develop, as part of the project, a tool to determine access and vendor classification; this is scheduled to start around June 2012.

Part of the Fortinet solution is a VPN service. This will allow users to access services from locations that may not be accessible any other way. Note that this VPN service is only intended to be used on campus and should in no way be considered an alternative to the existing VPN client from Cisco.

Additional Information

  • FAQ – https://blogs.otago.ac.nz/infosec/
  • Email – itm.project@otago.ac.nz
  • ITS Update – www.otago.ac.nz/its/help/itsupdate.php
  • Can I get a new wireless access point installed in my department?
    If a permanent wireless access point is required for your department, please see your Property Services sector manager first. They will investigate what is required (how many access points and where to put them) and give your department a quote for the installation.