Identification of Computing & Networking Users
It is necessary to identify users of the University’s computing and networking facilities for the following reasons:
- LJMU’s computing and networking facilities are provided exclusively for the use of staff and students of the University, and for other associates of the University who have express permission to use its facilities.
- When a problem occurs arising from computing or networking activities, the resolution of this often requires that the source of the problem can be identified.
- The LJMU network is connected to the Internet, thus inappropriate activities taking place on the LJMU network can have an adverse effect on facilities in other organisations. Such activity can almost always be traced by an external organisation to the network from which it originated. It is then the responsibility of the originating organisation to be able to trace the source of any activity causing concern.
- LJMU’s Internet connection is provided by JANET, who will hold the University responsible for any unreasonable or unacceptable use of the JANET network, and may suspend the University’s Internet access if any activities arising from the LJMU network represent a serious threat to other JANET users.
All access to, and use of, the University’s computing and networking facilities must be such that it is possible to identify the actual user, or the user responsible for such access.
In general, this requires that users must identify and authenticate themselves with their LJMU username and password before access to computing or networking facilities is granted.
Exceptions to this are:
- Network Connections in Halls of Residence: each bedroom has a network point, all activities on which are traceable and which are deemed the responsibility of the occupier.
- For short-term activities (e.g. Summer Schools) for which only limited computing access is required and the overhead of establishing individual user accounts is not justifiable. In these cases, a generic group account is provided, limited to the duration of the event and from which all activities are deemed to be the responsibility of the organiser.
Individuals who are responsible for the management or configuration of University-provided client systems (e.g. Desktop Machines, Laptops, PDAs, etc.) or the provision of indirect means of network access (e.g. LAN Docking Points, Wireless, Dial-up, etc.) must ensure that these are configured to require user authentication.
For client system access control, PLN provide a University-wide user Authentication Service against which (almost) any client-type can authenticate. All authentication requests are logged to enable all computing activities to be traced.
For network access control, PLN provide a University-wide Network Gateway through which all indirect means of network access must be routed. The Gateway Service enforces user authentication before granting network access. All access requests are logged to enable all networking activities to be traced.
Network points in use by client systems for which it is not possible to enforce user authentication must be routed through the Gateway Service.
The University’s User Authentication or Network Gateway Services must be used for access control whenever possible. If it is not possible to use these services, a local authentication service must be deployed. This must log all access requests in a manner that enables individual activities to be traced. Requests from PLN to trace activities must be undertaken in a time-scale commensurate with the severity of the problem. Inability to identify the source of a problem may require PLN to suspend network access to an entire subnet in order to protect the interests of the University.
Kevin Walsh, PLN, February 2004