1.0 Types of Network Extension
All extensions to the network should be done by CIS whenever possible. However, if this is not possible, then extending the network can be done in one of five ways (while following the guidelines below):
- Wireless Access Points
- Hubs and Switches
- Remote Access using RDP
The guidelines for extending the network are different for each of these five types. See the appropriate section below.
Should extensions to the network beyond these guidelines be detected on the network, the port to which they are connected will be disabled.
1.1 Wireless Access Points
Departments wishing to add wireless access points must ensure that their devices meet the following guidelines:
- Prior to installation, the device must be registered with CIS via our web form.
- The access point must use some form of encryption on all client connections, with a minimum security configuration of WPA-PSK.
- The device should be deployed in compatibility mode (802.11b and 802.11g), not in G only. Due to its potentially disruptive nature, 802.11n mode is not permitted.
- Those installing these devices should understand that CIS responsibility for troubleshooting does not extend to equipment which is connected to non-CIS wireless access points.
Departments wishing to deploy wireless should work with CIS in order to participate in a cost sharing plan.
Additional wireless access points are not permitted in residence halls. [See the document Connect to Brown's Secure Wireless Network for details on wireless connectivity in residential halls.]
1.2 Hubs and Switches
Adding hubs and switches is permitted in residence halls and departments. However, these devices must follow the guidelines below:
- Prior to installation, the device must be registered with CIS (via a Service Desk ticket) .
- Only unmanaged devices may be connected to the network.
- Those installing these devices should understand that CIS responsibility for troubleshooting does not extend to equipment which is connected to non-CIS hubs and switches.
Extending the network through wire is the most restrictive of the network modifications. Following are the limitations on this type of extension.
- Network cables plugged into network ports must not exceed 25 feet in length. Longer cables can extend the network beyond its tested range.
- No installation of wire should be done in buildings, except by CIS.
- Should departments need to extend wiring, it must be done by CIS, and will be billed to your department. Please fill out a Service Desk ticket to request this service.
1.4 Using Modems to Connect to the Network
Modem users must adhere to the following precautions to ensure that they do not become an entry point for unauthorized network access:
- Turn off the "Auto-answer" feature except when required. If the "Auto-answer" feature is required, then:
- Approved authentication software/hardware must be used and remain active on the desktop system, or
- The computing system must be disconnected from the Brown network, and
- Computing systems with fax modems where auto-answer is required must have interactive communications disabled.
- Disable modems when not in use, either by a physical/logical disconnect or power off.
- Secure external modems when not in use.
- Log modem usage.
- Maintain accurate record of physical locations of all telephone lines identified for data communications use, and be prepared to submit records, upon request, to the Information Security Group or to Internal Audit.
1.5 Acceptable Methods of Remote Access Using RDP
Services using Microsoft Remote Desktop protocol (and others, such as free versions of VNC that do not use encryption) on the university network pose certain risks due to their weak encryption and vulnerability to both Man-In-The-Middle and dictionary brute-force password attacks.
Brown's Information Security Group therefore recommends the following software, any of which should be implemented on all clients and servers needing secure remote desktop access to the network.
Radmin is a commercial product that runs on Windows platforms. It uses strong 256-Bit AES encryption and is reasonably fast and responsive. Its default port is 4899, and it is strongly suggested that this port be changed.
There are two versions, personal and enterprise. Use the enterprise version in order to enable the 128-bit AES encryption and conform to university policy. RealVNC is similar to Radmin, except it runs on a variety of platforms, including Windows, Linux, Solaris, and OS X.
Windows RDP – Certificate-Based Authentication
Microsoft Windows RDP software has the capability to use certificates for authentication. This is the only secure configuration of RDP. Instructions can be found on the following web page.
2.0 Related Policy
Questions or comments to: ITPolicy@brown.edu
Effective Date: March 19, 2004
Last Reviewed: January, 2015
Next Scheduled Review: January, 2017