Systems Security & Network Access & Management Policy
5.4 Annex D - Procedures and Information
5.4.1 Outgoing internet access - How to add / remove a device from the Outgoing Internet IP Blacklist
Prior to introducing a logging service and allowing permissive outgoing internet access, the network community have requested a blacklist for devices that should never be allowed direct internet access. The blacklist would effectively be the opposite of the current internet access / JIPS list.
It is recommended that the outgoing internet access blacklist:
- Is only used when an administrator does not want a specific device to have direct outgoing internet access. It is anticipated that this will be a minority of devices.
- Must not be used to block internet access for individual / staff desktop PCs.
5.4.2 Add a device to the Outgoing Internet Access IP Blacklist
If a device should be included in the Outgoing Internet Access IP Blacklist, applications are to be submitted to NaSA by the respective faculty/school/department firewall administrator, User-Rep or head of department. NaSA will accept e-mail requests that are sent to ipblacklist-request@leeds.ac.uk with the subject header "IP Blacklist addition" but will only action these when they are followed up by a letter on headed paper which is signed by the respective head of the department, User-Rep or other person who has been given this authority.
The only exceptions to this rule are that:
- NaSA will process e-mail applications sent to ipblacklist-request@leeds.ac.uk from the firewall administrator, head of department or User-Rep when a letter has been received previously from that person which covers all future requests for that faculty/school/department; or,
- NaSA will process urgent requests received by e-mail to ipblacklist-request@leeds.ac.uk on the understanding that a confirmation letter signed by the respective firewall administrator, head of department or User-Rep is received within an agreed time. If the confirmation letter is not received by the time it is due, the devices will be removed from the blacklist.
5.4.3 Remove a device from the Outgoing Internet Access IP Blacklist
If a device should be removed from the Outgoing Internet Access IP Blacklist, requests for removal should be e-mailed to ipblacklist-request@leeds.ac.uk with the subject header of 'IP Blacklist removal'.
Note:
- All requests to add / remove a device to the Outgoing Internet Access IP Blacklist need to be approved by a member of staff with higher authority than the user requesting the access.
- All authorities approved for submitting direct internet access (previously JIPS) requests are automatically approved for submitting Outgoing Internet Access IP Blacklist requests.
5.4.4 Add a device to the Peer-to-Peer Software Register
Staff who have a need to use peer-to-peer file sharing software [1] on the campus network must first register it with ISS [2]. All applications to add a device to the Peer-to-Peer Software Register must be submitted through the respective User-Representative. The ISS Network Group will only accept e-mail peer-to-peer file sharing software registration requests from User-Reps that are sent to p2p-register@leeds.ac.uk, with the subject header "Peer-to-Peer Software Register Request". The email is to contain the following information:
- Name of user
- Department of user
- Purpose of peer-to-peer software
- IP address of device.
An up-to-date list of peer-to-peer file sharing applications which must be registered, along with a list of peer-to-peer type applications that need not be, can be found at http://www.leeds.ac.uk/informationsecurity
5.4.5 Remove a device from the Peer-to-Peer Software Register
When peer-to-peer software is no longer required, the Peer-to-Peer Software Register must be updated accordingly. The ISS Network Group will accept e-mail requests from the member of staff to whom the software is registered, sent to p2p-register@leeds.ac.uk with the subject header "P2P Software Register Remove". The email should contain the following information:
- Name of user
- Department
- IP address of device.
5.4.6 Scanning Shared Networks
System administrators and computer support staff wishing to use scanning software on their network, where network resources are shared with other faculties/departments, are to:
- inform all faculty/school/department administrators with whom they share network resources of their intentions and the reason for wanting to carry out the scan; and,
- obtain the consent of all administrators with whom they share network resources for the scan to go ahead.
Scanning may only be undertaken where all faculty/school/department administrators sharing the network resources have consented to it.
Prior to carrying out a scan, faculty/school/department administrators sharing network resources should be reminded that it is about to occur and they should be provided with the IP address of the machine that will perform the scanning. In addition, they should be notified when the scanning has been completed.
Scan results in respect of other network resources may not be divulged to anyone other than the administrator of those respective faculty/school/department resources.
It is advisable for those carrying out scanning activities where network resources are shared, to retain records of consent and other correspondence for a reasonable period.
[1] Peer-to-peer software may only be used for official University purposes on devices that are attached to the University network.
[2] Registration is not required for devices that connect to the residential network and/or the wireless network only, as measures are in place to prevent the use of file sharing peer-to-peer software on those networks.