Safe Connect/Policies

From ITS Wiki - Information Technology Services - University of Rhode Island


Types of Policies

The following are the various types of policy that can be enforced by URI's Safe Connect Network Access Control system: Authentication and Policy Key (see below).

Authentication

Users must authenticate using their eCampus username and email password, or by using a guest account.

Policy Key

Users must have the Safe Connect Client installed and running. The client software must be able to communicate with URI's Safe Connect Enforcer. This policy only applies to Windows and Macintosh devices.

Antivirus

Note: Antivirus policies only apply to Windows machines.

Installed

At least one supported antivirus solution (see Safe Connect/Supported AV) must be installed.

Running

At least one installed Antivirus solution must be running.

Updated

At least one installed antivirus solution must have definitions updated within the last two weeks.


Note: The antivirus solution can be different for each of the installed/running/updated requirements. For example, if a user has McAfee and Norton installed, only has McAfee running, and only has updated definitions for Norton, all three policies will pass.

OS Patches Policy

Note: The OS Patch policy only applies to Windows machines.

The machine must have Windows Update settings compliant with the minimum security requirements. In most cases, this policy requires that Windows be set to download and install updates automatically.

Block Access

It is not possible to pass the block access policy. Penalty for failure is quarantine.

NAT

There must not be a third-party NAT device (such as a home router) between Safe Connect and the computer.

Definitions

Quarantine/Block

Safe Connect uses the words "quarantined" or "blocked" when a machine's internet access has been restricted. While a machine is quarantined, it will only be able to access resources within URI (Webmail and www.uri.edu, for example); resources not hosted by URI (Google, Yahoo, CNN, ...) cannot be accessed while quarantined.

Warning

When a computer is not in compliance with Safe Connect policies, Safe Connect issues a warning. The warning comes in the form of a web page with information about the problem and how it can be fixed. Safe Connect issues a warning every time a machine is quarantined, but does not quarantine every time it issues a warning.

Standard Requirements

Standard requirements apply only to the following operating systems:

  • Windows Vista+
  • Mac OS X, 10.5+

Authentication

  • Requirement: Users must successfully authenticate once.
  • Fail: Machine is quarantined until Authentication passes.
  • Pass: Safe Connect evaluates compliance with the remaining policies.

Policy Key

  • Fail: Machine is quarantined until the policy passes.
  • Pass: Policy evaluation continues.

Antivirus installed policy

  • Note: Applies only to Windows and OS X machines.
  • Pass: Safe Connect checks for compliance with the AV running policy.
  • Fail: A continuous warning every 12 hours until AV is installed.

Antivirus running policy

  • Note: Applies only to Windows and OS X machines.
  • Pass: Safe Connect checks for compliance with the AV definitions policy.
  • Fail: A continuous warning every 12 hours until AV is installed.

Antivirus update policy

  • Note: Applies only to Windows and OS X machines.
  • Pass: Safe Connect checks for compliance with the AV definitions policy.
  • Fail: A continuous warning every 12 hours until AV is installed.

OS and Patch Policy

  • Note: Patch policies only apply to Windows machines.

Windows computers must be running Windows Vista or greater.
Macintosh computers must be running OS X 10.5 or greater.

The requirements and enforcement for this policy differ based on where a machine is located. Computer labs and computers located in Fogarty Hall, or other areas with specialized policy, may have requirements different from those listed here. These users should contact their local IT people or the Office of Information Security for further information.

  • Requirement: Patches must be set to download and install automatically.
  • Pass: Policy evaluation continues with NAT Policy.
  • Fail: Two warnings will be issued one day apart. One day after the second warning, the machine will be quarantined until the policy passes.

NAT Policy

  • Note: This policy is only enforced on the student side currently.
  • Pass: Internet Access granted.
  • Fail: Machine is Audited until the NAT device is removed.
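
The evaluation order described in the Standard Requirements, modelled as an added example (this is not Safe Connect's code, and every class and function name is hypothetical). It assumes a Windows machine, that an antivirus warning does not stop the OS patch and NAT checks, and that the two patch warnings fall on day 0 and day 1 with quarantine on day 2; av_check_strict is a stricter variant that is not part of the page's policy.

```python
from dataclasses import dataclass, field

@dataclass
class AV:
    name: str
    running: bool = False
    defs_age_days: int = 999   # days since the last definition update

@dataclass
class Device:
    authenticated: bool
    policy_key: bool           # client installed, running and reaching the Enforcer
    av: list = field(default_factory=list)
    auto_update: bool = True   # OS set to download and install patches automatically
    patch_fail_days: int = 0   # days since the first OS patch warning (assumed counter)
    behind_nat: bool = False

def av_check(products):
    """First failing AV policy, or None. Each policy may be met by a different product."""
    if not products:
        return "installed"
    if not any(p.running for p in products):
        return "running"
    if not any(p.defs_age_days <= 14 for p in products):
        return "updated"
    return None

def av_check_strict(products):
    """Stricter variant (not the page's policy): one product must be running AND current."""
    return None if any(p.running and p.defs_age_days <= 14 for p in products) else "same-product"

def evaluate(d):
    """Return (action, warnings) in the order: authentication, policy key, AV, OS patch, NAT."""
    if not d.authenticated:
        return "quarantine", ["authentication"]
    if not d.policy_key:
        return "quarantine", ["policy key"]
    warnings = []
    failed = av_check(d.av)
    if failed:
        warnings.append(f"antivirus {failed} (repeats every 12 hours)")
    if not d.auto_update:
        if d.patch_fail_days >= 2:       # warned on day 0 and day 1 (assumed timing)
            return "quarantine", warnings + ["os patch"]
        warnings.append("os patch")
    if d.behind_nat:
        return "audit", warnings + ["nat"]
    return "grant", warnings

# Constructed sample: the McAfee/Norton case from the antivirus note.
MIXED = [AV("McAfee", running=True, defs_age_days=60), AV("Norton", running=False, defs_age_days=3)]
```

With the constructed MIXED sample, av_check passes while av_check_strict fails, because the only running product has stale definitions.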


Other OS Requirements

These requirements apply to machines whose operating systems are not covered by the Standard Requirements.

Linux, Windows 98 and Me, Apple Mobile

Authentication

Users must authenticate each time the device is connected to the network. Failure to authenticate will result in an immediate quarantine.

Game Consoles

There are currently no policies applied to game consoles. Game consoles will be blocked when they first connect to the network. After generating outbound HTTP traffic, they will be unblocked.