Recently I have been discussing several new security measures for academic networks. Out of these discussions with other schools, engineers, and suppliers, I have put together a set of goals to help keep the development of network security on track and within budget.
Physical access can be managed without a great deal of expense. The goals to reach for are:
- We allow only the devices we have confirmed and labeled
- We can control the number of concurrent devices a user is using on the network
- We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
- We can remove a user from network access, and restrict their devices, with minimal effort
- We have processes and procedures to register devices; users can switch devices through these processes
- Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person
These goals do not imply direct management of the equipment, nor do they involve capturing user data. They ensure that every device on the network is approved, registered, and can be clearly identified.
Achieving these goals is the first step towards the concept that access to the network is a privilege, not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.
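As an added illustration (not part of the original post), here is a small in-memory device registry that implements the goals above: only confirmed devices are admitted, a per-user concurrent-device limit is enforced, the owner can be looked up by IP, serial number, MAC or any combination, a user can be revoked with one call, and switching devices goes through the registration process. The class names and sample identifiers are invented for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed example: an in-memory registry, not any real NAC product's API.
@dataclass
class Device:
    owner: str
    mac: str
    serial: str
    ip: Optional[str] = None   # known once the device has been seen on the network
    enabled: bool = True

@dataclass
class Registry:
    max_devices: int = 3                          # concurrent-device limit per user
    devices: dict = field(default_factory=dict)   # keyed by lower-case MAC
    revoked: set = field(default_factory=set)     # users whose privilege was withdrawn

    def register(self, owner, mac, serial, ip=None):
        """Only confirmed, labelled devices get in, never more than max_devices per user."""
        if owner in self.revoked:
            raise PermissionError(f"{owner}: network privilege revoked")
        active = sum(1 for d in self.devices.values() if d.owner == owner and d.enabled)
        if active >= self.max_devices:
            raise ValueError(f"{owner} already has {self.max_devices} active devices")
        self.devices[mac.lower()] = Device(owner, mac.lower(), serial, ip)

    def owner_of(self, mac=None, serial=None, ip=None):
        """Identify the owner by IP, serial number, MAC, or any combination of them."""
        if not (mac or serial or ip):
            return None
        for d in self.devices.values():
            if ((mac is None or d.mac == mac.lower()) and (serial is None or d.serial == serial)
                    and (ip is None or d.ip == ip)):
                return d.owner
        return None

    def is_allowed(self, mac):
        d = self.devices.get(mac.lower())   # the check an access switch or DHCP server consults
        return d is not None and d.enabled and d.owner not in self.revoked

    def revoke_user(self, owner):
        self.revoked.add(owner)   # one call: is_allowed now rejects every device they own

    def swap_device(self, owner, old_mac, mac, serial):
        """Switching devices goes through the process: retire the old, register the new."""
        old = self.devices.get(old_mac.lower())
        if old is None or old.owner != owner:
            raise KeyError("old device is not registered to this user")
        old.enabled = False          # frees a concurrency slot before the new registration
        self.register(owner, mac, serial)
```

Identification records are kept after revocation on purpose, so a revoked user's devices can still be traced to them.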