Edmund A. Hajim  School of Engineering and Applied Sciences

SOHO and Building-level Firewall Service Policy

If you have one or more networked devices behind a SOHO or building-level firewall on any of the HSEAS network segments, you are expected to know and abide by the following policy, and to ensure that all users of those systems know and abide by it:

  1. You are responsible for your systems. We may provide advice, but we do not administer or repair those devices as part of our normal responsibilities.
  2. You do the administrative work yourself.
  3. You may hire any reasonable person (i.e., someone with administrative experience and skills) to perform the work for you.
  4. You may hire the CNG staff to perform this work, just as you would hire Paul Osborn to do electronics/machining work for you. The Dean has set our rate at $100/hr. Work on these types of systems takes a back seat to the work we perform for those with systems on the production network.
  5. You may not attempt to circumvent the security provided by the firewall. This includes (but is not limited to):
    1. Falsifying MAC (hardware/ethernet) addresses.
    2. Providing gateway services to non-registered devices.
    3. Running a service for other hosts behind the firewall that relays those services to hosts outside the firewall (e.g., running a sendmail server that exchanges mail with external hosts on behalf of internal hosts).
    4. Providing services to hosts/devices outside your protected LAN, i.e., making it possible for external hosts to enter the protected LAN, for example via peer-to-peer services such as (but not limited to) Direct Connect, LimeWire, Kazaa, or GNUtella. Note that some forms of video-conferencing (e.g., Skype) may be allowed after discussions with the CNG. Please be aware that peer-to-peer (p2p) file sharing is not necessary to conduct business within HSEAS; we have safer alternatives.
  6. You are expected to follow good administrative practices.
    1. Run good antivirus/anti-spyware software and keep it updated on a regular basis. Updating once a week is insufficient; daily updates are reasonable, and better still are those packages (newer versions of Norton, Trend, Sophos or AVG) that update on an almost real-time basis.
    2. Keep your systems up-to-date with patches.
    3. Being behind a firewall does not relieve you of privacy obligations. Specifically, you may not read anyone else's mail, and you may not use administrator (root) privileges to read other users' files that those privileges would otherwise protect. Doing so is a violation of Federal and State law, and of UR policy.
    4. No pirated software or other copyright violations.
    5. Provide for backups (and make sure the backup media is secured).
    6. Use good passwords (known only to the account holder); no shared accounts, and no accounts without passwords.
    7. Accounts may only be assigned to members of HSEAS, and account names must not conflict with names already assigned by the CNG. That is, if 'joe' is the HSEAS login name for 'Joe Smith', then you may not use 'joe' for 'Joe Jones'. There must be no misrepresentation as to the identity of any user.
  7. If a problem emanates from behind the firewall:
    1. We will normally attempt to contact you, but may have to act before we can do so.
    2. We will attempt to determine the source of the problem behind the firewall. If we are able to do so, we will alter the firewall configuration so that traffic from the offending device is not passed outside the firewall (hosts behind the firewall may still be affected by the offending device). The firewall configuration will be restored once the problem has been resolved by you or your agents.
    3. If we are unable to determine the source of the problem, and we deem the problem sufficiently severe, we will disable the switch port providing network connectivity to the firewall. Connectivity will be restored as soon as the problem has been resolved by you or your agents.
  8. All networked devices behind the firewall should be registered with the CNG. A web form is available for registering devices at
    http://www.seas.rochester.edu/CNG/Problem/devreg.php
  9. You must be able to provide, upon request by any CNG member, reliable and secure logs that show who was using each system at any specific time.
  10. You must report any intrusion or suspected intrusion to the CNG (send mail to problem@seas.rochester.edu or contact a staff member by pager or phone) as soon as it is noticed. You are expected to watch for such intrusion attempts.
  11. The CNG may need to audit your system or systems to check for compliance with this policy and with good practices.

Last modified: Thursday, 07-Apr-2011 09:34:45 EDT