
Network Registry Impact Statement

Please note: In their review of this document, the Executive Policy Review Group determined that the registry should be centralized, not distributed as a registry of registries as noted in this document, and that CIT should manage that central registry. For more information about the University Policy Office and the Executive Policy Review Group, please see http://www.univco.cornell.edu/policy/home.html. On June 3, the University Policy Office promulgated this policy, http://www.univco.cornell.edu/policy/NR.for.html. For CIT information, education and rollout of this policy, please see http://www.cit.cornell.edu/computer/support/netreg

TO:    Polley McClure

FROM: Tracy Mitrano

RE: University Policy on a Network Registry

DATE: March 5, 2003

According to University Policy 4.1, The Formulation and Issuance of University Policies, I am writing to request that you, as Responsible Executive Officer, present the attached University Policy on a Network Registry to the Executive Policy Review Group for general approval.

I. BACKGROUND

This policy shall require the establishment and maintenance of a registry of all information technology devices connected to the Cornell network. This registry shall contain all relevant information such as physical location, IP and/or MAC address, name of system or network administrator and/or end user. It shall not be a requirement that the registries be tied to a single depository, but that each "subnet" or single port gateway must keep a registry relative to its services and devices on its "subnet" or behind its single port gateway. CIT will maintain a record of network administrators with responsibility for their registries, and encourages transparency of their subnet registries. In the absence of transparency, network administrators shall supply CIT with all relevant information for a 24/7 means of access and/or communication in the event of an emergency. [emphasis added]

A network registry is an inventory of all the devices attached to the University network. At this time the University does not have either a comprehensive or even collective network registry. Commensurate with its decentralized administrative structure, and since the transition from mainframe computing to distributed and personal computing on the university network, the University has without benefit of policy both created patchwork registries (for example for its ResNet services or certain subnets, for example the subnets upon which CIT devices operate) and allowed departments to manage subnets without requiring the registration of devices operating in that department, or subnet, on the University network. The result is an uneven and incomplete inventory of devices attached to the network.

An uneven and incomplete inventory results in greater difficulties managing the functionality and ensuring the security of the network. In the case of copyright violations, it may also have the effect of exacerbating potential legal liabilities. Judicial Administration will also be served by identification of alleged violators of University Information Technologies Policy. For example, if the network operations center detects that a machine is operating in an aberrant manner (for example, by sending out scans, often as the result of a compromise, or "hacking"), it will contact the network administrator to request remediation. (Interim University Policy on Security Incidents Reporting, 5.4.2) In some cases, network administrators report that they do not know what device it is, who the user is or where it is located; in other words, they can do nothing about it. The network operations center will then have to block the Internet Protocol (IP) address, which is a necessary but overbroad approach to addressing the problem located in a single machine.

For IP addresses that serve a variety of users, for example public ports, this necessary but overbroad approach inconveniences a number of users and may do nothing to correct the actual problem. In the case of a copyright notice, these maintenance and security concerns become still more complicated by the potential for contributory copyright liability that the University may face if it fails to eliminate the allegedly offending material. While the University takes decisive steps to alleviate liability (for details of this procedure, please see: http://www.cit.cornell.edu/oit/policy/memos/dmca.html, or attached, "Procedure Pertaining to the Notifications of Copyright Violations on the Cornell University Network"), portable devices may generate multiple notices as they move to different IP addresses, even though it is the same device and same user responsible for the legal and policy violation. In the case of policy violations, Judicial Administration would also be exercised with greater fairness because identity of allegedly offending users would be more uniform among the subnets that have registration and therefore can identify users and those that do not and cannot bring those names forward for potential disciplinary action.

This proposed policy would attempt to correct these gaps in functionality, security, potential legal liability and/or policy violations by requiring the registration of devices to the network. Network registration should greatly enhance the ability of network operators, security specialists and the DMCA copyright agent to focus the requisite remedies and referrals on the specific devices and users. Moreover, it is altogether appropriate that, inasmuch as the University has responsibility for its network services, as well as for university-owned information technologies resources, it be able to identify the resources, (if appropriate) identify the physical location of the device (for example, a desktop) and the owner (in the case of devices not owned by the university) or user or person responsible for a university-owned device.

II. CONTROVERSIAL ISSUES

For network administrators of subnets not in the practice of registering the devices, this policy presents additional duties and responsibilities. Maintenance, security, legal and policy considerations outweigh that impact, and may in time even have a salutary effect on their own ability to manage their subnets. The fact that this proposed policy does not require a central registry, but only that each subnet create and/or maintain such a registry, reflects a respect for network administrators' operations. Education should effectively counteract any other potential controversy on these matters, along with an understanding of the obligations that Cornell Information Technologies, as stewards of the University network, has in maintaining network service and security.

III. GOALS

To enhance the maintenance and security of the University network, as well as to alleviate potential legal liability and address alleged University policy violations, through the creation of distributed network registries of devices connected to the University network.


NEW PROCEDURE PERTAINING TO THE NOTIFICATIONS OF
COPYRIGHT VIOLATION ON THE CORNELL UNIVERSITY
NETWORK UNDER THE DIGITAL MILLENNIUM COPYRIGHT ACT

Legal developments such as the Verizon decision last week (Jan. 2003) combined with the preponderance of security incidents that include copyright violations have resulted in a new procedure for handling Digital Millennium Copyright Act (DMCA) notices.

The distribution of copyrighted material for which the distributor does not have the permission of the owner is a violation of federal law and university policy. Popular file sharing programs, such as KaZaA or Morpheus or iMesh, commonly share files out from your computer after you have downloaded them. Copyright holders scan for these files as a means of policing their property rights in the music, games or videos. Their scans target places like Cornell because file share programs automatically favor fast distribution, such as occurs on the university network given its large bandwidth capacity.

As a part of its compliance with federal copyright law, Cornell University deploys a procedure to respond to bona fide notices of copyright violation by copyright holders. This procedure operates as follows:

  1. The Digital Millennium Copyright Agent for the university requests that the Network Operations Center block the Internet Protocol (IP) address alleged by the notice to be in violation of federal law and provide the agent with the identity of the user or party responsible for the computer (responsible party).
  2. The agent then notifies the user or responsible party of the notice (by sending a copy of the Standard Notice via e-mail) and requests a cease and desist statement by return e-mail.
  3. Upon receipt of that statement, the agent then requests that the Network Operations Center unblock the IP address.

Because intentional file sharing of material for which the user does not have the copyright holder's permission is a violation of the University Policy 5.1, Responsible Use of Electronic Communications, in those cases the user shall report to the Office of Judicial Administration for disciplinary processing. These procedures help to protect the user against copyright holders going through legal processes to obtain the identity of the user.

In the case where the copyright notice is the result of a computer compromise (electronic activities that cause damage to a computer), or a "hacking," and not the intentional activity of file sharing on the part of the computer's user, the agent shall instruct the user to fix the computer or to make an appointment with the HelpDesk (helpdesk@cornell.edu) to have it fixed. The agent will request the block be lifted upon receipt of information that the machine has been repaired.

Users of file share programs should be aware of the liability that they create for themselves by deployment of these programs over Cornell University's network. Specifically they are advised to turn off the outbound functions of these file share programs; information on how to do so may be found at: http://security.uchicago.edu/peer-to-peer/no_fileshare.shtml. Please write IT-policies@cornell.edu with any questions regarding the law or policy of copyright and file sharing on the Cornell campus. Programming on information technology ethics education may also be found at: http://www.cit.cornell.edu/oit/UCPL.html.

Tracy Mitrano
Policy Advisor for the Office of Information Technologies
Copyright Agent for Cornell University


POLICY STATEMENT

The University requires that all information technology devices (including wireless hubs / switches) connected to the network will be recorded in an up-to-date registry. Such a registry shall contain all relevant information such as physical location, IP and/or MAC address, name of system or network administrator and/or end user. It shall not be a requirement that the registries be tied to a single depository, but that each "subnet" or single port gateway must keep a registry relative to its services and devices on its "subnet" or behind its single port gateway. CIT will maintain a record of network administrators with responsibility for their registries. Subnets and single port gateways will either make their registries accessible or provide 24/7 contact information to the network operations center and the IT Security Director.

REASON FOR POLICY

The University seeks to enhance the maintenance and security of the University network, as well as to alleviate potential legal liability and address alleged University policy violations, through the creation of distributed network registries of devices connected to the University network.

