IRIS Network Policy
The following policy governs network connected devices in the UC Berkeley Electrical Engineering and Computer Science (EECS) department and the Center for Information Technology Research in the Interest of Society (CITRIS) on networks maintained by Instructional and Research Information Systems (IRIS).
Vision: The IRIS network is a robust, state-of-the-art communication environment supporting UC Berkeley’s goal of excellence in education and research. It is flexible and easy to use for a large variety of devices and supports production services reliably and securely.
This document uses prescriptive keywords such as “MUST,” “MAY,” and “SHOULD” as defined in IETF RFC 2119.
Core Network Policy
In addition to this specific policy, use of the IRIS network must comply with all existing laws (federal and state) and University regulations and policies including the UC Berkeley Campus Computer Use Policy and the Minimum Security Standards for Networked Devices.
- The IRIS network is available only to people with active IRIS accounts.
- Network devices MUST be registered with accurate information when connected to the IRIS network.
- Individuals MUST NOT disrupt the use of production services or run software or devices that negatively affect network operations.
Policy Components
REGISTERED SYSTEM ADMINISTRATOR (CORE 1,2)
- Each device MUST have a registered system administrator who is responsible for ensuring the device complies with all policy requirements.
- System administrators MUST have active IRIS accounts.
DEVICE NAMING (CORE 2)
- The name configured on a device MUST match the registered name.
DEVICE ADDRESSING (CORE 2,3)
- Routable IP addresses used by a network device MUST be assigned to that device by IRIS DNS Administrators.
- Network devices MAY be assigned static IP addresses or static DNS names at the system administrator’s request and upon IRIS approval.
- Network devices SHOULD be configured as DHCP clients.
WIRED NETWORK (CORE 3)
- To support multiple physical devices on a single network port simultaneously, an unmanaged network switch MAY be used.
PROHIBITED DEVICES AND SERVICES (CORE 3)
- Any device or network service listed in Prohibited Devices and Services in Appendix A MUST NOT be operated on IRIS production networks without explicit permission from IRIS.
SECURITY INCIDENTS AND POLICY VIOLATIONS (CORE 3)
- IRIS MUST notify the appropriate system administrator or account holder via email regarding security compromises or policy violations.
- If a response is not received within 4 business hours or before the day’s close of business, IRIS MAY disable the device’s network connection or deactivate the account.
- For serious security threats, problems, or policy violations, IRIS MAY disable network connections or deactivate accounts sooner.
- In the event of a root compromise, a device MUST be reinstalled in accordance with the OS Reinstallation Procedure.
SPECIAL NETWORKS
- If computing needs prevent full compliance with this policy, IRIS MAY set up a Private Network upon request from the system administrator.
- IRIS also offers the Restricted Network, a controlled, firewalled environment for hosting critical services.
- This policy does not apply to campus wireless networks, such as eduroam, Berkeley-Visitor, and Berkeley-IoT.
- To request a special network, please email help@eecs.berkeley.edu with specific needs and information for IRIS to review.
UNUSED NAMES, ADDRESSES, AND NETWORK PORTS
- IRIS network staff MAY deactivate any network port which has not been used for 3 months with notification of system administrators of devices registered on the port.
- If a device is unconnected for 3 months, IRIS DNS Administrators MAY retire static DNS names and IP addresses with notification of the system administrator.
- If a device is unconnected for 6 months, IRIS DNS Administrators MAY terminate network access for the device with notification of the system administrator.
Updates
- This policy will be reviewed annually by IRIS.
- Changes to the Core Network Policy and Policy Components MUST be approved by the CNIL committee.
- The Appendices MAY be updated by IRIS as needed to ensure network and security integrity.
- Updates to the network policy MUST be announced on the IRIS website.
- Comments regarding this policy may always be directed to iris-policy-feedback@lists.eecs.
Appendices
- Appendix A: Definitions
- Appendix B: Technical Limitations
- IRIS Network Best Practices and Explanations
References
- UC Berkeley Campuswide IT Policy and Privacy
- UC Berkeley Campus Computer Use Policy
- UC Berkeley Campuswide IT Security
- UC Berkeley Minimum Security Standards for Networked Devices
IRIS Network Policy version 1.1, approved by CNIL 2009/09/09
Last updated: 2018/06/07 04:31:49