A knowledge base article about User Network Device Standards and Terms of Service provided by the UC Berkeley IT Service Hub - Knowledge Portal
This standard outlines acceptable devices which may be connected to the campus network and describes actions which may be taken by Berkeley IT in cases where installed devices cause a disruption to network service or adversely affect network infrastructure. In addition, this standard discusses the availability of radio spectrum in the 2.4 GHz, 5.0 GHz and 6.0 GHz bands and the importance of this resource to the function of the campus Wi-Fi network.
This guidance is in addition to other applicable University policies, in particular:
These and other policies related to Information Technology are available at https://security.berkeley.edu/policy/policy-catalog.
Subject to the policies outlined above, members of the campus community may connect any device which utilizes the Ethernet (IEEE 802.3) standard for layer 2 communication to any provided campus network connection they are authorized to use. Berkeley IT provides a network which will, within reasonable limitations, transmit any IPv4 or IPv6 datagram to or from any such connected device. Should any device connected to the campus network be deemed to be the cause of a disruption to the operation of the network, Berkeley IT may remove that device from the network by disabling its connection.
The above standard includes networking equipment, i.e., devices the purpose of which is to provide some additional network service, e.g., user and department operated switches or firewalls. Berkeley IT will not provide any support for user connected networking equipment. In the event of a report of network service issues, Berkeley IT will test only up to the campus provided network jack. If this is deemed functional, any further work necessary to resolve the problem is the responsibility of the owner of the connected equipment. If user connected networking equipment disrupts the operation of the campus network, Berkeley IT reserves the right to take any actions necessary to remediate the issue.
User installed equipment must not interfere with campus-provided Wi-Fi.
UCB uses the IEEE 802.11a/g/n/ac/ax protocols as its wireless network standards, transmitting in the 2.4 GHz, 5.0 GHz and 6.0 GHz radio frequency spectrums. The IEEE 802.11 protocols are the most common standards for wireless network connectivity (i.e. Wi-Fi). Because these bands are unlicensed, they can be utilized by many different types of equipment, not necessarily restricted to Wi-Fi. Because only one transmitter can operate on a radio frequency at any time, any system which operates in 2.4 GHz, 5.0 GHz or 6.0 GHz may cause disruption to the campus network. This includes user installed Wi-Fi routers and access points.
Because Wi-Fi is the primary method which campus students, staff and faculty use to access all network and IT resources, Berkeley IT must ensure its reliability throughout campus. In pursuit of this goal, we will work with the operators of any interfering systems to abate or modify them to minimize impact to the campus network. Berkeley IT provides devices such as wireless headsets and cordless phones which do not interfere with the campus network. These can be requested via the Telecom Catalog (see Resources below).
Examples of some types of devices which may cause interference with the Wi-Fi network can be found at:
https://berkeley.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010265
In order to provide wireless access to authorized users, Berkeley IT installs access points on and around the campus. These access points are small devices that connect to the campus network infrastructure and are centrally managed to ensure a high level of service. User connected access points and routers are devices that are installed by other groups such as departments and individuals, which do not interoperate with the centrally-supported Wi-Fi network. User connected access points are strongly discouraged, except in cases where campus wireless networking is not available. Locations where user connected access points are present due to unavailability of campus Wi-Fi should submit a Telecom Catalog request to Enhance WiFi Service, so that the user connected device can be removed.
A common reason given for the installation of department or user operated Wi-Fi routers is ease of access for users, particularly guests. Operators of these installations should be aware that often these types of installations contravene network security policies listed above and may lead to the blocking of all connectivity to the service.
If you believe you have a requirement that is not being met by the campus Wi-Fi network, please contact Berkeley IT (contact information below) and we will work with you to devise a supportable solution.
In cases where a user connected Wi-Fi device is determined to be the cause of network disruption for other users, Berkeley IT will remove the device from the network.
Devices such as routers, firewalls, and wireless access points often use a technology called Network Address Translation (NAT) to allow many systems to communicate on the network using the same publicly available IP address. While such devices permit many computers to connect to the network cheaply and easily, there are serious security implications for these devices that must be considered before they are connected to the campus network.
When network monitoring and scanning activities generate a security alert for an IP address in use by a NAT device, the registered security contact for that IP address is notified via email. Hosts connected to the campus network through a NAT device are not exempt from campus security policies, including Minimum Security Standards (MSS), and are subject to network blocking procedures. Since all hosts behind the NAT device share the same campus IP address, a block on the IP address will remove every host behind the NAT device from the network.
The NAT device administrator must identify hosts responsible for security issues and relay the related security notice to the party responsible for that host. If the NAT administrator cannot identify the host, or if the host is not secured in a timely fashion, the administrator must block the host or remove the entire NAT device from the network until the host has been secured.
Failure to comply with this policy will result in the Information Security Office (ISO) blocking the public IP address, disabling network access to the NAT device and all connected hosts.
Logging for NAT devices must be enabled sufficient to identify specific hosts behind the device in response to security incidents. Without these logs, Security Operations cannot help to identify the responsible system, and we cannot resolve reported incidents until the system is identified. Due to the limited amount of flash memory on NAT devices, this may require offloading logs to a secondary system, such as a syslog server, especially if many hosts are sharing the device.
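The host attribution this logging has to support, as an added example (not Berkeley IT's code): given the protocol, public IP, source port and time from a security notice, find the internal host that held that NAT mapping. The key=value log format, the addresses and the function names are constructed for illustration; adapt the pattern to your device's actual syslog output.

```python
from datetime import datetime, timezone
import re

# Constructed sample lines in a hypothetical key=value NAT log format.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z nat event=create proto=tcp int=192.168.1.23:51234 ext=203.0.113.10:40001
2024-03-01T10:04:40Z nat event=delete proto=tcp int=192.168.1.23:51234 ext=203.0.113.10:40001
2024-03-01T10:06:10Z nat event=create proto=tcp int=192.168.1.57:49810 ext=203.0.113.10:40001
2024-03-01T10:07:00Z nat event=create proto=udp int=192.168.1.80:5353 ext=203.0.113.10:40001
2024-03-01T10:09:30Z nat event=delete proto=tcp int=192.168.1.57:49810 ext=203.0.113.10:40001
"""

LINE = re.compile(
    r"^(?P<ts>\S+) nat event=(?P<event>create|delete) proto=(?P<proto>\w+) "
    r"int=(?P<int_ip>[\d.]+):(?P<int_port>\d+) ext=(?P<ext_ip>[\d.]+):(?P<ext_port>\d+)$"
)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_sessions(log_text):
    """Pair create/delete events into (key, internal_ip, start, end) sessions."""
    open_, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip unrelated or malformed lines
        key = (m["proto"], m["ext_ip"], int(m["ext_port"]))
        ts = parse_ts(m["ts"])
        if m["event"] == "create":
            open_[key] = (m["int_ip"], ts)
        elif key in open_:
            ip, start = open_.pop(key)
            sessions.append((key, ip, start, ts))
    # Mappings never closed in the log are treated as still active.
    sessions += [(k, ip, start, None) for k, (ip, start) in open_.items()]
    return sessions

def attribute(sessions, proto, ext_ip, ext_port, when):
    """Return the internal IP that held the external port at `when`, else None."""
    when = parse_ts(when)
    for key, ip, start, end in sessions:
        if key == (proto, ext_ip, ext_port) and start <= when and (end is None or when <= end):
            return ip
    return None
```

The sample shows the same external port held by different hosts minutes apart, so the match depends on the NAT device and the alert source sharing a synchronized clock.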
Setting up appropriate logging on your NAT device is essential in order to identify hosts behind the device in response to security incidents. Guidelines for appropriate logging:
Access to the NAT device must be restricted to known hosts. NAT device administrators must have a mechanism in place to identify unique hosts behind the device.
Your NAT device must use an appropriate method to restrict access to specific hosts authorized to use the device. It is not acceptable to offer public, unauthenticated access to the campus network, especially over wireless when physical access to the ports is not required to connect. Some acceptable access control methods include:
Note that for wireless routers, WEP is a very weak protocol and the access password can be obtained easily by "sniffing" traffic to and from the wireless device, and therefore it is not an appropriate method for access control.
If you are unable to meet the above requirements for access and logging, you will need to seek a Security Policy exception: https://security.berkeley.edu/quick-links/request-information-security-policy-exception
In the Service Catalog select Data Network Services and then Expand Wi-Fi Coverage
Online:
https://berkeley.service-now.com/ess/
Email:
trouble@berkeley.edu
Phone:
510 664 9000 Option 1
Contact Student Technology Services: https://studenttech.berkeley.edu/techsupport