Guidelines for the use of the university network
General information
The University of Kassel's data network offers its users a great deal of freedom compared to typical company networks. This flexibility is important in an educational institution, but has its limits if it affects other users or jeopardizes their security. The rules of the "Usage regulations for the information processing and data communication infrastructure" of the University of Kassel apply here.
These guidelines are aimed at administrators and IT officers in the various university institutions. They specify the general provisions of the user regulations for technical measures in the area of "Networks and Network Services". The data network is operated by the IT Service Center (ITS), specifically by the Data and Telecommunications Department (ITS-DTK).
Physical networks/network devices
The IT Service Center provides data network connections to the workplace in all university buildings. These connections can be organized flexibly in VLANs (Virtual Local Area Networks). If you nevertheless wish to lay your own data cables, please note the following:
- Approval: The installation must be coordinated in advance with the IT Service Center. ITS-DTK will ensure proper cabling in order to comply with safety regulations (e.g. fire protection).
- Protection of existing installations: Cable runs within rooms must not damage ITS installations or make their maintenance more difficult.
Access to physical networks (e.g. WLAN access points) is managed exclusively by the ITS. In the event of violations, the corresponding network connection may be switched off. Please also observe the special instructions for the operation of WLAN access points.
Network services
Network services within the meaning of these guidelines are network-related services that are operated on a computer or other device of the institution (e.g. DHCP servers, packet filters/firewalls). For the regulation of network services, it matters whether the computers on which these services run are located in a building network or in a self-managed subnet/VLAN (Virtual Local Area Network).
A self-managed subnet/VLAN in the sense of these guidelines is a self-contained broadcast domain within which only devices of the respective facility are operated (in contrast, a building network is shared by several facilities). A self-managed subnet/VLAN and IP addresses must be applied for from the ITS. If there are more than 64 IP addresses, the need must be justified. A self-managed subnet/VLAN can be switched university-wide.
Common network services and their specifications are listed in detail below:
DHCP
DHCP is generally only permitted as "static" DHCP (a registered MAC address is always assigned the same IP address) and only in a self-managed VLAN. During configuration, it must be ensured that only valid IP addresses assigned to the university are distributed, and that only DHCP requests originating from the self-managed VLAN are answered. Anything else (dynamic DHCP, DHCP in a building network) is not permitted. The details of the assignment must be documented at least in the form of a configuration file for the DHCP service that can be produced at any time. Changes to this configuration file must remain traceable for a reasonable period of time for the purpose of troubleshooting (example: Linux/ISC-DHCPd with dhcpd.conf under revision control using RCS or similar). A person (an actual person or a "logical person", e.g. an administrator) must be assigned to each IP address.
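The following script is an added example, not ITS code or part of these guidelines. It reads an ISC dhcpd.conf and reports deviations from the rules above: a dynamic pool (`range`), a missing `deny unknown-clients;` (without it, unregistered MAC addresses would be served), host entries without a MAC or fixed address, duplicate MACs or addresses, fixed addresses outside the assigned subnet, and hosts without a responsible person. It assumes that the responsible person is recorded as a `# responsible:` comment directly before each `host` block; the subnet 192.0.2.0/26 and the sample configuration are constructed placeholders, not university addresses.

```python
"""Check an ISC dhcpd.conf against 'static DHCP only' rules.

Added example for these guidelines; not ITS code. Assumptions: the
self-managed VLAN is the constructed subnet 192.0.2.0/26, and the person
responsible for each host is recorded as a '# responsible:' comment
immediately before its host block.
"""
import ipaddress
import re

ASSIGNED_SUBNET = ipaddress.ip_network("192.0.2.0/26")  # constructed placeholder

# Optional '# responsible: <person>' comment, then 'host <name> { ... }'.
HOST_RE = re.compile(
    r"(?:#\s*responsible:\s*(?P<person>[^\n]*)\n\s*)?"
    r"\bhost\s+(?P<name>\S+)\s*\{(?P<body>[^}]*)\}",
    re.S,
)
MAC_RE = re.compile(r"hardware\s+ethernet\s+(?P<mac>[0-9A-Fa-f:]{17})\s*;")
ADDR_RE = re.compile(r"fixed-address\s+(?P<ip>[^\s;]+)\s*;")

# Constructed sample configuration: two properly registered hosts and one
# printer that violates two rules (address outside the subnet, no person).
SAMPLE_CONF = """\
# constructed example dhcpd.conf, not a real ITS configuration
authoritative;
subnet 192.0.2.0 netmask 255.255.255.192 {
    option routers 192.0.2.1;
    deny unknown-clients;
}

# responsible: A. Admin (lab IT officer)
host lab-pc-01 {
    hardware ethernet 00:11:22:33:44:01;
    fixed-address 192.0.2.10;
}

# responsible: A. Admin (lab IT officer)
host lab-pc-02 {
    hardware ethernet 00:11:22:33:44:02;
    fixed-address 192.0.2.11;
}

host printer-01 {
    hardware ethernet 00:11:22:33:44:03;
    fixed-address 192.0.2.99;
}
"""


def parse_hosts(conf):
    """Return one dict per host block: name, person, mac, ip (None if absent)."""
    hosts = []
    for m in HOST_RE.finditer(conf):
        mac = MAC_RE.search(m.group("body"))
        ip = ADDR_RE.search(m.group("body"))
        hosts.append({
            "name": m.group("name"),
            "person": (m.group("person") or "").strip() or None,
            "mac": mac.group("mac").lower() if mac else None,
            "ip": ip.group("ip") if ip else None,
        })
    return hosts


def check_config(conf, subnet=ASSIGNED_SUBNET):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    if re.search(r"^\s*range\b", conf, re.M):
        findings.append("dynamic pool ('range') present: only static DHCP is allowed")
    if not re.search(r"^\s*deny\s+unknown-clients\s*;", conf, re.M):
        findings.append("'deny unknown-clients;' missing: unregistered MACs would be served")
    seen_ips, seen_macs = {}, {}
    for h in parse_hosts(conf):
        n = h["name"]
        if h["mac"] is None:
            findings.append(f"{n}: no hardware ethernet (MAC) entry")
        elif h["mac"] in seen_macs:
            findings.append(f"{n}: MAC {h['mac']} already used by {seen_macs[h['mac']]}")
        else:
            seen_macs[h["mac"]] = n
        if h["ip"] is None:
            findings.append(f"{n}: no fixed-address")
        else:
            try:
                addr = ipaddress.ip_address(h["ip"])
            except ValueError:
                findings.append(f"{n}: fixed-address {h['ip']!r} is not a valid IP address")
            else:
                if addr not in subnet:
                    findings.append(f"{n}: {addr} is outside assigned subnet {subnet}")
                if h["ip"] in seen_ips:
                    findings.append(f"{n}: {h['ip']} already assigned to {seen_ips[h['ip']]}")
                seen_ips[h["ip"]] = n
        if h["person"] is None:
            findings.append(f"{n}: no responsible person recorded")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against the real dhcpd.conf (read the file instead of SAMPLE_CONF) before each commit to revision control; the checker is deliberately strict about `deny unknown-clients;` because that single statement is what turns a server with host reservations into a "static only" server.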
Packet filters (firewalls)
When operating a packet filter, it should be noted that all network devices behind the packet filter must remain visible to the ITS at protocol level. In practice, this means that the packet filter must allow IP and ICMP packets with the source and destination addresses 141.51.25.71 and 141.51.25.72 to pass through. The policy beyond this is the responsibility of the institution. On request, the ITS operates and administers a packet filter with a policy according to the institution's specifications. This so-called virtual firewall (or the device on which the firewall runs) is located at the ITS.
Router
If you have a self-managed subnet/VLAN, you can (statically) route it yourself if you wish. As a rule, routing is operated on the same computer as packet filters/firewalls. Consultation with ITS-DTK is mandatory.
Nameserver (for DNS)
ITS-DTK operates and manages the name servers and publishes the DNS data worldwide. Dynamic DNS entries and DNS wildcards are not permitted, and corresponding entries are not made. A caching-only DNS resolver can be operated by the institution if required.
Other server services
Other server services include authentication services/user administration, mail servers, web servers, FTP servers, VoIP, video conferencing systems, etc. In principle, there are no restrictions. However, a self-operated MX (mail exchanger) must be registered informally. We advise you to examine critically whether the effort of running your own server service is really worthwhile; the ITS offers a range of convenient solutions here. The ITS Computer Systems Department and Applications Department can provide information about the possibilities. As every member of the university has a UniAccount anyway, we advise against running your own user administration.
The following applies to all of the above network services: The provisions of the user regulations must be observed. In particular, the university's data network may only be made accessible to authorized persons in accordance with the user regulations. Other users must not be hindered (e.g. by an incorrectly configured DHCP server) or endangered (e.g. by spreading malware such as worms, viruses, etc.).
Furthermore, a number of legal regulations, such as the aforementioned fire protection regulations and the Hessian Data Protection Act, must be observed. The latter prescribes, among other things, a register of procedures listing all procedures in which personal data is processed. This applies in particular to self-operated user administration, DHCP servers and mail servers (and their log files).
If the ITS becomes aware of violations of legal provisions, the information is forwarded to the responsible offices within the university and the affected connection is blocked if necessary.
Connections
ITS-DTK maintains a connection database in which applicants and users of each connection to the University of Kassel data network are listed.
Every data network connection that is to be put into operation must first be registered with ITS-DTK using the form provided for this purpose. A simplified procedure can be agreed with ITS-DTK if a large number of connections are to be put into operation (e.g. in the case of relocations or moves). A connection can only be registered with complete personal details (name, address, cost center, etc.). In particular, a valid University of Kassel e-mail address (ending in .uni-kassel.de) is required.
Requested connections and IP addresses are not valid indefinitely. The validity of an IP address or connection generally expires when the applicant or operator leaves the university. In this case, an application should be submitted in good time (before the person concerned leaves) with the data and signature of the new applicant/operator together with a list of all IP addresses concerned (for many connections: simplified procedure by arrangement).