Purpose

Sometimes employees work from home on a machine connected to a home network. This work may include accessing or storing WPI information via email, files, or applications such as Banner. The machine may or may not be owned by WPI. It is the employee's responsibility to provide a reasonable level of security to guarantee the integrity of their own systems and to ensure the security of WPI applications and data.

This standard provides steps to help:

  • Safeguard home computers and networks from attackers and viruses
  • Protect the confidentiality and integrity of any sensitive data, including passwords
  • Prevent malware from penetrating WPI systems via home computers

Scope

This standard covers all home or non-WPI networks that are used to process or store any WPI information, whether using a WPI-owned or non-WPI device.

Standards

Purchasing a router

When selecting a router to purchase:

  • Ensure that the list of features includes stateful packet inspection (SPI). This will ensure a balance between preventing unwanted traffic while letting applications function.
  • Ensure that it supports WPA2-PSK. Older WEP encryption can be broken easily and is no longer considered secure.

Router Configuration

In addition to offering the convenience of connecting multiple computers to a single DSL or cable modem connection, a router equipped with good firewall capabilities is the first line of defense against attacks. Here are some tips on getting the most out of one.

Router Passwords and Access

  • Check the management settings for your router. Ensure that you have changed the password from the default and that the ability to configure the router from the Internet side is disabled.
  • Never enable your router's remote access functionality. These are websites that are used to configure the router from outside the local network. Often times, these websites have vulnerabilities that can crash your router or possibly give external users access to your network.

Router Updates

Vendors periodically come up with software (called firmware when referring to routers) updates for routers to address bugs or security vulnerabilities. Periodically check your vendor website to ensure that you are running the latest firmware version.

Firewall

  • Never assume a network has a firewall, and do not disable the one included with your operating system.
  • Whenever possible avoid having your computer's IP into the DMZ fields on your router. If the IP address is in the DMZ field, this will bypass your router's firewall and expose the computer directly to the Internet.
  • If possible, use the default firewall configurations; these work for normal operations. Exceptions are not part of the default. However, there are reasons for users to occasionally create an exception. Make sure any exceptions created in the firewall policy are up-to-date and relevant to your network configuration. Do not allow unused exceptions to exist.

The most common exceptions are made to host local websites and to allow remote access into local computers. Make sure all website software is kept up to date and accounts for any remote access software (Windows Remote Desktop, SSH, VNC, etc) contain strong passwords. Follow the WPI Password Standard. WPI recommends that the following exceptions are never enabled or open to the Internet:

  • Windows file sharing ports (sometimes called 'CIFS' or 'SMB'):
    • TCP ports 135, 139 and 445
    • UDP ports 137 and 138
  • Simple Network Management Protocol (SNMP): UDP port 161
  • Telnet: TCP port 23

Wireless Networking

  • Always assume any given wireless connection is not trustworthy and use the WPI VPN and other encrypted access methods (i.e. HTTPS) whenever possible, especially when handing sensitive data.
  • If you are not using wireless but have it installed on your home router, simply turn it off. If it is on:
    • The SSID is the name that your wireless access point will advertise. Change this from the default value to discourage others from connecting and to slow down attackers attempting to crack the wireless encryption. Do not use identifying values like your address or name and do not use WPI's SSID.
    • Make sure that WPA2 is enabled and configured with a strong pass phrase. This pass phrase can be up to 63 characters long, may contain multiple words and should be something not easily guessed by an attacker.
    • Some routers support allowing only pre-configured MAC addresses to access the wireless network. If your home network has this capability, it should be used in addition to the wireless encryption and all the devices on your wireless network should be added to the Allow list.

Computer Systems

All machines behind the router, or used as standalone computers without a router should conform to the Mobile and Personally-Owned Device Management Standard.

Remote Access

Users will use encrypted methods to access WPI systems whenever possible. Connection methods such as HTTPS, SSH and WPI's Virtual Private Network (VPN) are all acceptable.

Revision History

  • The Information Technology Division endorsed this standard on September 2006.
  • After a minor revision, the faculty Committee on IT Policy endorsed this standard on April 15, 2008.