Marist College Standard for Authentication, Authorization and Auditability

• All new applications are required to use CAS - Central Authentication Service from Apereo, or Shibboleth from Internet2 for authentication. Central directory services and account control are required to use LDAP. Roles are determined by the LDAP "employeetype" attribute.
• Where alternatives are possible, no transmission of passwords in clear text is allowed. All authentication will use encrypted transmissions. Projects will be established to eliminate all processes that cannot.
• The authoritative source for students for LDAP is Banner Student, for employees (both faculty and staff) is Banner HR, for alumni is Banner Alumni. If someone is not in Banner Student or Banner HR as a current faculty, staff or student, they will not be identified in LDAP as a student, faculty or staff, and are not entitled to services for those "employeetypes".
• Access logs for all servers, proxies and network resources shall be kept a minimal of 30 days.
• After the Fall 2008, the Marist network will be protected by several methods. Access to the network has been enforced by Cisco Network Admission Control (NAC) or Cisco Identity Services Engine (ISE).
• Public labs (DN258, HC0004 and Library E-scriptorium) will be configured to use a web proxy server that will require Marist account code authentication to use web resources off the Marist campus.
• There is a Juniper SRX Firewall that will prohibit inbound non-Marist access to most of the Marist campus, except for the DMZ. All Marist machines will have unrestricted access to the Internet, except for certain services that have been blocked for some time now, such as Netbios and outbound SMTP.
• The Juniper SRX firewall will allow Marist machines to connect into the DMZ with little restriction, and non-Marist resources will be able to connect into the DMZ for specific documented resources.
• All Windows servers, and Intel-based Linux machines will have Tripwire for servers installed, which will be centrally managed. All machines in the DMZ will have SNMP configured for monitoring by Operations.

Current Network Access

• Current security on the Marist network are enforced by Cisco NAC/ISE. All client computers are required to be current on OS patches and anti-virus software and definitions.
• Once a NIC has been allowed onto the network, an IP address is requested via Dynamic Host Configuration Protocol (DHCP) by sending its MAC address to a DHCP server which also maintains a table of valid MAC addresses, and gives an IP address for known MAC addresses. Without a valid IP address, no computer will be able to use the Internet or most service s on the local campus. There are also various tools used to scan for other problems on campus.
• All unrestricted public access areas labs on campus, including Donnelly and the library, are allowed unrestricted access to local applications in these areas, such as Word, Excel and other desktop applications, but are forced to logon authenticate for web surfing using a web proxy server, similar to what is done for off campus access to the library resources.