NOAO Remote Access Policy

1.0 Purpose

The purpose of this policy is to protect NOAO's electronic information from being inadvertently compromised by authorized personnel using a dial-in, remote ssh, remote VPN, or any other network connection.

2.0 Scope

The scope of this policy is to define appropriate remote access and its use by authorized personnel.

3.0 Policy

Remote access to NOAO computing facilities must be done in a secure manner that does not reveal passwords or data. No Internet protocols that pass login credentials in clear text will be allowed. Thus telnet, rlogin and the other Berkeley r-commands, and non-anonymous FTP must be blocked. Email servers must use protocols that do not transfer clear-text passwords. Preferred techniques for remote access feature data encryption as well as secure exchange of login credentials; examples include ssh version 2 and VPN tunnels.

NOAO employees and authorized third parties (staff, management, visitors, researchers, students, system administrators, vendors, etc.) can use remote connections (dial-in, ssh version 2 or VPN) to gain access to the corporate network. Information and account setup for remote access connections may be obtained through the CIS department.

Dial-in access is strictly controlled, using password authentication.

Remote ssh connections will use, if at all possible, certificate authentication instead of password authentication. Ssh connections to particular machines will be restricted to particular subsets of IP space through the use of firewall rules or, if necessary, /etc/hosts.allow files. Ssh version 1 is insecure; only version 2 of the protocol is acceptable.
VPN connections are allowed on a case-by-case basis and require the installation of a client on the remote machine.

It is the responsibility of employees with remote access privileges to ensure that non-employees do not use their remote connection to NOAO to gain access to company information system resources. An employee who is granted remote access privileges must remain constantly aware that connections between their location and NOAO are literal extensions of NOAO's corporate network, and that they provide a potential path to the company's most sensitive information. The employee and/or authorized third-party individuals must take every reasonable measure to protect NOAO's assets. Thus the local network supporting the machine conducting the remote access connection to NOAO must be kept clean of malware by proper use of anti-virus and firewall technology.

Note: Dial-in and remote VPN accounts are considered as-needed accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months the account will expire and no longer function.
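The ssh rules above can be checked mechanically. The following shell script is an added example, not part of the NOAO policy: it audits an OpenSSH sshd_config for protocol 2 only and key-based rather than password authentication, and checks that the first sshd rule in a hosts.allow file names an explicit client list rather than ALL. The sample files, paths and the 192.0.2.0/24 range are constructed, and mapping the policy's "certificate authentication" to OpenSSH's PubkeyAuthentication keyword is an assumption.

```shell
#!/bin/sh
# Added audit helper, not part of the NOAO policy document: checks an
# OpenSSH sshd_config and a TCP-wrappers hosts.allow against the policy's
# rules (protocol 2 only, key auth preferred, sshd restricted by source IP).
# Assumes OpenSSH keyword syntax, where the first occurrence of a keyword wins,
# and an OpenSSH release that still honours the Protocol keyword.

# Print the effective value of a keyword in sshd_config (empty if unset).
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Returns 0 if sshd_config $1 meets the policy, 1 otherwise; findings go to stdout.
check_sshd_policy() {
    rc=0
    proto=$(sshd_value "$1" Protocol)
    [ "$proto" = "2" ] || { echo "FAIL: Protocol must be 2 (found '${proto:-unset}')"; rc=1; }
    pw=$(sshd_value "$1" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication should be no (found '${pw:-unset}')"; rc=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    return $rc
}

# Returns 0 if the first sshd rule in hosts.allow $1 names an explicit client
# list rather than ALL (TCP wrappers stop at the first matching rule).
check_hosts_allow() {
    awk -F: '$1 ~ /^[ \t]*sshd[ \t]*$/ { gsub(/[ \t]/, "", $2); found = 1; exit ($2 == "ALL") }
             END { if (!found) exit 1 }' "$1"
}

# Constructed sample files; 192.0.2.0/24 is a documentation range used as a placeholder.
write_samples() {
    printf 'Protocol 2,1\nPasswordAuthentication yes\n' > "$1/sshd_config.weak"
    printf 'Protocol 2\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$1/sshd_config.ok"
    printf 'sshd: ALL\n' > "$1/hosts.allow.weak"
    printf 'sshd: 192.0.2.0/255.255.255.0\n' > "$1/hosts.allow.ok"
}

# Demonstration: returns 0 only if the weak files fail and the compliant ones pass.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    if check_sshd_policy "$dir/sshd_config.weak" >/dev/null; then return 1; fi
    check_sshd_policy "$dir/sshd_config.ok" || return 1
    if check_hosts_allow "$dir/hosts.allow.weak"; then return 1; fi
    check_hosts_allow "$dir/hosts.allow.ok" || return 1
    rm -rf "$dir"
}
```

Run `demo` to exercise the checks on the constructed samples, or point `check_sshd_policy` and `check_hosts_allow` at a real host's files to get the failing items listed on stdout.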
4.0 Revision History

First Edition: [month illegible] 15, 2006
Updated: July 12, 2006
Updated: November 19, 2006
Updated: February 16, 2007
Updated: March 15, 2007
Updated: September 28, 2009