New Hanover County Information Technology Department
Policy Number: 6-02
Issued: 10/09/02
Subject: REMOTE ACCESS POLICY
PURPOSE AND SCOPE:
The purpose of this policy is to define standards for connecting to New Hanover County Government's network from any workstation, server or wireless device. These standards are designed to minimize the potential security exposure to New Hanover County Government from damages that may result from unauthorized use of New Hanover County Government resources. Damages include the loss of sensitive or confidential data or intellectual property, damage to public image, damage to critical New Hanover County Government internal systems, etc. Any employee found to have violated this policy may be subject to disciplinary action, as outlined in the Personnel Manual.
This policy applies to all New Hanover County Government employees, contractors, vendors and agents with a New Hanover County Government-owned or personally owned computer or workstation used to connect to the New Hanover County Government network. This policy applies to remote access connections used to do work on behalf of New Hanover County Government, including reading or sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems.
CHANGE SUMMARY:
None. This is the Original Document.
POLICY:
General
1. It is the responsibility of New Hanover County Government employees, contractors, vendors and agents with remote access privileges to New Hanover County Government's network to ensure that their remote access connection is given the same consideration as the user's on-site connection to New Hanover County Government.
2. General access to the Internet for recreational use by immediate household members through the New Hanover County Government Network on personal computers is permitted for employees that have flat-rate services. The New Hanover County Government employee is responsible for ensuring that the family member does not violate any New Hanover County Government policies, does not perform illegal activities, and does not use the access for outside business interests. The New Hanover County Government employee bears responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the network via remote access methods, and acceptable use of New Hanover County Government's network:
a. Acceptable Encryption Policy (future)
b. Virtual Private Network (VPN) Policy (future)
c. Wireless Communications Policy (future)
Requirements
1. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy (future).
2. At no time should any New Hanover County Government employee provide his or her login or email password to anyone, not even family members.
3. New Hanover County Government employees and contractors with remote access privileges must ensure that their New Hanover County Government-owned or personal computer or workstation, which is remotely connected to New Hanover County Government's network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
4. New Hanover County Government employees and contractors with remote access privileges to New Hanover County Government's network must not use non-New Hanover County Government email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct New Hanover County Government business. Lotus Notes email is the only official email for New Hanover County Government.
5. Routers for dedicated ISDN lines configured for access to New Hanover County Government network must meet minimum authentication requirements of Challenge Handshake Authentication Protocol (CHAP).
6. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware and security configurations must be approved by the IT Department.
9. All workstations, servers or wireless devices that are connected to New Hanover County Government internal networks via remote access technologies must use the most up-to-date anti-virus software. This includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.
10. Personal equipment that is used to connect to New Hanover County Government's network must meet the requirements of New Hanover County Government-owned equipment for remote access.
11. Organizations or individuals who wish to implement non-standard Remote Access solutions to the New Hanover County Government production network must obtain prior approval from the IT Department.
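To make requirement 6 concrete from the defender's side, the following is an added example (not part of the county's policy or of any county tooling) that reads `ip route show` style output and flags the two conditions the policy forbids: a VPN tunnel that is up while the default route still leaves through the local network card (split-tunneling), and default routes on more than one physical interface (dual homing). The three route tables, the interface names, and the assumption that tunnel interfaces are named `tun*` or `wg*` are constructed for this example; the `0.0.0.0/1` plus `128.0.0.0/1` pair is counted as a full default route because that is how OpenVPN's `redirect-gateway def1` option overrides the default route.

```python
import re

# Assumption for this example: VPN tunnel interfaces carry one of these name prefixes.
TUNNEL_PREFIXES = ("tun", "wg")


def parse_routes(table):
    """Yield (destination, device) pairs from `ip route show` style output."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 3 or "dev" not in parts:
            continue
        yield parts[0], parts[parts.index("dev") + 1]


def default_devices(table):
    """Interfaces that carry a default route.

    A plain 'default' (0.0.0.0/0) counts, and so does the pair
    0.0.0.0/1 + 128.0.0.0/1 that a full-tunnel VPN client installs to
    win over the existing default route.
    """
    full = set()
    halves = {}
    for dst, dev in parse_routes(table):
        if dst in ("default", "0.0.0.0/0"):
            full.add(dev)
        elif dst in ("0.0.0.0/1", "128.0.0.0/1"):
            halves.setdefault(dev, set()).add(dst)
    full.update(dev for dev, seen in halves.items() if len(seen) == 2)
    return full


def is_tunnel(dev):
    return dev.startswith(TUNNEL_PREFIXES)


def assess(table):
    """Return a list of policy findings for one host's routing table (empty = compliant)."""
    findings = []
    all_devs = {dev for _, dev in parse_routes(table)}
    defaults = default_devices(table)
    tunnels = {d for d in all_devs if is_tunnel(d)}

    # Split-tunneling: a tunnel exists, but Internet-bound traffic does not use it.
    if tunnels and not any(is_tunnel(d) for d in defaults):
        findings.append(
            "split-tunneling: VPN tunnel %s is up but the default route leaves via %s"
            % (sorted(tunnels), sorted(defaults - tunnels))
        )

    # Dual homing: more than one non-tunnel interface has a default route.
    physical = defaults - tunnels
    if len(physical) > 1:
        findings.append(
            "dual homing: default routes via more than one interface %s" % sorted(physical)
        )
    return findings


# Constructed sample routing tables (not captured from any real host).
FULL_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

DUAL_HOMED = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
default dev ppp0 scope link metric 200
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
198.51.100.7 dev ppp0 proto kernel scope link src 198.51.100.42
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL),
                        ("dual homed", DUAL_HOMED)):
        print(name, "->", assess(table) or "compliant")
```

The check is a heuristic: it only sees what the routing table shows, so a second network reached through an application-level proxy, or a modem session that installs no default route, will not be flagged. It is meant as a quick pre-connection test on a home workstation, not as a substitute for enforcing a full-tunnel configuration on the VPN concentrator.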
OTHER INFORMATION:
Term: Definition
Cable Modem: Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI: Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies a particular PVC endpoint within a user's access channel in a frame relay network, and has local significance only to that channel.
Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates them back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
a. Being logged into the NHC network via a local Ethernet connection, and dialing into AOL or another Internet service provider (ISP).
b. Being on a New Hanover County Government-provided Remote Access home network, and connecting to another network, such as a spouse's remote access.
c. Configuring an ISDN router to dial into New Hanover County Government and an ISP, depending on packet destination.
DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).
Frame Relay: A method of communication that can scale incrementally from the speed of an ISDN line to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per-time usage charge. Frame Relay connects via the telephone company's network.
ISDN: There are two flavors of Integrated Services Digital Network (ISDN): Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI is used for home office/remote access. BRI has two "Bearer" (B) channels at 64 kbit/s each (128 kbit/s aggregate) and one D channel for signaling information. PRI has 23 B channels with a single 64 kbit/s D channel.
Remote Access: Any access to New Hanover County Government's network through a non-New Hanover County Government controlled network, device, or medium.
Split-tunneling: Simultaneous direct access to a non-New Hanover County Government network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into New Hanover County Government's network via a VPN tunnel.
VPN: Virtual Private Network (VPN) is a method for accessing a remote network via "tunneling" through the Internet.
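As an added illustration of the CHAP definition above (example code written for this page, not part of the county's policy or of any router vendor's implementation), the following Python models the RFC 1994 exchange that requirement 5 relies on: the authenticator sends an identifier and a random challenge, the peer answers with the MD5 hash of identifier, shared secret and challenge, and the authenticator recomputes the hash from its own copy of the secret and compares. The secret itself never crosses the link, and a response is only good for the challenge it was computed against. The class names `Authenticator` and `Peer`, the `run_exchange` helper and the sample secret are assumptions made for this example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5 over Identifier || Secret || Challenge Value.

    The one-way hash is what lets the peer prove knowledge of the secret
    without ever transmitting the secret itself.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges, e.g. a remote access server or ISDN router."""

    def __init__(self, secrets):
        self._secrets = secrets        # name -> shared secret (bytes); assumed store
        self._identifier = 0
        self._challenge = None

    def issue_challenge(self, challenge=None):
        """Send a fresh (identifier, challenge value) pair; random unless supplied."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._challenge = challenge if challenge is not None else os.urandom(16)
        return self._identifier, self._challenge

    def verify(self, identifier, name, response):
        """Recompute the expected hash and compare in constant time."""
        if self._challenge is None or identifier != self._identifier:
            return False
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self._challenge)
        self._challenge = None     # each challenge is accepted at most once
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated, e.g. a home router dialing in."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(authenticator, peer, challenge=None):
    """Drive one Challenge -> Response -> Success/Failure round; returns True on success."""
    identifier, value = authenticator.issue_challenge(challenge)
    name, response = peer.respond(identifier, value)
    return authenticator.verify(identifier, name, response)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    server = Authenticator({"router-home-42": b"correct horse battery staple"})
    print("good secret:", run_exchange(server, Peer("router-home-42", b"correct horse battery staple")))
    print("bad secret: ", run_exchange(server, Peer("router-home-42", b"guess")))
```

Because the challenge changes every time, a captured response cannot be replayed against a later challenge; the remaining weakness of CHAP is that the authenticator must hold the secret in a recoverable form, which is why the policy's pass-phrase strength requirements still matter.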
CHANGE HISTORY:
Version  Date      Author  Comments
A        3/19/02   SCT     Original Document
B        10/09/02  SCT     Revised per Director Comments