NYU IT NYU-NET Operational Principles
The following statements express many of the fundamental Principles governing the day-to-day operation and configuration of NYU-NET as managed by the Information Technology (NYU IT) Network Operations Center (NOC). The NOC has day-to-day responsibilities for NYU-NET and is the point of contact for many issues associated with these Principles. The NOC is staffed by members of the NYU IT Technology Operations Services (NYU IT TOS) division.
These Principles are followed so as to maintain the smooth and reliable operation of NYU-NET through careful adherence to widely-recognized, industry-standard approaches. Network configuration and management at the school or departmental level must be performed in conformance with these Principles.
If a topic of interest is not mentioned explicitly below, please consult the IT Service Desk (www.nyu.edu/it/servicedesk).
1. Network Infrastructure
a. Communications Cabling
Fiber-optic or twisted-pair copper network cabling, including data jacks and telecommunications closet terminations, may not be installed in any University building or department location except by NYU IT TOS. NYU IT TOS oversees the installation and repair of communications cables at all University facilities supported by NYU IT.
b. Radio Frequency (RF) Spectrum and Wireless Access Points
NYU IT deploys a variety of wireless services for use by the University community that utilize the radio frequency spectrum. To maintain the reliability of these services, it is necessary for NYU IT to coordinate the use of the wireless spectrum on University premises. With the exception of cellular phones, any device that is going to be installed or utilized on University premises that generates RF transmission signals must be approved by NYU IT. Installation of wireless access points for wireless data networking by non-NYU IT organizations is not permitted.
c. Network Equipment
The acquisition, installation, and management of all network electronics and communications infrastructure equipment at NYU-NET facilities are the sole responsibility of NYU IT TOS. The purchase and use of this class of equipment by any other entity is prohibited, unless NYU IT has formally delegated responsibility for this equipment and its services to another school or division (see the Management of NYU Network Infrastructure Resources Policy at www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/nyu-network-infrastruture.html). Examples of prohibited classes of equipment include, but are not limited to, the following:
- Network Switches
- Network Routers
- Network Firewalls
- Network Load Balancers
- VPN Appliances
- Wireless Access Points and WLAN Controllers
- SOHO "Wireless" Routers
- Virtualized, software-based instances of any of the above
2. Network Management and Analysis
a. Network Monitoring and Management
The monitoring and management of all NYU-NET Infrastructure is the sole responsibility of NYU IT TOS. The purchase, installation or use of Network Management Systems to "probe" NYU-NET infrastructure or network servers is prohibited.
3. Network Naming and Addressing
a. Top-Level Domain Names (TLDs) within NYU.EDU
The University's DNS structure is architected to reflect the organizational hierarchy of the University, with each department's or division's hosts and services registered within their respective subdomains. Top-level domain names directly under NYU.EDU are allocated exclusively for centralized services offered to the entire University community (e.g., HOME.NYU.EDU, EMAIL.NYU.EDU) or when necessary for technical reasons. Contact firstname.lastname@example.org for more information.
b. Top-Level Domain Names (TLDs) with Non-Academic Extensions
NYU IT TOS provides hosting support for non-NYU.EDU domains or domains with non-academic extensions (e.g., .com, .org) on the University's central DNS servers in a limited number of cases. The request for DNS support of a non-NYU.EDU domain must meet the guidelines outlined in the Procedures for Registering and Managing Internet Domain Names Outside NYU.EDU: www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/domain-names-outside-nyuedu-policy.html. All non-NYU.EDU domains hosted by NYU IT will be registered by NYU IT TOS using our registrar. Contact email@example.com for more information.
c. Hosting NYU.EDU Domain Names on External Servers
Units within NYU that require an "external" resource to appear on the "NYU.EDU domain" must have a formal business agreement with the entity in question. This business agreement must include the following:
i. Limitations on NYU's liability for any content that appears on the site (and therefore looks like it is being published by NYU because of the name).
ii. A procedure in place to quickly remove any content on the site that has the potential to harm NYU.
The supporting documentation detailing the agreement must be provided to firstname.lastname@example.org so that NYU IT can review the information and determine if further consultation with University administration is necessary in order to approve the request. Under no circumstance should individuals register domains outside NYU.edu by themselves or with a third-party vendor or service. If off-site hosting is desired, parties are required to work with NYU Hostmaster to register an NYU.EDU domain and extend it to the hosting service.
d. IP Address Space
i. NYU IT TOS is the authority for the registration and management of all NYU-owned public IPv4 and IPv6 address space.
ii. NYU IT TOS is the authority and sole delegator of private IPv4 address space (RFC 1918 ranges) used on all NYU's campuses and sites supported by NYU IT.
Questions or concerns regarding existing IP address delegations on NYU-NET should be directed to email@example.com.
e. Network Access/Admission on NYU-NET
All devices connecting to NYU-NET must be registered and/or authenticated by the owner, primary user, or a responsible NYU-affiliated party. Devices connected to NYU-NET should be configured to obtain all of their TCP/IP settings automatically using DHCP. If a device cannot support this configuration, alternate arrangements, including the validation of static settings, must be coordinated with NYU IT TOS prior to the device's installation and connection to NYU-NET.
General purpose computing devices that require wired Ethernet access on NYU-NET must be registered by a given department or school's IT group or technical staff, or whoever is responsible for installing, configuring, and/or maintaining the device(s). In addition, at many locations, including Residential spaces ("ResNet"), wired laptops and desktops may be self-registered by clients on an individual basis (using their NYU NetID) through the NYU-NET Computer Self-Registration system. If a University department or unit does not have an IT group or technical staff of any kind, the device's owner must contact firstname.lastname@example.org to register the device. Devices connecting to NYU-NET through NYURoam wireless service require NYU NetID-based authentication at the time of access (see www.nyu.edu/it/wireless/ for more information and instructions).
4. Acceptable Use
a. Commercial Activities
Commercial services of any type may not be offered on NYU-NET, nor may anyone use an NYU-NET connection or resource for unauthorized commercial purposes.
b. Multi-user/Shared Access Devices
Unauthenticated access to NYU-NET or connected networks is not permitted. A department requiring a computing lab should work with NYU IT to ensure that the configuration and registration of multi-user devices is consistent with the above Network Access/Admission policy.
5. Remote Access and External Network Connections
a. Connections to Outside Networks or Service Providers while on-campus
Devices on campus that are connected to NYU-NET via the wired or wireless service may not simultaneously be connected to another network (e.g., public Wi-Fi).
NYU IT TOS is solely responsible for the procurement and installation of communications circuits on University premises by telecommunications carriers or Internet service providers. Individual departments or schools are not authorized to procure external connectivity services unless authorized by NYU IT TOS.
b. Fixed Site-to-Site and Remote Access VPN Tunnel Connections
Site-to-site VPN tunnels ("LAN Extension" VPN) between an NYU-NET host and another host or network infrastructure component on another network are not permitted. Such tunnels expose NYU-NET to security risks by circumventing the access controls already in place to protect NYU-NET from attacks. For information about the NYU IT External Vendor Site-to-Site VPN service, please contact email@example.com.
The function of the centrally managed Remote Access VPN service is to provide client-based connectivity to NYU-NET resources for individual users physically located off campus. Supported off-campus clients are general-purpose operating systems and mobile devices. Using an external router or other network device as a remote access VPN client is not a supported or intended configuration for the service.
6. Network Services
a. Non-IP Protocols
The NOC currently operates NYU-NET as an IP-only network supporting both IPv4 and IPv6. Support for IPX and AppleTalk has been deprecated and is no longer provided by the NOC. All applications must support and utilize TCP/IP connectivity to function on NYU-NET. In addition, all applications must be able to function in an enterprise network environment with more than one network segment or LAN. Applications should not rely on legacy communication methods such as all-hosts broadcast.
b. Domain Name Service
NYU-NET supports the IETF/Internet host naming scheme called the Domain Name Service (DNS). Due to significant incompatibilities with this standard, the legacy Microsoft naming scheme, WINS, is not supported. Microsoft Active Directory domain name services should be deployed in conjunction with the University's central DNS. The namespace for Active Directory domains must be delegated through NYU IT Hostmaster to ensure compatibility with the University's central DNS as well as prevent overlap with other AD domains already delegated for use on NYU-NET.
c. DHCP and Recursive DNS Services
NYU IT TOS maintains highly available, fault-tolerant clusters of DHCP and recursive DNS servers at each NYU campus with NYU-NET service. These servers ensure the uninterrupted and reliable assignment and registration of IP addresses for all hosts on NYU-NET. Individual departments may not run such servers of their own, except under special arrangement with the NOC. These central servers also support network (Net/PXE) booting. The NOC sets the standards for all DNS services and servers, and grants exceptions to the DHCP restriction for departments that utilize Net/PXE booting.
d. IP Multicast
NYU-NET fully supports the use of IPv4 multicast applications. Because misconfigured multicast sources can affect the overall reliability of NYU-NET, all servers or devices acting as multicast sources must first be approved by NYU IT TOS. The NOC must be contacted before any end host may source multicast traffic on NYU-NET. By design, in most cases any "client" host may connect to a multicast stream (i.e., join a multicast group) without the NOC's intervention.
e. Network Port-Security Settings
The NOC implements several network protection mechanisms to ensure the reliability of NYU-NET services. These include, but are not limited to, traffic storm suppression, network loop prevention, rogue DHCP server prevention, and ARP inspection. These mechanisms may be triggered automatically, disabling one or more hosts' access to protect the overall stability of NYU-NET.
f. Proxy Servers
NYU IT runs an HTTP/HTTPS web proxy server for specific use cases. Application proxy servers can consume a large amount of bandwidth on the network and pose a security risk to NYU-NET unless extremely carefully managed. Departments that have a business case that requires the installation of a proxy server must first contact NYU IT to develop a solution that does not adversely impact NYU-NET.
g. FTP and Web Server Appropriate Use
FTP or web servers intended to distribute copyrighted or pirated software on NYU-NET or the Internet are illegal and not permitted on NYU-NET. Any group wishing to establish an FTP or web server for distribution of large amounts of data should contact NYU IT for guidance. Such activity affects traffic flows on the network and has a direct impact on the performance of NYU-NET at large.
You may not run any services (FTP services, listservers, publishing MP3s via file-sharing sites, etc.) over a ResNet (residence hall) connection, except HTTP (web) servers. Web servers are allowed on the wired ResNet network, but must follow the guidelines on the legal and policy requirements for the use of copyrighted materials at NYU, including the Educational and Research Uses of Copyrighted Materials Policy Statement.
h. High-bandwidth Network Applications
High-bandwidth projects or activities, including streaming video, videoconferencing, and backup services, should be planned and conducted in coordination with NYU IT TOS. In particular, projects that require the use of the University's external connections, such as Internet connections and Research and Education connections, must be coordinated with NYU IT TOS, since these connections are shared among all members of the NYU community.