Rules for the CZU SCIENCE network
DEFINITION OF THE CZU SCIENCE NETWORK
The Department of Information and Communication Technologies of the Czech University of Life Sciences in Prague (OIKT) establishes and operates a special type of data network with the designation of CZU SCIENCE.
The CZU SCIENCE Networks are generally designed to connect terminal equipment (PCs, laptops ...) and network infrastructure elements (IT equipment) that OIKT can not manage in a centralized manner or it is not suitable for the specified reasons, to connect to the CZU computer network and simultaneously there is a reasoned request for traffic within the IT infrastructure of the CZU.
Category of IT equipment suitable for connection to the CZU Science Network:
- Servers or PC stations for special scientific purposes owned by third parties
- Scientific IT facilities that are fully managed under a valid third-party service agreement
- Scientific IT equipment owned by the CZU working with a different OS than MS Windows is used for a specific research project and does not allow the use of Active Directory services from the CZU.CZ domain
IT equipment that does not meet any of the above categories must only be connected to the CZU operating environment and be subject to the 802.1X security rules applied to the CZU.
How to connect IT devices to the CZU SCIENCE network
IT equipment is connected to the CZU SCIENCE network on the basis of a request confirmed by the head of the relevant workplace / center that the IT equipment will operate. The application for connection of IT equipment to CZU SCIENCE must be sent by the Helpdesk application.
The OIKT Manager reserves the right to reject the application if the required IT equipment connection could cause problems in the operation of the entire CIS data network. In this case, the OIKT Manager or an OIKT Delegate will promptly contact the applicant and attempt to propose a substitute solution.
For each connected IT device, the responsible person from the CUL staff (hereinafter referred to as the owner) must be clearly defined and the head of the relevant workplace / center is responsible for updating this person in the event the employee concerned establishes the employment relationship with the CZU.
IT Device Traffic Policy in SCIENCE NETWORKS
- IT devices are fully managed and managed by the owner, and they are fully responsible for the operation of this IT device
- OIKT provides selected network services at the agreed interface (see below for a summary of the provided services for the CZU SCIENCE network) as specified and these services are delivered in a quality corresponding to the service contracts concluded by OIKT with the suppliers of the CZU
- OIKT assumes no liability for damages incurred on IT equipment connected to the CZU SCIENCE network or its operation, loss of data, etc. OIKT does not provide connection of these IT devices to the system of Central Backup and Data Archiving.
The identifying names of the end IT equipment must meet the naming convention in the form of the "owner-SN-XX login", where XX is the IT number of the device (eg NOVAK-SN-01). Allowed characters are letters, numbers, and the "-" character. Compliance with this naming convention is key to the proper functioning of DNS services and corresponds to their implementation in the CZU network. - IT equipment must at all times have a clearly defined owner who is an active employee of the CZU.
OIKT will provide the necessary co-operation if a third party carries out a service for the given IT equipment but does not guarantee the response time to deal with operational incidents on IT equipment at the CZU Science Network, except for the provided services (see below for the CZU SCIENCE Survey). - In the case of IT equipment owned by the CBA, OIKT reserves the right to install an inventory tool (for sw audit and physical inventory of IT equipment only). Installation will always be done in agreement with the owner. At the OIKT's request, the IT owner is obliged to provide the necessary cooperation with OIKT personnel as part of a software or hardware audit.
- If an IT device exhibits security threats, OIKT reserves the right to restrict access to the services provided in the CZU SCIENCE network for a period of time necessary, ie to de-facto access to the CMA data network. OIKT has to inform the owner about this event and to specify the next steps that will lead to the restoration of the normal operation of IT equipment in the CZU SCIENCE network.
Overview of provided services for the CIS SCIENCE network
The CZU SCIENCES networks are designed as an isolated indoor space for each faculty or a logical unit (eg the Rector's Office). Mutual isolation is designed to secure the entire CIA data network against intrusion from unknown devices and to isolate potential threats to one segment of the CZU NETWORK SCIENCE. This isolated space contains exceptions for additional services, such as DNS (polling only), e-mail, or network printing.
List of services in the CIS SCIENCE network
- access to the global Internet with IPS and SSL / TLS protection on the border element (IPS provides preventive protection against attacks from the outside, and SSL / TLS inspection prevents communication with servers that do not use trusted certificates - untrusted certificates may be expired or spoiled) protection are also logging and monitoring tools,
- use of internal and external DNS servers of the university (ICMP, DNS - polling only),
- access to the faculty network of printers (ICMP, TCP - 9100, UDP - 137, 161, 623). Network access to the faculty or logical unit's printers is enabled from the SCIENCE CMA network,
- access to university postal services:
- sending services via smtp.czu.cz: SMTPS (587, only STARTLS authenticated, instructions in https://helpdesk.czu.cz, Knowledgebase section / Guides and procedures / Access to CZU mail services for employees and PhD students). Relay is not allowed from the science network.
- Novell Groupwise Services: GWAVA Quarantine (49385)
- Exchange Services at email.czu.cz: ICMP, OWA (HTTPS)
- inventory LanDesk: TCP 5007 - server direction, TCP 9595 and UDP 38293 both directions
A request for change of services taken in the CZU SCIENCE network is provided by the owner of IT equipment in the Helpdesk system, OIKT will provide documentation of the modifications made and updating of the technical parameters in the operating documentation. The OIKT manager reserves the right to reject the service change request if the requested change could cause problems in the operation of the entire CMS data network. In this case, the OIKT Manager or an OIKT Delegate will promptly contact the applicant and attempt to propose a substitute solution.
Physical placement of IT equipment
Operating premises for the IT equipment connected to the CZU SCIENCE network are provided by the owner itself. OIKT will, as far as possible, provide a central substation / server room in the CZU buildings.
Service shutdowns of the IT infrastructure of the CZU (Approved Schedule)
IT devices connected to the CZU SCIENCE network are subject to a schedule of scheduled OIKT service shutdowns (see schedule at https://www.oikt.czu/, shutdown section). In planned downtime, some CZU SCIENCE networks may not be available, including power and cooling in the central substation / server.