The use of computing and networking resources at the University of Colorado Denver|Anschutz (CU Denver/Anschutz)
is a privilege, and, like any other privilege, carries with it the responsibility for making use of
these resources in an efficient, ethical, and legal manner. CU Denver/Anschutz depends upon the spirit of mutual
respect and cooperative attitudes to ensure that everyone has equal privileges, privacy, and protection from
interference or harassment. The systems shall be used in a manner consistent with the instructional, research,
and administrative objectives of the University community in general and with the purpose for which such use was
intended. CU Denver/Anschutz reserves the right to examine users' stored information when investigating cases of
computing abuse or misrouted electronic mail. In addition, CU Denver/Anschutz may withdraw computing privileges
when violations have occurred.
As a condition of use of CU Denver/Anschutz computing facilities, the user agrees:
Campus computing policy does not allow home wireless users to connect to the university network via UC Denver's virtual private network (VPN) without vulnerability mitigation. The IT Services department has developed several wireless security best practices that, if used, would allow you to use your home wireless system to access university data. These practices are based on a defense in depth (DiD) strategy. DiD involves implementing a set of barriers between your data and potential eavesdroppers. The individual barriers are not in themselves daunting, but when presented en masse, they provide a significant challenge to eavesdroppers.
The IT Services department recommends the following six security layers for home wireless users:
Home wireless systems have different capabilities, configurations, and documentation. Furthermore, some systems may not support the entire list of DiD recommendations, so we present them in priority order. The first three recommendations are mandatory if you want to access university data from your home wireless network. The other three recommendations are highly desirable, but some manufacturers may not provide them.
Encrypt your home wireless network - mandatory. Many older home wireless systems use Wired Equivalent Privacy (WEP) for their encryption. Unfortunately, the WEP encryption technique has been compromised and is no longer useful in any wireless environment. We require that you use WEP's follow-on encryption method, which is known as Wi-Fi Protected Access (WPA). WPA uses a longer key (up to 256 bits) that changes periodically (with a default of 50 minutes). This longer, changing key provides you with adequate security against eavesdroppers. We recommend you use the pre-shared key (WPA-PSK) mode for your home wireless system.
Change the default password needed to access your wireless devices - mandatory. Wireless access points and routers require passwords for initial configuration and maintenance. These devices have factory default passwords. You should change these default passwords when you set up your system. Make sure to choose a complex password so it will be harder to compromise. Your password should consist of a minimum of eight characters, selected from numbers, upper- and lower-case letters, and special characters.
Register your home wireless computers - mandatory. We require you to enable media access control (MAC) address registration on your home wireless network. The MAC address is a set of numbers and letters uniquely assigned to every networking device. That is, MAC addresses are universally unique. The benefit of MAC address registration and filtering is that wireless access is provided to only those computers you authorize.
Change the default home wireless network name - optional, but highly recommended. The name of your home wireless network is called its service set identification (SSID). The SSID can be set to anything you desire. Changing the SSID from the industry default name (which is how your wireless network will initially boot up) makes it slightly more difficult for casual users to see.
Disable the broadcasting of the home wireless network name - optional, but highly recommended. We recommend you set your SSID so that it does not broadcast its services. By default, most wireless networks are set to broadcast their presence, so anyone can easily join the wireless network. By disabling the broadcast SSID, you make it harder for uninvited guests to use your home wireless network.
Limit the number of simultaneous users - optional, but highly recommended. We recommend you set your home router to support only the number of computers you possess. That is, only issue enough IP addresses to support your home network. By limiting the number of IP addresses that you can simultaneously support, you mitigate the risk of an eavesdropper gaining access to your network.
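The encryption and network-name recommendations above are linked: in WPA-PSK mode the 256-bit key is derived from your passphrase with the SSID as the salt, so a network left on a factory-default name shares its salt with every other network using that name. The Python sketch below is an added illustration, not part of the IT Services guidance; the function names and the sample list of default SSIDs are constructed for the example.

```python
import hashlib

# Constructed sample of factory-default network names (illustrative, not exhaustive).
SAMPLE_DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "belkin"}


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA pre-shared key as hex.

    WPA/WPA2 personal mode computes
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    pw = passphrase.encode("ascii")  # non-ASCII raises UnicodeEncodeError (a ValueError)
    if not 8 <= len(pw) <= 63 or any(not 32 <= b <= 126 for b in pw):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()


def review_network(passphrase: str, ssid: str) -> dict:
    """Derive the key and flag an SSID that is still a factory default."""
    return {
        "ssid": ssid,
        "psk": derive_wpa_psk(passphrase, ssid),
        "default_ssid": ssid.lower() in SAMPLE_DEFAULT_SSIDS,
    }


if __name__ == "__main__":
    phrase = "constructed example passphrase"  # sample value, not a real key
    for name in ("linksys", "Maple-Street-42"):
        r = review_network(phrase, name)
        flag = "CHANGE SSID" if r["default_ssid"] else "ok"
        print(f'{r["ssid"]:<16} {r["psk"][:16]}...  {flag}')
```

The same passphrase yields unrelated keys under the two names, which is why a unique SSID adds to the protection the passphrase provides.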
Please also be aware that by extending the campus network to your home via the campus VPN, you may also be extending your HIPAA obligations to your premises. So you will also be required to ensure that PHI, intellectual property, and sensitive data are not available to others using your home computer that you use to connect to the university.
Technically intimidated? There are a number of local vendors who can help you select and set up your home wireless network so that it complies with these standards. Some vendors you may wish to contact include: Geeks on call, Geek Squad, Mile High PC Techs, Connect A Tech, Rocky Mountain Computer, or Continuous Technology Solutions.