Unauthorized system scans pose a threat to the availability, integrity,
and confidentiality of University information resources. Unauthorized
scans can be a prelude to the disclosure of sensitive data and can cause
loss of service and loss of reputation in the global community. When used
properly and with the appropriate authority, scanning is recognized as
an excellent tool for protecting the University’s information resources.
This policy covers the guidelines for scanning the University’s
information systems infrastructure.
ISO: The Information Security Office is responsible for coordinating
computer security efforts within the University.
Network Port: A numeric identifier used to distinguish between different
network services (e.g., HTTP, Telnet, FTP) on the same computing system.
Although port numbers range from 0 to 65535, many well-known services
have reserved port numbers between 0 and 1024 (e.g., HTTP uses port 80,
Telnet uses port 23, and FTP uses ports 20 and 21). To establish a session
with a host, a network request must be sent to the appropriate port number
on the host (e.g., to establish an HTTP session with a web server, your
workstation software will send a request to port 80 of the web server).
Port Mapping: The process of sending data packets to selected service
port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the
purpose of identifying available network services on that system. This
non-invasive process is helpful for troubleshooting system problems or
tightening system security. Network port scanning is an information gathering
process, and when performed by unknown individuals it is considered a
prelude to attack.
Scanning: The process of gathering information on computing systems,
which may be used for system maintenance, security assessment and investigation,
and for attack. This process includes port mapping and vulnerability scanning.
If used properly, scanning of this type is an excellent tool for protecting
University information resources. Unauthorized scans can be a prelude
to the disclosure of sensitive data, loss of service, and damage to the
University’s reputation in the global community.
Security Advisory Committee (SAC): Created by the Office of Information
Technology (OIT) to examine security issues that affect the University
of Tennessee and develop responses that meet the University’s operational
needs and business objectives.
University: The University of Tennessee Knoxville Campus and all property
owned, operated, and served by UTK resources.
Vulnerability Scanning: The process of identifying known vulnerabilities
of computing systems on the network. This process goes a step beyond identifying
the available network services of a system as performed by a network port
scan. The vulnerability scan identifies specific weaknesses in the operating
system or application software, which can be used to compromise or crash
the system. The vulnerability scan is also an information gathering process,
and when performed by unknown individuals it is considered a prelude to
It is the policy of the University of Tennessee that no computer system
connected to the University’s network shall be used to perform port
mapping or vulnerability scanning of the University of Tennessee, Knoxville
information systems infrastructure, in its entirety, without prior written
consent of the Security Advisory Committee. Port mapping or vulnerability
scanning on any computer system (including internal and external systems)
shall only be performed under the following conditions:
1. The owner or system administrator of a system(s) may perform a port
map or vulnerability scan on that system(s).
2. A University employee may conduct a port map or vulnerability scan
on a system on behalf of another after mutual agreement between the owner
and/or system administrator of that system. The scanning process requires
prior approval by the owner or administrator of the system.
3. Approved LAN and Desktop Support and Network Services staff may conduct
a port map in an effort to resolve a service problem, as a part of normal
system operations and maintenance, or to enhance the security of University
4. The University Information Technology Security Group performs a port
map or scan to monitor compliance with University policy, to perform security
assessments, or to investigate security incidents.
5. Approved University support staff shall perform an unauthorized vulnerability
scan on a system in cases where directed by local, state, or federal authorities.