Managed Network - Internet
This Service Description was last updated with effect from 10th October 2022.
1.1. Overview
Introduction
The Managed Network - Internet service provides an internet connection together with security services.
Features
The Managed Network - Internet service includes the following features:
- Internet Connection A single N4L internet connection of a specified bandwidth (see clause 1.2 Internet Connection).
- Safe and Secure Internet e.g. Web Filtering, Firewall, and DNS Threat Protection over your N4L-provided Internet Connection (see clause 1.2.4 Safe and Secure Internet). We recommend that you use this feature in conjunction with our Recommended Settings. However, you can choose not to use all Recommended Settings in accordance with clause 1.5 (Product Options).
- Cybersecurity Services: Proactive monitoring, reporting, support and guidance material across cybersecurity incidents, vulnerabilities and exposed services.
If you receive an Internet Connection from N4L, some of the services within Cybersecurity Services are required to help us to protect schools from Prohibited Use, as defined in our Acceptable Use Policy. Safe & Secure Internet and the full Cybersecurity Service is not required, though for a high level of cybersafety and cybersecurity protection, we strongly recommend that all Managed Network - Internet features and Recommended Settings are enabled.
Recommended Settings
RECOMMENDED SETTINGS FOR SAFE & SECURE INTERNET
N4L strongly recommends that Schools use the Safe & Secure Internet service with our Recommended Settings, in conjunction with endpoint protection and good security practices, to help protect users from objectionable content and online threats.
If we identify you have removed or opted-out of the Recommended Settings, we will endeavour to either work with you to correct this or record your decision to opt-out (in which case, your school will then be solely responsible for managing the safety and security of your Internet Connection and for ensuring that your School and Your Users comply with N4L’s Acceptable Use Policy).
You will automatically be deemed to have opted-out of our Recommended Settings if you remove any of the following components of the Safe & Secure Internet Service: Web filtering, Firewall or DNS Threat Protection.
For more information, see section 1.6 - Additional Information - Recommended Settings
1.2. Internet Connection
Standard Components
The standard components of the “Internet Connection” are:
- Uncapped national and international internet access to internet sites that are not directly connected to your Internet Connection. Use of the internet is subject to N4L’s Acceptable Use Policy.
- Bandwidth as specified in clauses 1.2.2 (Standard Internet Connection Allocation), or 1.2.3 (Upgrades to the Service).
- Managed Router that does not constrain reasonable use. We will monitor your Internet Connection and upgrade you to a more capable Managed Router when required.
- IP Address Management providing a range of fixed IP addresses to you.
- DNS Resolution providing a URL to IP address resolution service.
- Device and Access Management providing proactive (threshold monitoring, troubleshooting errors) and reactive (device/interface down scenarios) management of the Managed Router to ensure continued operations and availability of services.
- Bandwidth Management providing differing individual types of traffic or individual weights using a traffic scheduler and policies.
- Content Delivery Optimisation using technologies such as caching and CDNs.
Standard Internet Connection Allocation
We allocate a 1Gbps standard Internet Connection to you regardless of your size (or if you are a School, regardless of your roll size), provided:
- you are connected to a UFB or RBI Wholesale Access Service; and
- we can reasonably make the connection available (which is determined at our discretion).
Upgrades to the Service
At its discretion, N4L may upgrade the bandwidth of a School’s Internet Connection. For Schools, such upgrades may be implemented if considered appropriate based on the following considerations:
- a School’s bandwidth usage regularly approaches the maximum standard Internet Connection allocation;
- ensuring equity of provision for Schools with similar needs;
- maintaining quality connectivity for Schools to support teaching and learning;
- student needs and the achievement of learning outcomes (and the associated needs of teachers and support staff in Schools) not being limited by the size of the Internet Connection allocated; and
- ensuring efficient service delivery (for example by avoiding the need for a School to be revisited if a School’s roll is likely to expand in the short term).
Safe and Secure Internet
The standard components of “Safe and Secure Internet” are as follows:
- Web Filtering provides a level of control over all internet content, URL filtering, application filtering, file type filtering, safe-search, real-time scanning of search results for all http and (where you are using SSL Inspection) https traffic.
- Firewall provides malware filtering, virus filtering, intrusion prevention, and the ability to filter IP traffic that traverses the firewall, including traffic leaving your LAN to the internet and from the internet to your LAN. The traffic filtering is based on source IP address, destination IP address, protocol and ports used by applications and devices.
- DNS Threat Protection provides filtered DNS resolution to protect against access to online security threats via the Internet Connection, including but not limited to malware sites and botnet command and control servers.
- DDoS Protection that allows a school to continue to operate should anyone instigate a denial of service attack towards the school to interrupt internet services.
- SafeSearch filters explicit search results for major search providers
Safe and Secure Internet - Recommended Settings
Safe and Secure Internet with our Recommended Settings provides a strong level of protection against identifiable internet threats and objectionable content. Our Recommended Settings for Safe & Secure Internet are as follows:
- Web Filtering - Default Blocked Categories by default we block access to categories of websites that we believe could be harmful to your users, such as websites known for child abuse, pornography or illegal purposes.
- Web Filtering - Default Blocked Firewall Rules by default we block all inbound connections, and will monitor and flag any firewall rules which are likely to put school users or systems at unnecessary risk.
- DNS Threat Protection - On making use of N4L’s secure DNS servers for domain name resolution
See our webpage Safe and Secure Recommended Settings for full details.
N4L strongly recommends that Schools use the Safe and Secure Internet service with our Recommended Settings - refer to clause 1.1.3 above.
Removing or not making full use of all the components of Safe and Secure Internet, including our Recommended Settings, may significantly increase the risk of exposing your school network and users to objectionable content and online threats.
In any case, Schools must be aware that, while Safe and Secure Internet with our Recommended Settings provides a strong level of protection, due to the inherent nature of the internet, N4L cannot guarantee that the Safe and Secure Service provides complete protection against all internet threats and objectionable content. You must notify N4L immediately if you become aware of any actual or potential breach of security or unauthorised access or use of any part of our Services.
See clause 1.5 for further information relating to Safe & Secure Product Options
Service Boundary
The boundary of the Managed Network - Internet service ends at the Managed Router on your premises. That is to say, the service does not extend into your LAN infrastructure, end user devices, or other ICT infrastructure.
Prerequisites
The prerequisites for us to accept your order for the Managed Network - Internet service are:
- the availability of a Wholesale Access Service which is acceptable to us, to connect you to the service; and
- a suitable location for housing our Equipment at your premises, as per the specifications below.
Managed Router Housing Requirements
Each school must:
- ensure that the room housing its Managed Router has adequate air circulation;
- ensure that the room and/or rack housing its Managed Router has restricted access;
- allow clearance, around the rack housing its Managed Router, for maintenance; and
- ensure its Managed Router utilises a permanent ground connection, installed in a secure location.
Ordering
This Service may be ordered as follows:
- New Internet Connection – via an N4L Order Form.
- Moves, Adds or Changes – via:
- manual order form (where available); or
- call or email the N4L Helpdesk.
Term
The term of Your Managed Network - Internet service:
- commences on completion of its provisioning; and
- continues until terminated by us or your, on at least one month’s written notice to the other.
If you terminate the service as above, N4L may invoice the following additional Charges to the extent they are payable by N4L to its suppliers in relation to that termination:
- a $195 termination charge;
- any early termination charges from the Wholesale Access Service provider; and
- a pro-rata proportion of a $300 plus GST network connection provisioning charge that was waived by N4L’s network supplier, in respect of the period following termination and calculated over the first two years of the term.
Upon termination of this service:
- On our request, you will return our Equipment. We will arrange a suitable method to do this e.g arrange courier collection.
- If required by either party, both parties will work together in good faith to jointly develop and agree a plan to effect your disengagement from this service with minimum disruption to either party.
- We will give you all reasonable assistance, at reasonable rates, if you wish to transition to another service provider.
Service Level Targets
N4L will use reasonable endeavours to meet the following service level targets for the Managed Network - Internet service. However, we will not be considered to have failed a target, to the extent the failure is due to:
- you not notifying us of the failure;
- any maintenance on or in relation to the service carried out within a planned maintenance window;
- any Wholesale Access Service outage;
- any breach by you of your agreement with N4L; or
- an Excusable Event for the purposes of clause 7.8 (Causes beyond our control) of our School General Terms or any other event or circumstances outside the reasonable control of N4L or its subcontractors (including a failure of or within your LAN infrastructure, end user devices or other ICT infrastructure).
Availability Description Definition The proportion of time the Internet Connection is: - functioning; and
- available to the School,
- meeting the latency service level target below.
Target Over a rolling 12 months: - UFB and RBI
>99.863% Metro
>99.817% Non-Metro
- Others: Best endeavours
- Remote Access >99.7%
Measurement Manually measured by historical unplanned downtime in relation to P1 and P2 Incidents recorded in the network provider’s systems. Downtime caused outside of the Network Boundary is excluded. Calculation Calculated by: Percentage Uptime = Uptime / (Uptime + Downtime) x 100
Where:
- Uptime is the total time in the period in which the service is operating as defined above.
- Downtime is the total time in the period that is not Uptime.
- The calculation is expressed as a percentage.
Data Source Network monitoring system Latency Description Definition The time taken between an IP packet being transmitted and received at an N4L defined endpoint. Target Best Effort - Average over a month:
UFB and RBI
200 byte packets: <215ms 1472 byte packets: <215ms
- Others: Best endeavours
Measurement Samples from a loopback address from the Managed Router at one site to the loopback address from the Managed Router, at another site nominated by N4L. Calculation Measured as an average on a monthly basis Data Source Network monitoring system Pricing - Fully Funded Schools
With the exceptions below, the Managed Network - Internet service is fully funded by the Ministry of Education for:
- State Schools
- State Integrated Schools
- Partnership Schools
- Health Schools
- The Correspondence School
- Activity Centres.
Full funding includes a reasonable volume of Moves, Adds and Changes (refer clause 4 of Service Description - Self Service). N4L will monitor the volume of MAC requests being made by Schools and will work with Schools to ensure that the efficiency of the MAC request process is optimised.
The only exceptions to full funding for these Schools are where:
- a School continues to require an unreasonable number of MACs after being fairly advised by N4L that its use is unreasonable; or
- there is a physical change at a School site that was not required by the Ministry. In that case N4L will invoice the School for N4L’s time and costs resulting from the physical change.
MAC Charges are payable in accordance with clause 1.2.15 (MAC Charges).
Pricing - Independent Schools
Independent Schools are not funded for the Managed Network - Internet service by the Ministry of Education. Accordingly:
- each Independent School’s Charges for their N4L-provided Internet Connection are as specified in its Order Form (a document titled “Managed Network Contract for Independent Schools”)
- MAC Charges are payable in accordance with clause 1.2.15 (MAC Charges).
Local Fibre Company Terms
Some Managed Network - Internet services are delivered over the Government’s ultra-fast broadband (UFB) initiative. The UFB network is provided by Local Fibre Companies (LFCs). A list of LFCs may be found at https://www.crowninfrastructure.govt.nz/ufb/who/.
Each LFC has LFC “End User Terms” relating to the supply, installation, ownership and use of the line (and any associated equipment and infrastructure) (the LFC End User Terms). You agree to comply with the LFC End User Terms of any LFC connected to your premises. LFC End User Terms are generally available on the website of your LFC. If that is not the case, then you should ask your LFC to provide you with a copy or a link to its End User Terms.
Safeguarding the Managed Network - Internet
So that our Services to you and other Customers are not disrupted, it is important that you help safeguard the service. It is your responsibility to take all reasonable:
- security precautions to protect the service including our Equipment at your premises;
- ensure you do not introduce any faults, viruses or other Disabling Code (and the like) into the service; and
- prevent interference with, or damage to, the service and our Equipment at your premises.
MAC Charges
Where MACs are payable, they will be invoiced in arrears, at the following rates:
Charge Amount Charge Description Onsite MAC POA Case by Case basis
Complex MAC requests normally require detailed investigation or design work to implementation
Simple MAC $150 Simple change that can be completed in less than 30 minutes 8:30am - 5.00pm local business days
Outside those hours incurs a charge of $380
Complex Remote MAC $220 Simple change that can be completed in less than 60 minutes 8:30am - 5.00pm local business days
Outside those hours incurs a charge of $500
IP Addresses
Depending on the Services you acquire from us, we will arrange for appropriate IP addresses to be allocated to you. Unless we have agreed otherwise with anybody else, all IP addresses allocated to you remain our property. You must not transfer or sell those IP addresses to anyone else. We may change any IP address that we allocated to you. We will always give you as much notice as we reasonably can before making these changes.
Terms relating to the Equipment
Your responsibilities
We remain the owner or licensee of our Equipment. Where our Equipment is at your premises, the Equipment will be at your risk and you will (and, where applicable, you will ensure that Your Users will):
- only use our Equipment for your own lawful business use and for the purposes for which we provide it;
- not change or interfere with our Equipment in any way, unless authorised by us and in accordance with our instructions;
- comply with our reasonable directions and restrictions regarding use of our Equipment;
- comply with any manufacturer’s terms of use for our Equipment;
- make sure nothing or no-one on property or premises under your control interferes with or damages any of our Equipment;
- if requested by us, insure our Equipment against loss or damage by fire, theft or otherwise, with a reputable insurer for its full replacement cost;
- let us know immediately if any of our Equipment is lost, stolen or damaged;
- not sell, dispose of, grant any security interest in or otherwise part with possession of, any of our Equipment; and
- pay our charges for repairing or replacing any of our Equipment which is lost or damaged (however caused) while at your premises, but there is no charge where damage occurs through normal wear and tear.
Our responsibilities
Where we provide Equipment (or any other goods) to you, we give you, except to the extent our Equipment is affected by any failure to meet your responsibilities in clause 1.2.17 above, our Equipment will:
- be safe, durable, substantially free from defects and in good working order;
- be fit for the purposes which we describe in writing and for which we are providing it to you;
- be as we describe in writing or demonstrate to you and will do everything we say in writing it will do; and
- be approved for connection to the Managed Network - Internet service at the time we provide it to you.
If our Equipment does not comply with the requirements set out in clause 1.2.17 above, we will replace or repair the Equipment (at our cost) as soon as reasonably practicable and such replacement or repair will be your sole and exclusive remedy in respect of any failure of the Equipment to comply with such requirements.
We will also:
- ensure that we have the right to provide our Equipment to you and it will be free from any undisclosed security; and
- not interfere with your possession of our Equipment except where both of us agree otherwise.
Risk of loss of Equipment
Each party will be responsible for the risk of loss of, and damage to, any Equipment (as the case may be), software, systems and other materials used in the provision of the Services under this Agreement, in its possession or under its control. Unless otherwise agreed in writing, risk of any loss of, or damage to Services will pass to N4L upon delivery to N4L’s premises, your premises or receipt by N4L.
Title
Where you purchase any Equipment from N4L, all rights, title and interest will pass to you when the Charges for such Equipment have been paid to N4L in full.
Access to your premises
Where required for us to provide our Services to you, you will provide us with reasonable access to your premises. This includes access to install, test, repair and carry out maintenance on our Equipment, and to remove any of our Equipment which is no longer required to provide our Services to you.
1.3. Moves, Adds and Changes (MACs)
N4L will perform, or will enable you to perform, the following MACs:
Managed Network - Internet
Internet Connection
MAC Transaction MAC Type Description Managed Router upgrade / downgrade Onsite MAC Upgrade or downgrade of a Managed Router Access speed upgrade / downgrade Complex Remote MAC Change to the access speed within profiles and within the capability of the Managed Router IP Address
add / remove / change
Complex Remote MAC Changes to IP Addressing IPsec VPN
add / remove / change
Complex Remote MAC Change to a VPN defined within the network VLAN
add / remove / change
Complex Remote MAC Change to a VLAN defined within the network Security zone
add / remove / change
Complex Remote MAC Change to a security zone defined within the network QoS traffic
add / remove / change
Simple MAC Change to the QoS traffic classification Pre-approved Firewall rule
add / remove / change
Simple MAC Change to a pre-approved firewall rule on the Managed Router Customised Firewall rule
add / remove / change
Complex Remote MAC Change to any other firewall rule on the Manager Router DHCP
add / remove / change
Complex Remote MAC Change to the DHCP settings on the Managed Router Relinquish Product Onsite MAC Relinquishment of a Managed Network Service Site to site VPN
add / remove / change
Complex Remote MAC Change to site to site VPN routing for a School Safe and Secure Internet
MAC Transaction MAC Type Description Web Filtering rule change Simple MAC Change to a filter rule within the “Web Filtering” Service Remote Access
MAC Transaction MAC Type Description Remote VPN
add / remove / change
Complex Remote MAC Change remote VPN access for a School Remote access
user add / remove / change
Simple Remote MAC Change remote access for a user
1.4. Cybersecurity Services
The service areas of our Cybersecurity Services are as follows:
-
Support: we will support schools with the following services, regardless of how issues are discovered.
- Cybersecurity Incident Management: we will provide coordination, guidance and management across cybersecurity incidents at your school.
- Vulnerability Management: we will support schools to remediate vulnerabilities and exposed services.
-
Proactive Monitoring and Notification: we will proactively monitor school networks and (by agreement) selected school systems, notifying schools of any issues in the following service areas:
- Cybersecurity Incident Management: we will monitor cybersecurity incidents, including: phishing, business email compromise, unusual remote traffic and active exploits.
- Vulnerability Management: we will monitor for vulnerabilities and exposed services.
-
Cybersecurity Information: we will provide guidance material and vulnerability advisories to help schools improve their cybersecurity posture.
- Reporting: we will provide schools with reporting regarding any issues that are detected via our security operations team
- Advice: we will provide schools with cybersecurity advice, with a specific focus on how it relates to your use of N4L’s Services.
1.5. Product Options
The optional features of Managed Network - Internet are:
Internet Connection
The Internet Connection does not require any other N4L services or features to be enabled in order to operate, though many other features and services are dependent on it to operate.
Prerequisites Description Wholesale Access Service The availability of a Wholesale Access Service which is acceptable to us, to connect you to the service A location to house our Equipment A suitable location for housing our Equipment at your premises, as per the specifications below. Safe & Secure Internet
The Safe & Secure Internet components are foundational to a number of key N4L Services, including our Reporting App and Filtering Portal.
Prerequisites Description Internet Connection Requires our Internet Connection Safe & Secure Internet - Recommended Settings
Prerequisites Description Internet Connection Requires our Internet Connection Safe & Secure Internet Requires Safe & Secure Internet (as described in clause 1.2.5 (Safe & Secure Internet - Recommended Settings)):
Recommended Settings are enabled by default when your School initially joins the N4L Managed Network.
N4L recommends that you do not remove/opt-out of the Recommended Settings as these provide your School with a strong level of protection from identifiable online threats and inappropriate content.
Cybersecurity Services
Prerequisites Description Internet Connection Strongly Recommended - The Proactive Monitoring & Reporting service area will not be available if you don’t use our Internet Connection with Safe & Secure Internet. Safe & Secure Internet Safe & Secure Internet - Recommended Settings Strongly Recommended - These settings form part of the recommendations of the Cybersecurity Services Service Features Description Support Cybersecurity incident support will always be available to you, regardless of whether you are a customer of our Cybersecurity Services. However, the efficacy of this support may be severely limited if you are not a fully-fledged customer of this service. Proactive Monitoring & Reporting In accordance with our Acceptable Use Policy and Privacy Statement, we will proactively monitor the network for Prohibited Use, including Cybersecurity Events. If such an event is discovered, we will generally notify you and depending on the severity, may also notify other agencies and/or the police.
If you wish to reduce the frequency of cybersecurity reporting, N4L can work with you to understand your requirements, though baseline reporting will remain in place.
Cybersecurity Information If you prefer not to receive cybersecurity information from N4L (e.g. in circumstances where you receive a similar service from a 3rd party), we can turn this feature off.
1.6. Additional Information - Recommended Settings
If we identify you have removed the Recommended Settings, we will endeavour to either work with you to correct this or record your decision to opt-out of our Recommended Settings. By opting out of our Recommended Settings you accept that:
- your School (and not N4L) will be solely responsible for managing the safety and security of your N4L-provided Internet Connection
- your School must ensure that it complies with N4L’s Acceptable Use Policy (for example, to ensure that Your Users do not use the Managed Network for any Illegal Uses)
If in future you wish to re-enable our Recommended Settings, N4L will work with you to do so.
Opting-out of Recommended Settings for Safe & Secure Internet
Your school may elect to opt-out of our Recommended Settings by notifying us (please note that we do not recommend this).
If you remove our Recommended Settings, the Safe & Secure Internet feature will continue to operate. However, in doing so you may significantly reduce the effectiveness of your protection against identifiable internet threats and objectionable content, and will still be required to meet our Acceptable Use Policy.
Your school will also automatically be deemed to have opted-out of our Recommended Settings if any of the following components are identified as having been removed:
Web Filtering
- This component is considered to be removed if you allow any of our Default Blocked Categories through a change request or via self-service.
- By removing this component, you acknowledge that:
- we will not be taking any action to stop or warn against access to websites in our Default Blocked Categories, and you are taking full responsibility for determining what level of filtering is appropriate for your school;
- although we won’t filter the Default Blocked Categories, we will retain records of your filtering settings, who requested them, and of websites your users visit, in accordance with our Service Descriptions and Privacy Statement; and
- if you have allowed any of the Default Blocked Categories, the Default Blocked Categories are not automatically reset by N4L at any time and you are solely responsible for updating your filtering settings if changes you have made do not reflect your preferences in the future. However, we may contact you from time to time to understand why you set your filtering settings as you did and whether the settings remain appropriate in light of your preferences and the risks that our Default Blocked Categories are intended to protect against.
Firewall
- This component is considered to be removed if you allow any of our Default Blocked Firewall Rules through a change request or via self-service.
- By removing this component, you acknowledge that:
- you are taking full responsibility for all firewall features and for the external access that any parties have to your LAN, services within that LAN, and to any public facing internet services you operate;
- we will not be able to provide advice on the firewall rules that you establish, nor will we be able to assist with the implementation of those rules; and,
- we will not be taking any action to stop traffic flowing either to or from your Managed Router; you are responsible for all the effects that traffic has on both your internal LAN, our Managed Network, and the networks of any other sites connected to our Managed Network that are impacted by any inappropriate traffic originating from your network, such as but not limited to malware, viruses Trojans or other Disabling Code.
DNS Threat Protection
- This component is considered to be removed if we identify that this service is not in use, or has been removed at your request.
- By removing this component, you acknowledge that we will not be taking any action to stop or warn against DNS resolution requests to access online security threats via the Internet Connection, including but not limited to malware sites and botnet command and control servers.
RECOMMENDED SETTINGS FOR SAFE & SECURE INTERNET
Each school acknowledges that it will automatically be deemed to have removed our Recommended Settings if any of the components outlined above are identified as having been removed.
If you remove our Recommended Settings for Safe & Secure Internet, your school will be solely responsible for managing the safety and security of your Internet Connection and for ensuring that your School and Your Users comply with N4L’s Acceptable Use Policy
1.7. Additional Safety & Security Solutions
Mail Relay
Provides a basic SPAM and AV scanning service over SMTP for email from on-site mail servers, providing:
- outbound SPAM and AV/Malware filtering
- the ability to send bulk emails from school email servers.
Mail Relay is not enabled by default.
Remote Access
This lets specific users remotely connect to your LAN and any services hosted by you. Examples of users who may benefit from remote access include teachers, administration staff, and Third Party support providers.
Remote Access is not enabled by default.