...

  • Use secure non-default passwords.
  • Be protected by a stateful network firewall that accepts connections from non-NCSA hosts only on port 22.
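The following is an added example, not part of this policy page, that models the "stateful network firewall" requirement above so the stateful part is concrete: a new connection from outside NCSA address space is accepted only on TCP/22, the return half of a tracked connection is accepted without a rule of its own, and an unsolicited packet that does not open a connection is dropped. The NCSA prefix, the protected subnet and the packets are constructed for the example and are not real NCSA ranges; the treatment of NCSA-internal sources and of outbound connections is an assumption the policy text does not state.

```python
"""Minimal connection-tracking model of the zone firewall rule (added example)."""

import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for "NCSA address space"; not a real NCSA prefix.
NCSA_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Ports on which a non-NCSA host may open a new connection (the policy names only 22).
EXTERNAL_NEW_PORTS = {22}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the first packet of a new TCP connection


def is_ncsa(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NCSA_NETS)


@dataclass
class StatefulFirewall:
    protected: ipaddress.IPv4Network
    # Connection-tracking table keyed by the forward 4-tuple of accepted connections.
    conntrack: set = field(default_factory=set)

    def decide(self, p: Packet) -> tuple:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # 1. Any packet of a tracked connection, in either direction, passes.
        if fwd in self.conntrack or rev in self.conntrack:
            return ("ACCEPT", "established")
        # 2. Unsolicited packets that do not start a connection are dropped; this is
        #    what a stateless port ACL would miss (bare ACK/FIN probes to port 22).
        if not p.syn:
            return ("DROP", "no state")
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if dst in self.protected:
            if not is_ncsa(p.src) and p.dport not in EXTERNAL_NEW_PORTS:
                return ("DROP", "non-NCSA source, port not 22")
            # Assumed for the example: NCSA-internal sources may reach any port.
            self.conntrack.add(fwd)
            return ("ACCEPT", "new inbound")
        if src in self.protected:
            # Assumed for the example: protected hosts may initiate outbound connections.
            self.conntrack.add(fwd)
            return ("ACCEPT", "new outbound")
        return ("DROP", "not for this zone")


def make_firewall(cidr: str) -> StatefulFirewall:
    """Build a firewall protecting the constructed zone subnet `cidr`."""
    return StatefulFirewall(ipaddress.ip_network(cidr))


def run(fw: StatefulFirewall, packets) -> list:
    """Evaluate packets in order, carrying connection state between them."""
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    fw = make_firewall("10.10.5.0/24")
    flows = [
        Packet("203.0.113.7", 40000, "10.10.5.10", 22, syn=True),  # external SSH: accepted
        Packet("10.10.5.10", 22, "203.0.113.7", 40000),            # its reply: established
        Packet("203.0.113.7", 40001, "10.10.5.10", 80, syn=True),  # external HTTP: dropped
        Packet("203.0.113.7", 40002, "10.10.5.10", 22),            # ACK without state: dropped
    ]
    for pkt, verdict in zip(flows, run(fw, flows)):
        print(verdict, pkt)
```

The two DROP cases are the ones worth checking against a real ruleset: the policy wording "only port 22" is satisfied by a stateless ACL for the HTTP case, but only a stateful rule (e.g. an established/related match before the port rule) also rejects the bare-ACK probe to port 22.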

...

NCSA Office & Wireless Zone

Definition:

This zone includes all of the office and wireless networks that assign NCSA IP addresses. This includes offices in the NCSA building, NPCF and at least one wireless network, but does not include most Raised Access Floor (RAF) space.

...

  • Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
    • The default network type is firewalled, though users can opt out.
    • Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
    • Re-registration is required annually.
  • Do not bridge networks without approval from Networking & Security.
  • Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled subnet.

Requirements for NCSA wireless networks:

...

  • Enterprise WPA2 wireless protection will be used.
  • NCSA wireless networks are not for guest use; guests should instead use a CITES-provided wireless network.
  • These networks authenticate and authorize against the NCSA LDAP service.
  • Only the NCSA and/or CITES network teams can configure access points and networking hardware for the wireless network -- there will be no rogue or unapproved wireless networks.
  • The security team must have the ability to quickly map wireless IPs and timestamps to users for at least 90 days.
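The last requirement above is an audit capability rather than a configuration, so here is an added example (not code from this page or from NCSA) of what answering it looks like: pair session start/stop accounting records by session id, resolve an IP address plus timestamp to the authenticated user, and check that the retained history actually reaches back the required 90 days. The log format, usernames, addresses and timestamps are constructed for the example; a real deployment would read RADIUS accounting or DHCP lease records in whatever format the access points and servers emit.

```python
"""Resolve wireless IP + timestamp to a user from constructed accounting records (added example)."""

import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed accounting records: one line per session start/stop event.
SAMPLE_LOG = """\
2024-02-20T09:00:00Z start user=carol ip=10.20.0.40 session=s3
2024-02-20T10:00:00Z stop user=carol ip=10.20.0.40 session=s3
2024-03-01T08:00:00Z start user=alice ip=10.20.0.15 session=s1
2024-03-01T12:00:00Z stop user=alice ip=10.20.0.15 session=s1
2024-03-01T12:30:00Z start user=bob ip=10.20.0.15 session=s2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>start|stop) user=(?P<user>\S+) ip=(?P<ip>\S+) session=(?P<sid>\S+)$"
)


def parse_ts(s: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on newer Pythons, so normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


class Session:
    __slots__ = ("user", "ip", "start", "stop")

    def __init__(self, user: str, ip: str, start: datetime):
        self.user, self.ip, self.start, self.stop = user, ip, start, None


def parse_sessions(text: str) -> list:
    """Pair start/stop events by session id; a session with no stop is still active."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated log lines
        ts = parse_ts(m["ts"])
        if m["event"] == "start":
            sessions[m["sid"]] = Session(m["user"], m["ip"], ts)
        elif m["sid"] in sessions:
            sessions[m["sid"]].stop = ts
    return list(sessions.values())


def who_had_ip(sessions, ip: str, at: str) -> Optional[str]:
    """Return the user holding `ip` at instant `at`, or None if no session covers it.
    Start is inclusive and stop is exclusive, so a DHCP-reused address never maps
    to two users at the same instant."""
    t = parse_ts(at)
    for s in sessions:
        if s.ip == ip and s.start <= t and (s.stop is None or t < s.stop):
            return s.user
    return None


def retention_covers(sessions, now: str, days: int = 90) -> bool:
    """True if the oldest retained record is at least `days` old, i.e. the lookup
    above can be answered for the whole window the policy requires."""
    if not sessions:
        return False
    oldest = min(s.start for s in sessions)
    return oldest <= parse_ts(now) - timedelta(days=days)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print(who_had_ip(sess, "10.20.0.15", "2024-03-01T10:00:00Z"))  # alice
    print(who_had_ip(sess, "10.20.0.15", "2024-03-01T15:00:00Z"))  # bob (session still open)
    print(retention_covers(sess, "2024-03-02T00:00:00Z"))          # False: only 11 days of history
```

The retention check is the part most often missing from a deployment: the lookup can succeed for last week's incident and still fail the policy if the accounting log is rotated away before 90 days, and the exclusive stop boundary matters whenever DHCP hands the same address to the next user.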

Zone 3b: NPCF Offices

Definition

The NPCF building houses several offices whose traffic should be handled separately from that of the main datacenter zone. Command Center systems that are not dedicated CnC systems for Zone 1 machines, i.e., networked only to internal subnets, will be treated as members of Zone 3b.

Security Requirements

NPCF Office systems share the same security requirements as NCSA Building systems (Zone 3a) but are a separate sub-zone because they will be physically monitored at separate points.

Zone 4a: Wireless

Definition

NCSA Wireless connectivity is available in all of our buildings (ACB, NCSA & NPCF). For campus wireless networks, all traffic is tunneled outside the NCSA and treated as external traffic. For this reason, they do not fall under any NCSA zone and are not explicitly addressed.

There are both NCSA and University provided wireless networks in the NCSA and the NPCF buildings. These wireless networks are split into multiple logical zones. These networks all have different authentication mechanisms, rules about guest accounts and may or may not utilize link-level encryption. The security requirement for NCSA wireless networks (those that are managed by NCSA or provide NCSA IP addresses) is simply that an adversary gains no additional benefit by physically locating themselves within wireless range of NCSA facilities. For example, by using the strong encryption and authentication technologies of WPA2 or VPNs, it can be reasonably assumed that an attacker already needs a valid Kerberos credential which would give them access to this zone through the VPN anyway.

It is strongly suggested that the UIUC-Guest network be made available in NCSA and NPCF for the use of the majority of visitors and guests. It is also strongly desired that we deprecate the NCSA-Portal network as it potentially gives adversaries additional advantages of proximity.

Types of Systems:

Generally, these systems will be laptops, tablets, and/or smart phones owned by NCSA employees or guests.

Security Requirements:

Guest laptops are likely candidates for victimization by malicious network traffic, email/web client attacks or viruses. Therefore, the preferred way for guests to obtain Internet access is through eduroam or UIUC Public Wifi (where available), or by getting a guest account on UIUCNet, which has good coverage all over campus. These networks are run by CITES and their traffic is tunneled outside the NCSA network. Therefore, guest systems are not logically part of the NCSA network and are treated as external Internet traffic.

Requirements that apply to ALL wireless networks in NCSA buildings (whether operated by NCSA or CITES) are:

  • wireless networks in NCSA buildings must not give an adversary without NCSA authentication credentials an advantage over simply attacking from the Internet;
  • only the NCSA and/or CITES network teams can configure access points and networking hardware for the wireless network -- there will be no rogue or unapproved wireless networks;
  • the Security Team will regularly audit/scan for rogue access points; and
  • use and configuration of the wireless networks must be compliant with all relevant NCSA and University policies.

Zone 4b: VPN

Definition

NCSA offers a VPN service for employees working remotely.

  • Like the default office subnets, the primary wireless network is firewalled at the NCSA border.

...

VPN Zone

Definition

NCSA offers VPN services with different authentication profiles. These can be used as more flexible bastions in conjunction with firewall rules, to access privately addressed subnets, or to reach other services that might be blocked at the border (e.g., mounting filesystems).

Security Requirements

Systems connected to the NCSA VPN networks are treated as external systems; their traffic is monitored unencrypted on the NCSA internal side of the VPN tunnel.

Zone 5: Blue Waters Management VLANs

Sanitized from this copy

Zone 6: Blue Waters Service VLANs

Sanitized from this copy

...

the VPN with the network IDS. Authentication to the VPN requires the use of valid and authorized NCSA credentials.

...

Physical Security Zone

Definition:

This is an isolated island zone used only for the NPCF physical security systems.

Types of Systems:

All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, the badge readers, the iris scanners, the ACMS workstations (for badging, control and enrollment), and the ACMS database server.

Security Requirements:

  • Devices on this network are on their own physical network, but they are bridged together as private VLANs on shared routers and switches;
  • This VLAN is completely private and does not allow access to or from the outside world, except for occasional VPN access into this zone that is provided to allow the physical security contractors (ITG) to perform maintenance. This VPN access is turned off unless maintenance is being performed; and
  • VPN access is also restricted to a small number of remote IP addresses and requires strong authentication.

It should be noted that there will hopefully be a way for alerts to be passed out of this network in the future, but this connection should be unidirectional.

Zone: Island / PSP (Private Sector Program)

Definition:

This defines a type of zone rather than a specific zone itself. An Island zone has its own, unmonitored external bandwidth, either provided by a third party or too large to be monitored by the border NIDS. The island may have an additional, smaller bandwidth connection directly into NPCF zones that will be monitored with the NIDS and treated as external traffic. This includes site-to-site VPN traffic traversing NCSA's external links. This traffic must not be routed inside the NCSA network without also being monitored by a NIDS, and it will be trusted no more than other Internet traffic.

Types of Systems:

These are systems (typically servers) for special projects or private sector partners that bring in their own systems to physically reside in NPCF, but that also require their own external connectivity. Other large systems that have their own pipes, but do not wish to pay for monitoring, can opt for an island zone.

Security Requirements:

  • Systems in this zone can neither connect to other networks nor be connected to from them, except for an ACMS workstation that must connect with iCard systems elsewhere on campus.
  • The ACMS workstation can only be connected to via RDP from a single remote workstation run by Facilities & Services for troubleshooting and support.
  • All other connections, even if temporary for support, must be approved by the Security Office.

...

Island Zones

Definition:

Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally with NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), because it is actually an external network extruding into our physical infrastructure, or because external requirements or regulations require extra isolation.

Security Requirements:

  • Connections to other NCSA hosts are not allowed unless the traffic exits and enters again through the monitored border, where it is treated as external traffic.
    • Limited exceptions that whitelist direct access to key NCSA services, such as DNS, can be approved by the Security Office and documented as an exception.
  • Systems in an island zone are treated as external from a security perspective. They may not benefit from any of the security services or monitoring normally provided.
  • These zones have their own outside connectivity (preferably non-NCSA IPs), and no direct connection to our network. For the purposes of security monitoring they are treated as external systems;
  • If the owners/administrators of systems on this network require security monitoring beyond that provided if/when traffic from these systems crosses into an NCSA network, that monitoring must be coordinated with the Security Team and any additional costs of that monitoring borne by the owners/administrators of the systems.