
...

Systems requiring high availability, physical security and high performance networking are hosted here. This includes not just supercomputers, but core storage, security, networking equipment, and more. These systems are first built in a firewalled subzone until fully vetted by the security team, which is responsible for regular auditing of systems against the security requirements below.

...

Informational Requirements:

  • Maintain and enforce a list of authorized administrators, and keep records up-to-date so that Security can quickly determine responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
  • Provide Security with accounts on the system or a way to quickly get access 24/7 for emergencies.
  • Notify Security of any sensitive, confidential or regulated data expected to be on the system.
  • An accepted vulnerability and patch management plan must be in place.

Host Configuration Requirements:

  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
    • Inform Security if the list of services changes.
  • Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Utilize non-local accounts for remote access unless otherwise approved.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxy are prohibited without express permission from Security & Networking.
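As an added illustration (not part of the NCSA policy text), a check a system owner or the security team could run to detect drift between the services a host actually exposes and the list declared to Security; the `ss -Hltn` output and the declared port list are constructed assumptions:

```python
"""Compare a host's network-reachable listeners with the service list it
declared to Security and report drift in either direction.
Added example; the ss output and DECLARED_PORTS below are constructed."""

# Constructed `ss -Hltn` output (no header):
#   State Recv-Q Send-Q Local:Port Peer:Port
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 511 *:8443 *:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
"""

# Hypothetical service list the system owner registered with Security.
DECLARED_PORTS = {22, 80, 443}


def _split_addr(local):
    """Split 'host:port' (IPv4, [IPv6] or *) into (host, int port)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposed_ports(ss_text=SS_OUTPUT):
    """Ports bound to a non-loopback address. Loopback-only listeners are
    not reachable from the network, so they are not part of the declared list."""
    ports = set()
    for line in ss_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = _split_addr(fields[3])
        if host in ("127.0.0.1", "[::1]") or host.startswith("127."):
            continue
        ports.add(port)
    return ports


def service_drift(declared=DECLARED_PORTS, ss_text=SS_OUTPUT):
    """Return (undeclared, missing): listeners Security was not told about,
    and declared services no longer listening. Either is a change to report."""
    actual = exposed_ports(ss_text)
    return sorted(actual - declared), sorted(declared - actual)


if __name__ == "__main__":
    undeclared, missing = service_drift()
    print("undeclared listeners:", undeclared, "| declared but absent:", missing)
```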

Network Monitoring:

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected.

...

While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.

...

Host Configuration Requirements:

These systems must:

  • Use secure, non-default passwords.
  • Be protected by a stateful, network firewall that only accepts connections for approved, secure remote access services.

...

This zone is for servers supporting R&D projects and internal services at NCSA. The ITS director determines which systems are placed in this zone based on space, power, cooling and usage considerations together with ADS and Security. Systems in this zone do not have the same 24/7 level of service, uptime requirements, network bandwidth and security services available to them as those in the HPDC zone.

...

Servers, whether supporting internal NCSA services or NCSA projects and their customers, are important, and their compromise can have a significant effect on NCSA productivity and reputation. Whether or not they are considered production servers, the impact can be significant if the data on the systems is exposed, given privacy considerations, regulatory and legal requirements, or confidentiality agreements. Therefore, a certain level of accountability is required of all these systems.

Informational Requirements:

Systems or their administrators must:

  • Label systems in the rack and keep labels up-to-date.
  • Maintain and provide the security team with:
    • accounts on the system or a way to quickly get access 24/7 for emergencies
    • purpose of the system and notification of any high risk or confidential data (as defined by UIUC policy).
    • a list of authorized administrators and a responsible full-time NCSA staff person
    • a list of necessary services/ports open
    • a plan for vulnerability and patch management

The information initially provided to the security team must be kept up-to-date: system owners will need to reconfirm it annually, and any change that introduces high risk or confidential data must be reported to Security as soon as possible.

Host Configuration Requirements:

Systems or their administrators must:

  • Use two-factor authentication for administrative access or escalation, or request an exemption from Security.
  • Disable routing, traffic forwarding, bridging between subnets and other forms of internetwork traffic proxy through the host unless approved by Security & Networking.

Additional Configuration Recommendations:

Systems or their administrators should:

...

This zone supports a variety of systems including desktops, laptops, portable devices and research systems. This zone is the most flexible and has the fewest security controls. While firewalled subnets are encouraged by default, the policies that apply broadly to every host are campus and NCSA employee security policies and a requirement to register hosts using an NCSA ID before accessing the network.

...

Informational & Procedural Requirements:

Systems in this zone must:

  • Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • Be registered with an NCSA ID to receive an IP address and, if the contact differs from the NCSA ID holder, give a point-of-contact for Security.
    • The default network type is firewalled, though users can opt out.
    • Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
    • Reregistration is required annually.
  • Do not bridge subnets without approval from Networking & Security.
  • Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled network.

...

Host Configuration Requirements:

  • Systems must not bridge or create new NCSA subnets (wired or wireless) without approval from Networking & Security.

Network Configuration Requirements for NCSA wireless networks:

The NCSA wireless networks (those giving public NCSA IP addresses) must not give an adversary any advantage beyond what NCSA authentication credentials already provide, since anyone holding those credentials could act from anywhere with VPN access.

  • Cryptographic and security configurations will be consistent with UIUC policies and standards of practice.
  • NCSA wireless networks are not for guest use, but instead guests should use a CITES provided wireless network.
  • These networks authenticate and authorize against the NCSA LDAP service and are not used for guest access.
  • Only the NCSA and/or CITES networking teams have the ability and authority to configure access points and networking hardware for the wireless networks in NCSA buildings; there will be no rogue or unapproved wireless networks.
  • The security team must have the ability to readily map wireless IPs and timestamps to users for at least 90 days.
  • Like the default office subnets, the primary wireless network is firewalled or equivalently controlled so that servers on it are not reachable from outside the NCSA IP space.
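As an added illustration of the attribution requirement above (example code, not part of the NCSA policy or its tooling), the following joins RADIUS accounting records (user to client MAC) with DHCP leases (MAC to IP) to resolve a wireless IP plus timestamp to a user, and checks that the retained history actually spans 90 days; both log formats and all sample values are constructed assumptions:

```python
"""Map a wireless IP address and timestamp back to a user by joining RADIUS
accounting (user <-> client MAC) with DHCP leases (MAC <-> IP).
Added example; the comma-separated log formats below are constructed, not
NCSA's real ones. All timestamps are naive ISO-8601 and assumed UTC."""
from datetime import datetime, timedelta

# Constructed RADIUS accounting: start,stop,user,mac
RADIUS_ACCT = """\
2024-03-01T08:00:00,2024-03-01T12:00:00,alice,aa:bb:cc:00:00:01
2024-03-01T12:30:00,2024-03-01T17:00:00,bob,aa:bb:cc:00:00:02
"""
# Constructed DHCP leases: start,stop,mac,ip (192.0.2.0/24 is a documentation range)
# The same IP is handed to alice's and then bob's device, so only a timestamp
# plus both logs together identify the right user.
DHCP_LEASES = """\
2024-03-01T08:00:05,2024-03-01T10:00:05,aa:bb:cc:00:00:01,192.0.2.10
2024-03-01T10:00:05,2024-03-01T12:00:05,aa:bb:cc:00:00:01,192.0.2.10
2024-03-01T12:30:10,2024-03-01T17:00:10,aa:bb:cc:00:00:02,192.0.2.10
"""


def _parse(text, key_idx, val_idx):
    """Rows of (start, stop, key, value) from comma-separated log lines."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split(",")
        rows.append((datetime.fromisoformat(f[0]), datetime.fromisoformat(f[1]),
                     f[key_idx], f[val_idx]))
    return rows


def _lookup(rows, key, when):
    """Value of the row for `key` whose [start, stop] interval covers `when`."""
    for start, stop, k, v in rows:
        if k == key and start <= when <= stop:
            return v
    return None


def attribute(ip, when, dhcp=DHCP_LEASES, radius=RADIUS_ACCT):
    """Resolve (ip, ISO timestamp) -> username, or None if no lease/session covers it."""
    ts = datetime.fromisoformat(when)
    mac = _lookup(_parse(dhcp, 3, 2), ip, ts)        # key=ip, value=mac
    if mac is None:
        return None
    return _lookup(_parse(radius, 3, 2), mac, ts)    # key=mac, value=user


def retention_ok(now=None, days=90, radius=RADIUS_ACCT, dhcp=DHCP_LEASES):
    """True when the oldest record in both logs is at least `days` old, i.e.
    the lookback the policy requires is actually available."""
    now = datetime.fromisoformat(now) if now else datetime.now()
    oldest = min(r[0] for r in _parse(radius, 2, 3) + _parse(dhcp, 2, 3))
    return now - oldest >= timedelta(days=days)
```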

...

VPN Zone

Definition

NCSA offers VPN services with different authentication profiles. These can be used as more flexible bastions in conjunction with firewall rules, to access privately addressed subnets, or to reach other services that might be blocked at the border (e.g., mounting filesystems).

...

All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, badge readers, iris scanners, ACMS workstations (for badging, control and enrollment), and the ACMS database server.

...

Host Configuration Requirements:

  • Devices on this network can neither connect to other networks nor be connected to from them, except for a single ACMS workstation that must connect with iCard systems elsewhere on campus.
    • This ACMS workstation can only be connected to via RDP from a single remote workstation run by Facilities & Services for troubleshooting and support.
  • All other remote connections, even if temporary for support, must be approved by the Security Office.

...

Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally with NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), because it is actually an external network extending into our physical infrastructure, or because external requirements or regulations call for extra isolation.

...

Network Configuration Requirements:

  • Connections to other NCSA hosts are not allowed except by exiting and re-entering the NCSA network.
    • Security can approve limited exceptions to whitelist direct access to key NCSA services, such as DNS, and these exceptions will be documented.
  • Systems in an isolated zone are treated as external from a security perspective. As such, they may not benefit from any of the security services or monitoring normally provided.