Introduction

NCSA logically divides its network into several different trust zones. Traffic between these zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Therefore, systems within a single zone must be trusted and hence hardened to a similar level.

...

• Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
  
  • Inform Security if the list of services changes.
• Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
• Forward system logs to the security team's log collector.
• Utilize non-local accounts for remote access unless otherwise approved.
• Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
• Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxy is prohibited without expressed permission from Security & Networking.

...

• For production systems, use two-factor authentication for administrative remote access, or request an exemption from Security.
• Disable routing, traffic forwarding, bridging between subnets and other forms of internetwork traffic proxy through the host unless approved by Security & Networking.
• For production hosts, forward system logs to the NSCA syslog collector.

...