Document Name: NCSA Network Security Policy
Introduction
NCSA logically divides its network into several trust zones. Traffic between zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Systems in the same zone therefore implicitly trust one another, and each of them must be hardened to a similar level, since the weakest host in a zone sets the security level of the whole zone.
...
- Disable any unnecessary services and accounts, and enforce the reduced service set with a host-based firewall where possible.
- Inform Security if the list of services changes.
- Enable host-based brute-force mitigations, using the security team's host-based IDS where possible.
- Forward system logs to the security team's log collector.
- Use non-local accounts for remote access unless otherwise approved.
- Require two-factor bastions, jump hosts or VPNs for access to administrative interfaces.
- Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxying through the host are prohibited without express permission from Security & Networking.
...
- For production systems, use two-factor authentication for administrative remote access, or request an exemption from Security.
- Disable routing, traffic forwarding, bridging between subnets and other forms of internetwork traffic proxy through the host unless approved by Security & Networking.
- For production hosts, forward system logs to the NCSA syslog collector.
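Two of the requirements above, "disable unnecessary services" and "no routing, forwarding or bridging through the host", can be verified on the host itself. The following POSIX sh self-check is an added example written for this page; it is not a tool that the NCSA policy provides or references. It assumes a Linux host (forwarding knobs under /proc/sys, listener inventory from iproute2 `ss`); the function names, the `--run` flag, the `ALLOWED_LISTENERS` variable and the sysctl-root parameter are assumptions of the example, not something the policy prescribes.

```shell
#!/bin/sh
# Added example, not part of the NCSA Network Security Policy: host self-check
# for "disable unnecessary services" and "no forwarding/bridging through the
# host". Assumes a Linux host with /proc/sys and iproute2 `ss`.

# forwarding_disabled [SYSCTL_ROOT]
# Succeeds (returns 0) only if every kernel forwarding knob reads 0.
# SYSCTL_ROOT defaults to /proc/sys; it is a parameter (an assumption of this
# example) so the check can be pointed at a constructed directory tree.
forwarding_disabled() {
  root="${1:-/proc/sys}"
  rc=0
  for knob in net/ipv4/ip_forward net/ipv4/conf/all/forwarding \
              net/ipv6/conf/all/forwarding; do
    f="$root/$knob"
    [ -r "$f" ] || continue          # knob absent (e.g. IPv6 disabled): skip
    v=$(cat "$f")
    if [ "$v" != "0" ]; then
      echo "FAIL: $knob=$v (must be 0 unless approved by Security & Networking)" >&2
      rc=1
    fi
  done
  return $rc
}

# unexpected_listeners ALLOWLIST
# Reads "ss -Hlntu"-style lines on stdin (proto state recv-q send-q local peer
# ...) and prints every listening socket whose proto/port is not in ALLOWLIST,
# a space-separated list such as "tcp/22 udp/123". Returns 1 if any were found,
# i.e. the host exposes a service that is not on its approved list.
unexpected_listeners() {
  allow=" $1 "
  rc=0
  while read -r proto _state _rq _sq laddr _rest; do
    [ -n "$proto" ] || continue      # skip blank lines
    port="${laddr##*:}"              # works for 0.0.0.0:22, [::]:22 and *:22
    case "$allow" in
      *" $proto/$port "*) ;;          # approved service
      *) echo "UNEXPECTED: $proto/$port listening on $laddr"; rc=1 ;;
    esac
  done
  return $rc
}

# Live use on a host:  sh hostcheck.sh --run
# ALLOWED_LISTENERS (assumed name) overrides the default allowlist of tcp/22.
if [ "${1:-}" = "--run" ]; then
  status=0
  forwarding_disabled || status=1
  ss -Hlntu 2>/dev/null | unexpected_listeners "${ALLOWED_LISTENERS:-tcp/22}" || status=1
  exit $status
fi
```

A non-zero exit from `--run` means the host either has a forwarding knob enabled or is listening on a port that is not on its approved service list; both are exactly the deviations the policy says must be approved by (or reported to) Security, so the script is a convenient thing to run before a host is placed in a zone and again whenever its service list changes. The forwarding check only covers the kernel sysctls; a userspace proxy or a bridge interface would still show up under the listener check or in `ip link`, and this script does not try to enumerate those.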
...