Versions Compared

...

Document Name: NCSA Network Security Policy
Version: 3.13
Accountable: James Eyrich (previous version: Alex Withers)
Authors: Adam Slagell, Mike Dopheide, Douglas Fein (previous version: Adam Slagell & Mike Dopheide)

Reviewed: Dec 8, 2023 (previous version: June 23, 2021)
Approved: Dec 14, 2023 by IIB (previous version: March 11, 2016)


Table of Contents

Introduction

...

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected. Brute-force login attempts are automatically detected and the actor is blocked from NCSA networks.
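The automatic brute-force detection the policy describes can be implemented as a per-source sliding-window counter over authentication logs. The following is an added example written for this page, not NCSA's own detection code: it assumes sshd-style log lines (constructed sample data below), a threshold of five failures within sixty seconds, and that a flagged source is then blocked at the border so that its later attempts never reach the host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style authentication log lines (sample data, not from any NCSA host).
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-01-15T10:00:04 sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-01-15T10:00:07 sshd[103]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-01-15T10:00:09 sshd[104]: Accepted password for alice from 192.0.2.5 port 40000 ssh2
2024-01-15T10:00:11 sshd[105]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-01-15T10:00:14 sshd[106]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
2024-01-15T10:00:20 sshd[107]: Failed password for bob from 198.51.100.9 port 42000 ssh2
2024-01-15T10:05:30 sshd[108]: Failed password for bob from 198.51.100.9 port 42001 ssh2
2024-01-15T10:11:00 sshd[109]: Failed password for bob from 198.51.100.9 port 42002 ssh2
"""

# Assumed log format: "<iso timestamp> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window failure counter per source IP.

    Returns {ip: timestamp of the failure that crossed the threshold}. Once an
    IP is flagged its later lines are ignored, mirroring a border block that
    stops further attempts from reaching the host.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        ts, result, _user, ip = parsed
        if ip in blocked or result != "Failed":
            continue  # already blocked, or a successful login (not counted)
        q = failures[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def sample_blocks(threshold=5, window_seconds=60):
    """Run the detector over the constructed sample, reporting ISO timestamps."""
    found = detect_bruteforce(SAMPLE_LOG.splitlines(), threshold, window_seconds)
    return {ip: ts.isoformat() for ip, ts in found.items()}


if __name__ == "__main__":
    for ip, when in sample_blocks().items():
        print(f"block {ip} (threshold crossed at {when})")
```

With the default settings only 203.0.113.7 is flagged; 198.51.100.9 fails three times but minutes apart, so its failures age out of the window before they accumulate. Widening the window and lowering the threshold catches that slower pattern too, which is the usual tuning trade-off between catching low-and-slow guessing and blocking a user who simply mistyped a password.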

Installation Subzone

While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.

Host Configuration Requirements:

These systems must:

  • Use secure, non-default passwords.
  • Be protected by a stateful, network firewall that only accepts connections for approved, secure remote access services.

...

Advanced Computational Health Enclave

...

  • The authorized set of administrators must all be workforce members of the NCSA Staff with ACHE Access, and this group's access must be automated by a process approved by the Lead of Trust, Compliance and Risk Management (formerly the NCSA CISO).
    • The security operations team is part of this group and must be able to access systems 24/7 in an emergency.
  • It is assumed that CUI, which is high risk data, is on these systems. These are not dual-use systems but are only for work related to research involving CUI. The Lead of Trust, Compliance and Risk Management must be informed of any data from new sources on these systems, especially when personally identifying information is recorded.
  • Approved (by the Lead for Trust, Compliance and Risk Management) vulnerability and patch management procedures must be in place.
  • Approved (by the Lead for Trust, Compliance and Risk Management) change control procedures must be implemented and documented.
  • Local and privileged account passwords are managed with the NCSA-provided, two-factor password management solution.

...

  • Cryptographic and security configurations will be consistent with UIUC policies and standards of practice.
  • These networks authenticate and authorize against the NCSA LDAP service, and are not used for guest access.
  • Like the default office subnets, the primary wireless network is firewalled or equivalently controlled so that it does not allow servers to be reached from outside the NCSA IP space.
  • The security team must have the ability to readily map wireless IPs and timestamps to users for at least 90 days.
  • Only the NCSA and/or UIUC Tech Services networking teams have the ability and authority to configure access points and networking hardware for the wireless networks in NCSA buildings.
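The requirement to map a wireless IP and timestamp back to a user is only meaningful if the lookup is keyed on time, because DHCP addresses are reused. The following is an added example written for this page, not NCSA's own tooling: it assumes lease records that already join the DHCP lease to the authenticated identity (constructed sample data below), and shows both the time-bounded lookup and a retention rule that never expires a record still inside the 90-day window the policy requires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    user: str        # identity from the wireless authentication, joined to the DHCP lease
    start: datetime  # lease issued
    end: datetime    # lease expired or released


# Constructed sample records (not real NCSA data). 10.20.0.15 is handed to a
# second user later the same day, which is why the timestamp matters.
LEASES = [
    Lease("10.20.0.15", "alice", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 17, 0)),
    Lease("10.20.0.15", "bob", datetime(2024, 3, 1, 18, 30), datetime(2024, 3, 2, 1, 0)),
    Lease("10.20.0.42", "carol", datetime(2024, 1, 5, 8, 0), datetime(2024, 1, 5, 12, 0)),
]


def _dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def lookup_user(leases, ip, at):
    """Return the user who held `ip` at time `at`, or None if no lease covers it.

    Two leases covering the same IP at the same instant mean the join between
    DHCP and authentication logs is broken, so that is reported as an error
    rather than silently picking one.
    """
    at = _dt(at)
    hits = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    if len(hits) > 1:
        raise ValueError(
            f"overlapping leases for {ip} at {at.isoformat()}: {sorted(l.user for l in hits)}"
        )
    return hits[0].user if hits else None


def prune_for_retention(leases, now, min_days=90):
    """Split leases into (kept, expirable).

    A record may only be expired once its lease ended more than `min_days`
    before `now`; anything newer is still inside the mandatory retention window.
    """
    cutoff = _dt(now) - timedelta(days=min_days)
    kept = [l for l in leases if l.end >= cutoff]
    expirable = [l for l in leases if l.end < cutoff]
    return kept, expirable


def users_prunable(leases, now, min_days=90):
    """Names of users whose lease records have left the retention window."""
    return sorted(l.user for l in prune_for_retention(leases, now, min_days)[1])


if __name__ == "__main__":
    print(lookup_user(LEASES, "10.20.0.15", "2024-03-01T10:00:00"))  # alice
    print(lookup_user(LEASES, "10.20.0.15", "2024-03-01T19:00:00"))  # bob
    print(users_prunable(LEASES, "2024-04-10T00:00:00"))             # ['carol']
```

The retention check is deliberately keyed on lease end rather than lease start: a long-lived lease that began before the cutoff but was still active inside the window is evidence the team may still need.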

...

NCSA Radiant User Zone

Definition:

This zone includes all of the virtual hosts running within the Radiant subnet. This includes all hosted environments, even those supported by NCSA administrators for testing or operations.

Types of Systems:

This zone supports a variety of systems, including user-owned VMs and user-created servers and hosts.

Network Monitoring:

All links in and out of this zone are monitored by the NIDS. Network traffic entirely within this zone is unmonitored by the NIDS.

Informational & Procedural Requirements:

  • System owners must follow all campus and NCSA policies regarding software updating, virus scanning, data security, incident reporting, etc.

Host Configuration Requirements:

  • Systems do not bridge or create new NCSA subnets (wired or wireless) without approval from Networking & Security.
  • Cryptographic and security configurations will be consistent with UIUC policies and standards of practice.


...

NCSA Management Network Zone

Definition:

This zone includes connections to the management interfaces and communication for NCSA systems. All out-of-band management, power infrastructure and management interfaces must be placed on this network for systems within the NCSA and NCPF data centers.

Types of Systems:

This zone supports management interfaces for any systems. A firewall is in place to manage all connections in and out of this zone.

Informational & Procedural Requirements:

  • System owners must follow all campus and NCSA policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • This network is not to be used for any user access or data transfer services.



...

VPN Zone

Definition

NCSA offers VPN services with different authentication profiles. These can be used as more flexible bastions in conjunction with firewall rules, to access privately addressed subnets, or to reach other services that might be blocked at the border (e.g., mounting filesystems).

...

Systems connected to the NCSA VPN are monitored unencrypted on the internal side of the VPN with the NIDS. Authentication to the VPN requires the use of valid and authorized NCSA credentials.

...

Physical Security Zone

Definition:

This is an isolated zone only for the NPCF physical security systems.

Types of Systems:

All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, badge readers, iris scanners, ACMS workstations (for badging, control and enrollment), and the ACMS database server.

Host Configuration Requirements:

  • Devices on this network can neither connect to other networks nor be connected to from them, except for a single ACMS workstation that must connect with iCard systems elsewhere on campus.
    • This ACMS workstation can only be connected to via RDP from a single remote workstation run by Facilities & Services for troubleshooting and support.
  • All other remote connections, even if temporary for support, must be approved by the Security Office.

...

Isolated Zones

Definition:

Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally with NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), because it is actually an external network extending into our physical infrastructure, or because external requirements or regulations require extra isolation.

...