All external links into and out of this zone are monitored by the network IDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the IDS, but netflows are collected.
While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.
These systems must:
- Use secure non-default passwords.
- Be protected by a stateful, network firewall that only accepts connections from non-NCSA hosts on port 22.
NCSA Office & Wireless Zone
This zone includes all of the office and wireless networks that assign NCSA IP addresses. This includes offices in the NCSA building, NPCF and at least one wireless network, but does not include most Raised Access Floor (RAF) space
This defines a type of system-specific zone for systems that are physically located on the floor in 2020 NPCF, but which have not yet met all of the security requirements to be part of the High Performance DC Zone. In most cases, router ACLs would be sufficient for protecting these systems while they are brought online and secured before being moved into Zone 1. These connections will be limited to the extent than they can be monitored via temporary taps or SPAN ports.
Types of Systems:
Systems in this zone may be in the process of initial configuration, but have reached the point of requiring network access to download updates and additional software. As always, to be physically located in the NPCF, systems must be approved by the NPCF RAF Space Committee.
As the purpose of this zone is to provide network access to systems as they are being configured, it's unrealistic to expect them to have a full suite of security tools already configured and working. Packet filtering will allow minimal incoming services to help protect systems that may come with vulnerable software out of the box. These systems must:
- restrict network access until systems are vetted
- use secure, non-default passwords; and
- be hardened according to the requirements for Zone 1 as quickly as possible if the intent is to move the system to that network.
- Systems transitioning to Zone 1 must still be vetted by the Security Team
Zone 2: Testing
NPCF room 2016 is for testing and installing new systems and will reside behind a 1G Firewalled network link. Systems requiring more than 1G bandwidth, but unable to meet a sufficient level of system security to be moved to the High Performance Datacenter zone must provide and connect to the network through a firewall, which must be vetted by security. (In some cases, router ACLs or a NAT could be deemed sufficient.) The firewall(s) will limit traffic both in and out of the test zone and traffic from this network will be monitored. Requests for changes to any firewall configurations should be directed to networking and coordinated with the Security Team.
Types of Systems:
Systems in this zone may be in the process of initial configuration or semi-permanent test systems.
Systems in this zone have the same requirements as those in Zone 1b.
Zone 3a: NCSA Building
The NCSA Building houses the majority of NCSA staff, but also has several small server rooms. With staff and guests moving systems in and out, the networks within this zone are not highly trusted.
It is the goal of the Security Team to eventually be able to separate the NCSA Building into several sub-zones based on logically or physically separate networks. At this time those changes are not feasible and are beyond the scope of this document.
Types of Systems:
A large variety of systems includes staff laptops, workstations, test systems, and may include machines providing production services that, for whatever reason, do not merit or require placement in the NPCF data center.
This zone supports a variety of systems from desktops, laptops, portable devices and research systems with the most flexibility and fewest security controls. While firewalled subnets are encouraged by default, the only policies that apply broadly to every host are campus and NCSA employee security policies and the requirement to register hosts using an NCSA ID before accessing the network.
Systems in this network must:
- Follow all campus and NCSA employee policies regarding updating, virus scanning, data security, etc.
- Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
- The default network type is firewalled, though users can opt-out
- Reregistration is required annually.
Traffic within this zone should be regarded with suspicion as these networks are only nominally more trusted than general Internet traffic. As a result, traffic between this zone and the others will be monitored. The Security Team provides assistance with hardening hosts and can provide additional monitoring if requested.
- Production systems (See definition above) in this zone must:
- adhere to security best practices including maintaining security patches, running minimal services, and removing unnecessary setuid binaries;
- provide the Security Team a list of running/listening services;
- maintain a regularly audited list of authorized administrators and/or users;
- use secure, non-default passwords or stronger authentication methods;
- forward syslogs to the central syslog server;
- use a host-based IDS when applicable;
- provide the Security Team with interactive logins to investigate security incidents;
- be located in one of the designated, locked server rooms; and
- must not have wireless network adapters, which could bridge zones, activated; and
- the Security Team will maintain an up-to-date list of these systems
- Goal: For servers and small cluster that may be in the NCSA Building, we want to prevent the currently common occurrence of security finding out about systems after-the-fact.
- Administrators of non-production systems, including workstations and laptops, should:
- install security updates;
- use secure, non-default passwords;
- turn off unneeded services;
- be registered in DNSWorks;
- Goal: Individual workstations and laptops should be registered in order to prevent un-authenticated access to our networks.
- report any suspicious activity to the Security Team; and
- realize that the Security Team can revoke access of any user or system on which a compromise or malicious activity is detected.
Zone 3b: NPCF Offices
The NPCF building houses several offices whose traffic should be handled separately from that of the main datacenter zone. Command Center systems that are not dedicated CnC systems for Zone 1 machines, i.e., networked only to internal subnets, will be treated as members of Zone 3b.
NPCF Office systems share the same security requirements as NCSA Building systems (Zone 3a) but are a separate sub zone because they will be physically monitored at separate points.
Zone 4a: Wireless
NCSA Wireless connectivity is available in all of our buildings (ACB, NCSA & NPCF). For campus wireless networks, all traffic is tunneled outside the NCSA and treated as external traffic. For this reason, they do not fall under any NCSA zone and are not explicitly addressed.
Generally, these systems will be laptops, tablets, and/or smart phones owned by NCSA employees or guests.
Guest laptops are likely candidates for victimization by malicious network traffic, email/web client attacks or viruses. Therefore, the preferred way for guests to obtain Internet access is through the EDURoam, UIUC Public Wifi (where available) or by getting a guest account on UIUCNet, which has good coverage all over campus. These networks are run by CITES and traffic is tunneled outside the NCSA network. Therefore, guest systems would not logically be a part of the NCSA network and would be treated as external Internet traffic.
- wireless networks in NCSA buildings must not give an adversary without NCSA authentication credentials an advantage over simply attacking from the Internet;
- only the NCSA and/or CITES network teams can configure access points and networking hardware for the wireless network -- there will be no rogue or unapproved wireless networks;
- the Security Team will regularly audit/scan for rogue access points; and
- use and configuration of the wireless networks must be compliant with all relevant NCSA and University policies.
Zone 4b: VPN
NCSA offers a VPN service for employees working remotely.
Zone 7: Physical Security Systems
This is an island zone only for the NPCF physical security systems.
Types of Systems:
All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, the badge readers, the iris scanners, the ACMS workstations (for badging, control and enrollment), and the ACMS database server.
- Devices on this network are on their own physical network, but they are bridged-together private VLANs on shared routers and switches;
- This VLAN is completely private and does not allow for access to or from the outside world, except for occasional VPN access into this zone that is provided to allow the physical security contractors (ITG) to perform maintenance. This VPN access is turned off unless maintenance is being performed; and
- VPN access is also restricted to a small number of remote IP addresses and requires a strong authentication for access.
Zone: Island / PSP (Private Sector Program)
This defines a type of zone rather than a specific zone itself. An Island zone has its own, unmonitored external bandwidth either provided by a 3rd party or too large to be monitored by the border NIDS. The island may have an additional, smaller bandwidth connection directly into NPCF zones that will be monitored with the NIDS and treated as external traffic. This includes site-to-site VPN traffic traversing NCSA's external links. This traffic must not be routed inside the NCSA network without also being monitored by a NIDS, and it will be trusted no more than other Internet traffic.
Types of Systems:
These are systems (typically servers) for special projects or private sector partners that bring in their own systems to physically reside in NPCF, but that also require their own external connectivity. Other large systems that have their own pipes, but do not wish to pay for monitoring, can opt for an island zone.
- These zones have their own outside connectivity (preferably non-NCSA IPs), and no direct connection to our network. For the purposes of security monitoring they are treated as external systems;
- If the owners/administrators of systems on this network require security monitoring beyond that provided if/when traffic from these systems crosses into an NCSA network, that monitoring must be coordinated with the Security Team and any additional costs of that monitoring borne by the owners/administrators of the systems.