...

  • Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • Register with an NCSA ID to receive an IP address; a point of contact for Security is recorded as part of the process.
    • The default network type is firewalled, though users can opt out.
    • Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
    • Re-registration is required annually.


  • Production systems (see definition above) in this zone must:
    • adhere to security best practices, including maintaining security patches, running minimal services, and removing unnecessary setuid binaries;
    • provide the Security Team a list of running/listening services;
    • maintain a regularly audited list of authorized administrators and/or users;
    • use secure, non-default passwords or stronger authentication methods;
    • forward syslog to the central syslog server;
    • use a host-based IDS when applicable;
    • provide the Security Team with interactive logins to investigate security incidents;
    • be located in one of the designated, locked server rooms;
    • not have wireless network adapters activated, since these could bridge zones; and
    • be reported to the Security Team, which maintains an up-to-date list of these systems.
      • Goal: For servers and small clusters that may be in the NCSA Building, we want to prevent Security learning about systems only after the fact, which is currently common.
  • Administrators of non-production systems, including workstations and laptops, should:
    • install security updates;
    • use secure, non-default passwords;
    • turn off unneeded services;
    • be registered in DNSWorks;
      • Goal: Individual workstations and laptops should be registered in order to prevent unauthenticated access to our networks.
    • report any suspicious activity to the Security Team; and
    • be aware that the Security Team may revoke the access of any user or system on which a compromise or malicious activity is detected.
  • Do not bridge networks without approval from Networking & Security.

Requirements for NCSA wireless networks:

The NCSA wireless networks (those giving public NCSA IP addresses) must not give an adversary who lacks NCSA authentication credentials any advantage over simply attacking from the Internet.

  • WPA2-Enterprise wireless protection will be used.
  • NCSA wireless networks are not for guest use; guests should instead use a CITES-provided wireless network.
  • These networks authenticate and authorize against the NCSA LDAP service.
  • Only the NCSA and/or CITES network teams can configure access points and networking hardware for the wireless network; no rogue or unapproved wireless networks are permitted.
  • The Security Team must be able to quickly map a wireless IP address and timestamp to a user, and this mapping must remain possible for at least the previous 90 days.

Zone 3b: NPCF Offices

Definition

The NPCF building houses several offices whose traffic should be handled separately from that of the main datacenter zone. Command Center systems that are not dedicated CnC systems for Zone 1 machines (dedicated CnC systems being those networked only to internal subnets) will be treated as members of Zone 3b.

...