...
The leaders of ADS (Advanced Digital Services), ITS (Information Technology SystemsServices), and Security are responsible for application of this policy. These three groups are the service providers of infrastructure at NCSA and meet regularly to discuss security issues and strategy for providing better services.
...
The Security Team is responsible to ensure regular auditing of this policy and automates auditing such audits where possible. However, responsible does not always mean executing every audit on their own. This is a group endeavor among all the NCSA service providers and requires coordination and cooperation between ADS, ITS and Security.
...
The Security Office will review this policy annually with the leadership of ADS and ITS to see if changes are needed. It will also be updated as needed for new network environments that are neededcreated.
...
NCSA Network Zones
The following zones and their accompanied accompanying policies are described logically as specific subnets addresses are subject to change.
High Performance Datacenter (HPDC) Zone
Definition:
This is the zone (formerly called "Zone 1") for production systems in the data center and consists of most machines in 2020 NPCF. It includes both public and private networks.
...
- Until vetted, these machines are firewalled to only accept connections from NCSA hosts or to port 22 (SSH).
- A vulnerability and patch management plan must be in place.
- Disable any unnecessary service and accounts, and enforce with host-based firewalls where possible.
- Inform the security team if the list of services changes.
- Utilize the security team's host-based IDS if possible.
- Forward system logs to the security team's log collector.
- Utilize non-local accounts for remote access unless otherwise approved.
- Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
- Disable IP-forwarding and do not bridge networks without approval from Security & Networking.
- Maintain and enforce an up-to-date a list of authorized administrators, and keep records up-to-date so that the security team can quickly determine responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
- Provide the security team with accounts on the system or a way to quickly get access 24/7 for emergencies.
...
This zone supports a variety of systems including desktops, laptops, portable devices and research systems. This zone is the most flexible and has the fewest security controls. While firewalled subnets are encouraged by default, the only policies that apply broadly to every host are campus and NCSA employee security policies and the a requirement to register hosts using an NCSA ID before accessing the network.
...
- Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
- Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
- The default network type is firewalled, though users can opt-out
- Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
- Reregistration is required annually.
- Do not bridge networks without approval from Networking & Security.
- Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled subnetnetwork.
Requirements for NCSA wireless networks:
The NCSA wireless networks (those giving public NCSA IP addresses) must not give an adversary without advantages they wouldn't already have with NCSA authentication credentials an advantage over simply attacking from the Internetand thus could execute from anywhere with VPN access.
- Enterprise WPA2 wireless protection will or equivalent will be used.
- NCSA wireless networks are not for guest use, but instead guests should use a CITES provided wireless network.
- These networks authenticate and authorize against the NCSA LDAP service.
- Only the NCSA and/or CITES network teams can configure access points and networking hardware for the wireless network -- ; there will be no rogue or unapproved wireless networks.
- The security team must have the ability to quickly map wireless IPs and timestamps to users for at least 90 days.
- Like the default office subnets, the primary wireless network is firewalled at or equivalently controlled to not allow servers for outside the NCSA borderIP space.
...
VPN Zone
Definition
NCSA offers a VPN services with different authentication profiles. These can be used as more flexible bastions in conjunction with firewall rules, to access privately addressed subnets, or to reach other services that might be blocked at the border (e.g., mounting filesystems).
...
Systems connected to the NCSA VPN are monitored unencrypted on the internal side of the VPN with the network IDSNIDS. Authentication to the VPN requires the use of valid and authorized NCSA credentials.
...
All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, the badge readers, the iris scanners, the ACMS workstations (for badging, control and enrollment), and the ACMS database server.
...
- Devices on this network can neither connect to the other networks or be connected to except for an a single ACMS workstation that must connect with iCard systems elsewhere on campus.
- This ACMS workstation can only be connected to via RDP from a single remote workstation run by Facilities & Services for troubleshooting and support.
- All other remote connections, even if temporary for support, must be approved by the Security Office.
...
Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally with NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), that it is actually an external network extruding into our physical infrastructure, or that external requirements or regulations require extra isolation.
...
- Connections to other NCSA hosts would not be allowed unless existing and entering again.exiting and reentering the NCSA network.
- The Security Office can approve limited exceptions to whitelist
- Limited exceptions whitelist access direct access to key NCSA services, such as DNS, can be approved by the Security Office and documented as an exceptionand these exceptions will be documented.
- Systems in an island zone are treated as external from a security perspective. They As such, they may not benefit from any of the security services or monitoring normally provided.