...

  • Until vetted, these machines are firewalled to only accept connections from NCSA hosts or to port 22 (SSH).
  • A vulnerability and patch management plan must be in place.
  • Disable any unnecessary services and accounts, and enforce this with host-based firewalls where possible.
    • Inform the security team if the list of services changes.
  • Utilize the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Utilize non-local accounts for remote access unless otherwise approved.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Disable IP-forwarding and do not bridge networks without approval from Security & Networking.
  • Maintain and enforce a list of authorized administrators, and keep records up-to-date so that the security team can quickly determine responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
  • Provide the security team with accounts on the system or a way to quickly get access 24/7 for emergencies.
  • Notify the security team of any sensitive, confidential or regulated data expected to be on the system.

Monitoring:

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but netflows are collected.

...

  • Use secure, non-default passwords.
  • Be protected by a stateful network firewall that only accepts connections from non-NCSA hosts on port 22.

...

Research & Internal Services Zone

Definition:

This zone includes RAF space in the NCSA building as well as a logical extrusion into NPCF for redundancy. Most of this space maps physically to the 3rd floor server room, 3003 NCSA.

Types of Systems:

This zone is for servers supporting R&D projects and internal services at NCSA. The ITS director determines which systems are placed in this zone based on space, power, cooling and usage considerations together with ADS and Security.

Security Requirements:

Servers, whether supporting internal NCSA services or NCSA projects and their customers, are important, and their compromise can have a significant effect on NCSA productivity and reputation. Whether or not they are even considered production servers, the impact can be significant if the data on the systems is exposed, because of privacy considerations, regulatory and legal requirements, or confidentiality agreements. Therefore, certain accountability is required of all these systems.

Systems or their administrators must:

  • Use two-factor authentication for administrative access or escalation, or request an exemption from the Security Office.
  • Disable IP-forwarding and do not bridge networks without approval from Security & Networking.
  • Label systems in the rack and keep labels up-to-date.
  • Update the security team when information they provided has changed.
  • Provide the security team with:
    • accounts on the system or a way to quickly get access 24/7 for emergencies
    • purpose of the system and notification of any sensitive or confidential data
    • a list of authorized administrators and a responsible full-time NCSA staff person
    • a list of necessary services/ports open
    • a plan for vulnerability and patch management

Systems or their administrators should:

  • Utilize the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Use the NCSA LDAP for authorization and an NCSA centralized authentication service.
  • Use host-based firewalls to enforce the list of services running.

...

NCSA Office & Wireless Zone

Definition:

This zone includes all of the office and wireless networks that assign NCSA IP addresses. This includes offices in the NCSA building, NPCF and at least one wireless network, but does not include most Raised Access Floor (RAF) space.

Types of Systems:

This zone supports a variety of systems including desktops, laptops, portable devices and research systems. This zone is the most flexible and has the fewest security controls. While firewalled subnets are encouraged by default, the policies that apply broadly to every host are campus and NCSA employee security policies and a requirement to register hosts using an NCSA ID before accessing the network.

Security Requirements:

Systems in this network zone must:

  • Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
    • The default network type is firewalled, though users can opt out.
    • Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
    • Reregistration is required annually.
  • Do not bridge networks without approval from Networking & Security.
  • Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled network.

...

Systems connected to the NCSA VPN are monitored unencrypted on the internal side of the VPN with the NIDS. Authentication to the VPN requires the use of valid and authorized NCSA credentials.

...

Physical Security Zone

Definition:

This is an isolated zone only for the NPCF physical security systems.

Types of Systems:

All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, badge readers, iris scanners, ACMS workstations (for badging, control and enrollment), and the ACMS database server.

Security Requirements:

  • Devices on this network can neither connect to the other networks nor be connected to, except for a single ACMS workstation that must connect with iCard systems elsewhere on campus.
    • This ACMS workstation can only be connected to via RDP from a single remote workstation run by Facilities & Services for troubleshooting and support.
  • All other remote connections, even if temporary for support, must be approved by the Security Office.

...

Island Zones

Definition:

Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally with NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), it is actually an external network extruding into our physical infrastructure, or that external requirements or regulations require extra isolation.

Security Requirements:

  • Connections to other NCSA hosts would not be allowed unless exiting and reentering the NCSA network.
    • The Security Office can approve limited exceptions to whitelist direct access to key NCSA services, such as DNS, and these exceptions will be documented.
  • Systems in an island zone are treated as external from a security perspective. As such, they may not benefit from any of the security services or monitoring normally provided.