
These zones can vary significantly in how they are trusted: from networks trusted little more than the general Internet to networks that require stringent vetting and auditing. Most networks are public, but some are very isolated and not even routed. The common requirements across all zones are simply that systems follow University security policies and that the Security and Networking teams can quickly identify the location and responsible party for all hosts on our networks.

...

The leaders of ADS (Advanced Digital Services), ITS (Information Technology Services), and Security are responsible for application of this policy. These three groups are the service providers of infrastructure at NCSA and meet regularly to discuss security issues and strategy for providing better services.

Audit

The Security Team is responsible for ensuring regular auditing of this policy and automates such audits where possible. However, being responsible does not always mean executing every audit on their own. This is a group endeavor among all the NCSA service providers and requires coordination and cooperation between ADS, ITS and Security.

...

Violations of this policy may result in immediate disconnection of systems by Security, especially in critical and sensitive zones. Failure to obtain prior approval for installations based on zone policies, or attempts to circumvent these policies, will be reported to senior management at the NCSA.

...

For any rule or policy, exceptions may be needed. The Security Office will review requests for exceptions. Decisions will be made by the Security Office after appropriate consultation with the NCSA IT Operations Board. Appeals of decisions can be made to the Director's Office.

Policy Maintenance

The Security Office will review this policy annually with the leadership of ADS and ITS to see if changes are needed. It will also be updated as needed for new network environments that are created.

...

  • Until vetted, these machines are firewalled as described in the Installation Subzone.
  • An accepted vulnerability and patch management plan must be in place.
  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
    • Inform Security if the list of services changes.
  • Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Utilize non-local accounts for remote access unless otherwise approved.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Routing, traffic forwarding, network bridging and other forms of network traffic proxying are prohibited without express permission from Security & Networking.
  • Maintain and enforce a list of authorized administrators, and keep records up-to-date so that Security can quickly determine the responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
  • Provide Security with accounts on the system or a way to quickly get access 24/7 for emergencies.
  • Notify Security of any sensitive, confidential or regulated data expected to be on the system.
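The following script is an added example, not part of the NCSA policy: it spot-checks a Linux host against the host requirements listed above (forwarding disabled, no bridging, only the reported services listening, logs forwarded). Each check takes command output as text, so it can be run against live or captured output; the allowlist and log collector host are placeholders for the values reported to Security.

```sh
#!/bin/sh
# Added example (not from the NCSA policy): audit a host against the zone
# requirements above. Checks take command output as text so they can run on
# live or captured output. Host names and ports below are placeholders.

# Pass if every forwarding sysctl in the given `sysctl` output is 0.
check_forwarding() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /ip_forward|forwarding/ { if ($NF != 0) bad = 1 }
        END { exit bad }'
}

# Pass if `ip -o link show type bridge` output is empty (no bridge interfaces).
no_bridges() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Print listening TCP ports from `ss -Hltn` output that are not in the
# space-separated allowlist (the services reported to Security); empty if none.
unauthorized_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 && $4 ~ /:[0-9]+$/ { n = split($4, f, ":"); p = f[n]
            if (!(p in ok) && !(p in seen)) { seen[p] = 1; print p } }' | sort -n
}

# Pass if the rsyslog config text has an uncommented remote target (@host,
# @@host or an omfwd target=...), i.e. logs are forwarded to a collector.
log_forwarding_configured() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*(@@?[^@[:space:]]|target=)'
}

# Live audit of this host; ALLOWED_PORTS is the list reported to Security.
audit_host() {
    allowed=${ALLOWED_PORTS:-22}
    status=0
    check_forwarding "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null)" \
        || { echo "FAIL: IP forwarding enabled"; status=1; }
    no_bridges "$(ip -o link show type bridge 2>/dev/null)" \
        || { echo "FAIL: bridge interface present"; status=1; }
    extra=$(unauthorized_listeners "$(ss -Hltn 2>/dev/null)" "$allowed")
    [ -z "$extra" ] || { echo "FAIL: unreported listening ports: $extra"; status=1; }
    log_forwarding_configured "$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null)" \
        || { echo "FAIL: no remote syslog target configured"; status=1; }
    return $status
}

# Run the live audit only when asked, e.g. `ALLOWED_PORTS="22 443" sh audit.sh --audit`.
[ "${1:-}" = "--audit" ] && audit_host
```

Note that a missing tool (no `ss`, no `sysctl`) yields empty output, which the individual checks treat as compliant; the audit reports only what it can observe.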

...

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is not monitored by the NIDS, but network flows are collected.

Installation Subzone

While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.

...

Definition:

This zone includes Raised Access Floor (RAF) space in the NCSA building as well as a logical extrusion into NPCF for redundancy. Most of this space maps physically to the 3rd floor server room, 3003 NCSA.

...

  • Use two-factor authentication for administrative access or escalation, or request an exemption from the Security Office.
  • Do not perform routing, traffic forwarding, network bridging or any other form of network traffic proxying through the host unless approved by Security & Networking.
  • Label systems in the rack and keep labels up-to-date.
  • Maintain up-to-date (PLEASE CLARIFY) and provide the security team with:
    • accounts on the system or a way to quickly get access 24/7 for emergencies
    • purpose of the system and notification of any sensitive or confidential data
    • a list of authorized administrators and a responsible full-time NCSA staff person
    • a list of necessary services/ports open
    • a plan for vulnerability and patch management
    • Vetting? Scheduled?

Systems or their administrators should:

...

This zone includes all of the office and wireless networks that assign NCSA IP addresses. This includes offices in the NCSA building, NPCF and at least one wireless network, but does not include most Raised Access Floor (RAF) space.

Types of Systems:

This zone supports a variety of systems including desktops, laptops, portable devices and research systems. This zone is the most flexible and has the fewest security controls. While firewalled subnets are encouraged by default, the policies that apply broadly to every host are campus and NCSA employee security policies and a requirement to register hosts using an NCSA ID before accessing the network.

...

  • Connections to other NCSA hosts would not be allowed unless exiting and reentering the NCSA network.
    • The Security Office can approve limited exceptions to whitelist direct access to key NCSA services, such as DNS, and these exceptions will be documented.
  • Systems in an island zone are treated as external from a security perspective. As such, they may not benefit from any of the security services or monitoring normally provided.