Versions Compared

Comment: bridging clarification

...

  • Until vetted, these machines are firewalled as described in the Installation Subzone.
  • An accepted vulnerability and patch management plan must be in place.
  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
    • Inform Security if the list of services changes.
  • Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Utilize non-local accounts for remote access unless otherwise approved.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Routing, traffic forwarding, network bridging  bridging subnets and other forms of network internetwork traffic proxy is prohibited without expressed permission from Security & Networking.
  • Maintain and enforce a list of authorized administrators, and keep records up-to-date so that Security can quickly determine responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
  • Provide Security with accounts on the system or a way to quickly get access 24/7 for emergencies.
  • Notify Security of any sensitive, confidential or regulated data expected to be on the system.
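Review bot: the revised bullet on routing and bridging still reads "network bridging  bridging subnets" and "network internetwork traffic proxy", so the old and new wording appear side by side; if the intent is to replace "network bridging" with "bridging subnets" and "network traffic proxy" with "internetwork traffic proxy", the struck text should be removed rather than left in the line. Also "expressed permission" should be "express permission", and this bullet says "prohibited without ... permission from Security & Networking" while the later sections say "unless approved by Security & Networking" and "without approval from Networking & Security"; one phrasing and one name for the approving group would make the requirement easier to enforce consistently.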

...

  • Use two-factor authentication for administrative access or escalation, or request an exemption from Security.
  • Disable routing, traffic forwarding, network bridging  bridging between subnets and other forms of network internetwork traffic proxy through the host unless approved by Security & Networking.
  • Label systems in the rack and keep labels up-to-date.
  • Maintain and provide the security team with:
    • accounts on the system or a way to quickly get access 24/7 for emergencies
    • purpose of the system and notification of any sensitive or confidential data
    • a list of authorized administrators and a responsible full-time NCSA staff person
    • a list of necessary services/ports open
    • a plan for vulnerability and patch management
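Review bot: same doubled wording as in the earlier section ("network bridging  bridging between subnets", "network internetwork traffic proxy"); whichever phrase is the new one should stand alone. Note that this section says "bridging between subnets" where the earlier section says "bridging subnets" and the later one "bridge networks subnets"; since the version comment is "bridging clarification", aligning all three to a single phrase (for example "bridging between subnets") would complete that clarification.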

...

  • Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
  • Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
    • The default network type is firewalled, though users can opt-out
    • Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
    • Reregistration is required annually.
  • Do not bridge networks subnets without approval from Networking & Security.
  • Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled network.
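Review bot: "Do not bridge networks subnets" again carries both the old and the new word; it should read either "Do not bridge subnets" or, to match the administrative section, "Do not bridge between subnets". The approver here is "Networking & Security" while the other two sections say "Security & Networking"; use one name so readers know it is the same approval path.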

...