Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Document Name: NCSA Network Security Policy
Version: 2.0
Accountable: Adam Slagell
Authors: Adam Slagell, Joerg Heintz, & Mike Dopheide
Approved: Aug. 816, 2014



NCSA logically divides its network into several different trust zones. Traffic between these zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Therefore, systems within a single zone must be trusted and hence hardened to a similar level.


  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
    • Inform Security if the list of services changes.
  • Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Utilize non-local accounts for remote access unless otherwise approved.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxy is prohibited without expressed permission from Security & Networking.


  • For production systems, use two-factor authentication for administrative remote access, or request an exemption from Security.
  • Disable routing, traffic forwarding, bridging between subnets and other forms of internetwork traffic proxy through the host unless approved by Security & Networking.
  • For production hosts, forward system logs to the NSCA syslog collector.