Document Name: NCSA Network Security Policy
Version: 3.0
Accountable: Adam Slagell
Authors: Adam Slagell & Mike Dopheide
Approved: March 11, 2016


Introduction

NCSA logically divides its network into several different trust zones. Traffic between these zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Therefore, systems within a single zone must be trusted and hence hardened to a similar level.

These zones can vary significantly in how they are trusted: from networks trusted little more than the general Internet to networks that require stringent vetting and auditing. Most networks are public, but some are very isolated and not even routed. The common requirements across all zones are simply that systems follow University security policies and that the Security and Networking teams can quickly identify the location and responsible party for all hosts on our networks.


Governance

Policy Application

For the purposes of this document, production systems are defined as any system, including allocated systems, that is intended to provide reliable computational and/or data services to a networked constituency. These systems include not only “customer facing” hosts, such as web servers, file servers, login nodes, etc., but also the infrastructure required to support them, such as backend database servers, backup and storage systems, authentication servers, etc.

NCSA Information Infrastructure Board (IIB)

The leaders of ADS (Advanced Digital Services), ITS (Information Technology Services), and Security are responsible for application of this policy. These three groups are the service providers of infrastructure at NCSA and meet regularly to discuss security issues and strategy for providing better services.

Audit

Security is responsible for ensuring regular auditing of this policy and automates such audits where possible. However, being responsible does not always mean executing every audit themselves. This is a group endeavor among all the NCSA service providers and requires coordination and cooperation between ADS, ITS and Security.

Violation

Violations of this policy may result in immediate network disconnection of systems by Security. System owners will have to demonstrate compliance before regaining complete network access. Repeat violators or active attempts to circumvent these policies will be reported to senior management at the NCSA, and could result in more severe prohibitions.

Exceptions Process

For any rule or policy, exceptions may be needed. Security will review requests for exceptions. Decisions will be made by Security after appropriate consultation with the NCSA IIB. Appeals to decisions can be made to the Director's Office.

Policy Maintenance

Security will review this policy annually with the leadership of ADS and ITS to see if changes are needed. It will also be updated as needed for new network environments that are created.


NCSA Network Zones

The following zones and their accompanying policies are described logically, since specific addresses are subject to change.

High Performance Datacenter (HPDC) Zone

Definition:

This is the zone (formerly called "Zone 1") for production systems in the data center and consists of most machines in 2020 NPCF. It includes both public and private networks.

Types of Systems:

Systems requiring high availability, physical security and high performance networking are hosted here. This includes not just supercomputers, but core storage, security, networking equipment, and more. These systems are first built in a firewalled subzone until fully vetted by the security team, which is responsible for regular auditing of systems against the security requirements below.

Installation Requirements:

Informational Requirements:

Host Configuration Requirements:

Network Monitoring:

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but have not been vetted may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected.

Installation Subzone

While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.

Host Configuration Requirements:

These systems must:


Advanced Computational Health Enclave

Definition:

The Advanced Computational Health Enclave (ACHE) is a physically and virtually segmented zone used exclusively for processing and storing electronic Protected Health Information (ePHI).

Types of Systems:

ACHE is the only approved space for storing and processing ePHI, and both physical and electronic access is restricted to covered entity workforce members with approved access. These systems often have high-availability needs, and hence this zone has a separate UPS backup system. Like the HPDC zone, these systems are first built in a firewalled subzone until fully vetted by the security team, which is responsible for the regular auditing of the systems against the additional security requirements below.

ACHE is a separately monitored zone that inherits all of the requirements of systems in the HPDC, plus additional host configuration requirements.

Installation Requirements:

Informational Requirements:

Host Configuration Requirements:

Network Monitoring:

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network that have not been vetted and approved may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected.

Installation Subzone

While new systems are being built and configured in this zone and before they are fully vetted by security, they are firewalled in a subzone.

Host Configuration Requirements:

These systems must:

Research & Internal Services Zone

Definition:

This zone includes all Raised Access Floor (RAF) space in the NCSA building, as well as a logical zone in the NPCF data center.

Types of Systems:

This zone is for servers supporting R&D projects and internal services at NCSA. The IIB determines which systems are placed in this zone based on space, power, cooling, security and networking considerations together with ADS and Security. Systems in this zone do not have the same baseline service level guarantees as those in the HPDC zone, including security services provided.

Servers, whether supporting internal NCSA services or NCSA projects and their customers, are important, and their compromise can have a significant effect on NCSA productivity and reputation. Whether or not they are even considered production servers, the impact can be significant if the data on the systems is exposed, because of privacy considerations, regulatory and legal requirements, or confidentiality agreements. Therefore, a certain level of accountability is still required of all these systems.

Informational Requirements:

Systems or their administrators must:

It is important that the information initially provided to the security team is kept up to date, and system owners will need to review and update it annually. Changes that add high-risk or confidential data must be reported as soon as possible by contacting Security.

Host Configuration Requirements:

Systems or their administrators must:

Additional Configuration Recommendations:

Systems or their administrators should:


NCSA Office & Wireless Zone

Definition:

This zone includes all of the office and wireless networks that assign NCSA IP addresses. This includes offices in the NCSA building, NPCF and at least one wireless network, but does not include most RAF space.

Types of Systems:

This zone supports a variety of systems including desktops, laptops, portable devices and research systems. This zone is the most flexible and has the fewest security controls. While firewalled subnets are encouraged by default, the only policies that apply broadly to every host are the campus and NCSA employee security policies and the requirement to register hosts using an NCSA ID before accessing the network.

Informational & Procedural Requirements:

Host Configuration Requirements:

Network Configuration Requirements for NCSA wireless networks:

The NCSA wireless networks (those giving public NCSA IP addresses) must not give an adversary any advantage beyond what they would already have with NCSA authentication credentials, since anyone holding such credentials could obtain the same access from anywhere via the VPN.


VPN Zone

Definition:

NCSA offers VPN services with different authentication profiles. These can be used as more flexible bastions in conjunction with firewall rules, to access privately addressed subnets, or to reach other services that might be blocked at the border (e.g., mounting filesystems).

Security Requirements:

Traffic from systems connected to the NCSA VPN is monitored unencrypted by the NIDS on the internal side of the VPN. Authentication to the VPN requires the use of valid and authorized NCSA credentials.


Physical Security Zone

Definition:

This is an isolated zone only for the NPCF physical security systems.

Types of Systems:

All NPCF physical security systems, and only those systems, are part of this zone. This includes the camera DVRs, badge readers, iris scanners, ACMS workstations (for badging, control and enrollment), and the ACMS database server.

Host Configuration Requirements:


Isolated Zones

Definition:

Sometimes there is a need for a special subnet that is treated no differently than an external network and does not route internally to NCSA systems. This could be because the systems on the subnet would not meet the requirements of this policy (e.g., they bring their own unmonitored WAN links or cannot be hardened sufficiently), because it is actually an external network extending into our physical infrastructure, or because external requirements or regulations demand extra isolation.

Network Configuration Requirements: