Difference between revisions of "BX:Network Security Policy"

From CCGB
(Firewall policy)
 
(2 intermediate revisions by the same user not shown)
Line 4: Line 4:
  
 
* To comply with University Policy, State and Federal Law, it must be possible for CCGB/BX IT staff to trace a ''Device'''s network activity to an individual user. In accordance with this, the following requirements must be satisfied based on the connection method:
 
* To comply with University Policy, State and Federal Law, it must be possible for CCGB/BX IT staff to trace a ''Device'''s network activity to an individual user. In accordance with this, the following requirements must be satisfied based on the connection method:
** 802.1x - If the device connects via 802.1x, the user credentials used to "log in" will be considered the "user of record" for all activity generated by the device during the time that it is connected.
+
** ''''802.1x'''' - If the device connects via 802.1x, the user credentials used to "log in" to the network will be considered the "user of record" for all activity generated by the device during the time that it is connected.
** MAC-based - If the ''Device'' is connected to an unauthenticated connection (based on its MAC address or other hardware address):
+
** '''MAC-based''' - If the ''Device'' is connected to an unauthenticated connection (based on its MAC address and using a DHCP or static IP address):
 
*** Users must be required to log in to the device with both a username and password.
 
*** Users must be required to log in to the device with both a username and password.
 
*** All users of the ''Device'' must have separate usernames/logins and passwords. Users must not share their userid and password with anyone.
 
*** All users of the ''Device'' must have separate usernames/logins and passwords. Users must not share their userid and password with anyone.
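Review bot: the bold markup on the changed 802.1x bullet uses four apostrophes (`''''802.1x''''`) while the sibling MAC-based bullet in the same hunk uses three (`'''MAC-based'''`); MediaWiki parses four apostrophes as bold plus a literal apostrophe, so the label renders as '802.1x' with stray quotes in the saved page. Change it to `'''802.1x'''` so both labels render the same way. The reworded MAC-based bullet also narrows its scope from "MAC address or other hardware address" to "MAC address and using a DHCP or static IP address"; since the login, logging and registration requirements below it now attach only to that case, confirm that the narrowing is intended.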
Line 29: Line 29:
 
= Firewall policy =
 
= Firewall policy =
 
* All inbound traffic to the unmanaged networks will be blocked when the source is outside our networks. Exceptions are for certain services that are not stateful (UDP) and cannot be associated with an existing outbound connection.
 
* All inbound traffic to the unmanaged networks will be blocked when the source is outside our networks. Exceptions are for certain services that are not stateful (UDP) and cannot be associated with an existing outbound connection.
* ICMP echo-request and SSH are allowed to the unmanaged from our other networks (with the quarantine and unauth networks as exceptions).
+
* ICMP echo-request and SSH are allowed to the unmanaged and 802.1x networks from our other networks (with the quarantine and unauth networks as exceptions).
 
* No inbound firewall exceptions will be allowed to any unmanaged Devices authenticating through 802.1x.
 
* No inbound firewall exceptions will be allowed to any unmanaged Devices authenticating through 802.1x.
 
* Inbound firewall exceptions to a Static/DHCP connection will be allowed under the following conditions:
 
* Inbound firewall exceptions to a Static/DHCP connection will be allowed under the following conditions:
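Review bot: the added allowance of ICMP echo-request and SSH into the 802.1x networks from the other internal networks reads as conflicting with the unchanged bullet two lines below, which states that no inbound firewall exceptions will be allowed to unmanaged Devices authenticating through 802.1x. State explicitly that the echo-request/SSH rule is a network-wide baseline rather than a per-device exception, for example by qualifying the 802.1x bullet with "beyond the echo-request and SSH allowance above", so the two bullets cannot be read as contradicting each other.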

Latest revision as of 13:12, 5 January 2011

This Network Security Policy applies to all Devices connected to any of the BX Networks.

Devices connected to The Center for Comparative Genomics and Bioinformatics (CCGB) network (BX) and the users of those Devices must be in compliance with University Policies AD-20, AD-23 and AD-53. In addition, the CCGB has the following policy regarding network Devices:

  • To comply with University Policy, State and Federal Law, it must be possible for CCGB/BX IT staff to trace a Device's network activity to an individual user. In accordance with this, the following requirements must be satisfied based on the connection method:
    • 802.1x - If the device connects via 802.1x, the user credentials used to "log in" to the network will be considered the "user of record" for all activity generated by the device during the time that it is connected.
    • MAC-based - If the Device is connected to an unauthenticated connection (based on its MAC address and using a DHCP or static IP address):
      • Users must be required to log in to the device with both a username and password.
      • All users of the Device must have separate usernames/logins and passwords. Users must not share their userid and password with anyone.
      • Shared or "Group" accounts are permitted only when in compliance with group account policy as specified in University Policy AD-20.
      • The Device must maintain a log of logins and logouts containing at least the username and date/time for a minimum of 1 year.
      • When the Device is registered with BX IT staff, contact information for the Primary User(s), Requestor, and/or Designated System Administrator for the Device must be provided along with the MAC address of the Device.
      • In the event of a security incident, if the Device's Designated System Administrator cannot produce the specified detailed usage information (logs of logins/logouts) upon demand, the Primary User's/Requestor's and System administrator's contact information will be provided to security investigators for the case and the Device will be permanently barred from connection to the BX Network. Additionally, other Devices under the care of the Designated System Administrator will be checked and barred if they are found to be out of compliance with this policy.
      • It is recommended, but not required, that the Device be integrated with the rest of the central BX infrastructure, where it will be properly and securely maintained in accordance with this policy.
  • Where applicable, the Device must have Anti-virus software installed and configured to obtain automatic updates. The Anti-virus software must also be enabled and active before it will be allowed to connect to any network.
  • Where applicable, the Device must be configured to obtain OS updates automatically.
  • AD-20 states that any Device connected to the BX network may be investigated for violations of University Policy or Law whether it is owned by the University or a Private Citizen. During an investigation, the CCGB or University may search and/or seize a Device regardless of ownership. Owners who object to this requirement are discouraged from connecting private Devices to the network.
  • Violations of these policies may result in any of the following without prior notice to the user:
    • Referral to Judicial Affairs or Human Resources
    • Limitation of access to some or all BX and University IT services.
    • Initiation of legal action by the University.
    • Requirement of the violator to provide restitution for any improper use of service.
    • Disciplinary Sanctions, which may include dismissal.

Firewall policy

  • All inbound traffic to the unmanaged networks will be blocked when the source is outside our networks. Exceptions are for certain services that are not stateful (UDP) and cannot be associated with an existing outbound connection.
  • ICMP echo-request and SSH are allowed to the unmanaged and 802.1x networks from our other networks (with the quarantine and unauth networks as exceptions).
  • No inbound firewall exceptions will be allowed to any unmanaged Devices authenticating through 802.1x.
  • Inbound firewall exceptions to a Static/DHCP connection will be allowed under the following conditions:
    • The exception is absolutely necessary for the continued mission of the University or the CCGB
    • The service to be exposed has been properly secured where applicable
    • Logs of all connections and usage will be kept for a minimum of 1 year
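The firewall bullets above describe a decision order rather than a concrete ruleset, so the following Python model, added here as an example and not the CCGB's own firewall configuration, encodes that order as a single verdict function and runs it over constructed packets. Zone names ("managed", "unmanaged", "dot1x", "quarantine", "unauth", "outside"), the sample UDP service port, the device records and the packets are all assumptions; the policy names none of them. Two further assumptions are stated in the comments: inbound traffic the policy does not mention is dropped by default, and an approved Static/DHCP exception applies whatever the source network.

```python
"""Packet-filter model of the BX "Firewall policy" section (added example).

Verdict order, following the policy bullets:
  1. replies to connections opened from inside pass (stateful filtering);
  2. ICMP echo-request and SSH pass from internal networks other than
     quarantine and unauth;
  3. from outside, only the listed stateless UDP services pass;
  4. devices authenticating through 802.1x get no per-device exceptions;
  5. Static/DHCP devices get an exception only when all three stated
     conditions (mission need, hardened service, 1-year logs) hold;
  6. everything else is dropped (assumed default deny).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed zone names for the networks the policy refers to.
INTERNAL_ZONES = frozenset({"managed", "unmanaged", "dot1x", "quarantine", "unauth"})
# Internal networks allowed to send echo-request / SSH inbound (quarantine and unauth excluded).
PROBE_SOURCE_ZONES = INTERNAL_ZONES - {"quarantine", "unauth"}
# Constructed allow-list for "services that are not stateful (UDP)"; the policy names none.
STATELESS_UDP_EXCEPTIONS = frozenset({("udp", 514)})   # hypothetical syslog relay
MIN_LOG_RETENTION_DAYS = 365                            # "a minimum of 1 year"


@dataclass(frozen=True)
class ServiceException:
    """An inbound exception request with the three policy conditions recorded."""
    proto: str
    port: int
    mission_critical: bool       # "absolutely necessary for the continued mission"
    service_hardened: bool       # "properly secured where applicable"
    log_retention_days: int      # "logs ... kept for a minimum of 1 year"

    def approved(self) -> bool:
        return (self.mission_critical and self.service_hardened
                and self.log_retention_days >= MIN_LOG_RETENTION_DAYS)


@dataclass(frozen=True)
class Device:
    name: str
    connection: str                              # "802.1x" or "static_dhcp"
    exceptions: Tuple[ServiceException, ...] = ()


@dataclass(frozen=True)
class Packet:
    src_zone: str                        # "outside" or one of INTERNAL_ZONES
    proto: str                           # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None      # e.g. "echo-request"
    reply_to_existing: bool = False      # connection tracking matched an outbound flow


def decide(pkt: Packet, dst: Device) -> Tuple[str, str]:
    """Return (verdict, reason) for an inbound packet to an unmanaged/802.1x device."""
    if pkt.reply_to_existing:
        return "ACCEPT", "reply to an existing outbound connection"
    is_probe = ((pkt.proto == "icmp" and pkt.icmp_type == "echo-request")
                or (pkt.proto == "tcp" and pkt.dport == 22))
    if pkt.src_zone in INTERNAL_ZONES:
        if is_probe and pkt.src_zone in PROBE_SOURCE_ZONES:
            return "ACCEPT", "echo-request/SSH from an internal network"
        if is_probe:
            return "DROP", "quarantine/unauth are excluded from the echo-request/SSH allowance"
    elif (pkt.proto, pkt.dport) in STATELESS_UDP_EXCEPTIONS:
        return "ACCEPT", "stateless UDP service exception"
    # Per-device exceptions: never for 802.1x, conditionally for Static/DHCP.
    # Assumption: an approved exception applies regardless of source network.
    if dst.connection == "802.1x":
        return "DROP", "no inbound exceptions for devices authenticating through 802.1x"
    for exc in dst.exceptions:
        if (exc.proto, exc.port) == (pkt.proto, pkt.dport):
            if exc.approved():
                return "ACCEPT", f"approved exception for {exc.proto}/{exc.port}"
            return "DROP", f"exception for {exc.proto}/{exc.port} fails a policy condition"
    return "DROP", "default deny for inbound traffic (assumed)"


# Constructed devices: a Static/DHCP host with one compliant and one
# non-compliant exception request, and an 802.1x laptop whose "approved"
# exception must still be refused.
WEBHOST = Device("webhost", "static_dhcp", (
    ServiceException("tcp", 443, True, True, 400),
    ServiceException("tcp", 8080, True, False, 400),
))
LAPTOP = Device("laptop", "802.1x", (ServiceException("tcp", 443, True, True, 400),))


def run_demo():
    """Evaluate constructed packets and return rows of (src, proto, port/type, device, verdict, reason)."""
    cases = [
        (Packet("outside", "tcp", 443), WEBHOST),
        (Packet("outside", "tcp", 8080), WEBHOST),
        (Packet("outside", "tcp", 443), LAPTOP),
        (Packet("outside", "udp", 514), LAPTOP),
        (Packet("managed", "icmp", icmp_type="echo-request"), LAPTOP),
        (Packet("quarantine", "tcp", 22), WEBHOST),
        (Packet("outside", "udp", 53, reply_to_existing=True), LAPTOP),
    ]
    return [(p.src_zone, p.proto, p.dport or p.icmp_type, d.name, *decide(p, d))
            for p, d in cases]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The check order matters: the stateless UDP allowance and the echo-request/SSH allowance are network-wide rules evaluated before the per-device 802.1x refusal, which is why the 802.1x laptop still receives the UDP service and internal pings while its own exception request is refused.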

BX Integration

BX IT Staff will ensure that all BX Integrated Devices (those under full central management) fully comply with the BX Network Security Policy. BX Integration is optional, and in those cases someone other than the BX IT Staff must be chosen as the Designated System Administrator. BX IT Staff will NOT assume the role of Designated System Administrator for those systems which are not fully integrated and centrally managed.