University of Minnesota

STANDARDS & GUIDELINES
STANDARD—

University Network Standards for Network Security & Operational Continuity (Appendix E)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: April 2004
RELATED POLICY/PROCEDURE:

Acceptable Use of Information Technology Resources
Information Technology Support Staffing Standard

STANDARD
A standard is a level of quality that requires conformity.


Introduction

The University network supports the missions of the University in teaching, research, and outreach. It consists of about 55,000 nodes/jacks, of which 30,000-35,000 are active on a typical day, all connected to a high-speed backbone. The majority of the network is run centrally by Networking and Telecommunications Services (NTS), but departments with certain specialized needs are allowed to connect non-NTS local networks to the campus backbone network.

Such local networks are generally called "private local area networks" (Private LANs) in common University terminology. A Private LAN is a local area network whose financing, operation and maintenance, including infrastructure such as wiring and switches, is primarily (with a few exceptions) the responsibility of a department or college. Coordinate campus networks are a separate category not specifically addressed below, but their practices should be consistent with these requirements where applicable.

To function, the elements of the network, including both the NTS and private LAN infrastructure equipment, must trust each other implicitly. Therefore all network infrastructure (i.e. specialized network equipment such as routers and switches), whether on NTS or private networks, must be secured to a high level: one insecure device or link could compromise the security of the entire network.

To allow the overall network to function seamlessly, and to protect all the data on the network, standards are increasingly necessary. The standards below address the expertise of network management staff as well as the technical capability of the software and equipment (routers, switches, and cabling) that are critical elements in the operation of the University network.

The following requirements define a minimum level of capability required of private networks to connect to the University backbone network. Additional future requirements may be necessary to comply with federal and state regulations. More detailed supplemental information including detailed configuration requirements and operational capabilities will be provided at a later date to support the next-generation network upgrade.
Staffing levels and capabilities:

  • Technical support staff for private networks must be reachable by phone or pager at any hour (24x7x365) to respond to security and general business continuity issues. Assigned responsibility for maintaining the network infrastructure must include a plan for coverage in case of illness, vacation, holiday weekends, etc. The contact information for these individuals, both during work hours and off hours, must be documented and communicated to NTS and OIT Security.
  • Private network administrators need at least an intermediate level of knowledge or competency in networking in general and in the specific equipment in use; this knowledge is necessary to run a private network. If staff do not possess the requisite knowledge, additional training may be required at departmental expense. Periodic refresher training, and especially training on any new network equipment put into use, is an important professional responsibility that should be budgeted for.

Configuration and operational requirements:

  • Only authorized departments and units may operate a private network. Newly proposed private networks (with the exception of wireless networks addressed below) must be approved by the relevant Vice President as well as the Chief Information Officer before they will be allowed to connect to the University backbone network.
  • A private network may not be connected behind a single NTS-provided Ethernet jack using a NAT device, router, etc. without the specific approval of NTS, with the exception of very short-term conference use of a wireless router/access point. Wireless access points plugged into the NTS-supported campus network must be registered with NTS, including a contact name, via a web form.
  • Any wireless networks connected to a private network must be configured to meet or exceed the wireless standards and guidelines published by OIT (see separate standards).
  • A documented database (e.g. a spreadsheet) must be kept of private network data such as IP addresses, MAC addresses, user identification, locations and jack-to-switch-port bindings. This information must be kept electronically and must be backed up regularly. The database must reflect all moves, adds, changes and deletions of users and equipment on the network. In the event of an incident during off-hours, OIT Security staff will expect this data to be readily available to the private network support staff.
  • Logs from any private network DHCP server or other user/machine binding mechanism must be retained for at least 90 days so that security incidents can be followed up.
  • A software support contract with network equipment vendors or other arrangement must be in place over the entire life of the equipment to address security and other software problems and to provide for software upgrades.
  • All security patches must be applied on a regular basis (see patching standard for further requirements). A mechanism for periodically updating and keeping current with security patches and software upgrades must be in place.
  • Network infrastructure must be periodically scanned (e.g. quarterly or after significant changes) for known vulnerabilities by OIT Security & Assurance with their vulnerability scanning software.
  • Physical access to network devices must be restricted. All physical locations where network equipment is located must be accessible only to authorized personnel both during and after normal business hours. These physical locations must be secured (lock, card key, etc.) to prevent unauthorized entry to the University network.
  • All software configurations for network equipment must be backed up on a regular cycle (e.g. daily or weekly) with periodic off-site storage of a backup copy.
  • Strongly authenticated access to management functions within network equipment must be implemented. NO PASSWORDS can remain as shipped from the manufacturer. Passwords must be changed on a periodic schedule and whenever staff leave, or centralized authentication such as RADIUS or TACACS must be used instead.
  • Services not needed must be disabled (e.g. web server, SNMP, FTP, etc.). Remaining services must be configured with strong passwords (SNMP community strings are the equivalent of passwords and must be changed from the vendor-provided defaults). Access control lists must be used to limit access to the services that remain.
  • Management access must be blocked from Internet and University network locations that do not need it. Filters, access lists, or firewalls must be used to limit access to the management interface and/or the services available on the device. The recommended configuration is to connect either locally (console) or through a bastion host using SSH.
  • Every management-interface or traffic access list must be documented with its intended purpose, a sunset date/time, and the person who requested the filter.
  • More detailed configuration requirements and recommendations may be periodically published by OIT to help ensure security and operational continuity.
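The management-plane requirements above (no vendor-default passwords or SNMP community strings, unneeded services disabled, access lists on management interfaces, SSH-only remote access, and documented filters with an owner and sunset date) can be checked mechanically against a saved device configuration. The script below is an added example, not University or vendor code; it assumes a Cisco IOS-like configuration syntax, and the sample configuration it audits is constructed (with deliberate violations) rather than taken from any real device.

```python
"""Audit an IOS-style network device configuration against the management-plane
requirements in this standard.  Added example: not University or vendor code.
Assumptions: Cisco IOS-like syntax; the sample configuration below is constructed."""
import re
from datetime import date

DEFAULT_COMMUNITIES = {"public", "private"}          # vendor-shipped SNMP strings
UNNEEDED_SERVICES = {"ip http server", "ip http secure-server", "service finger"}
OWNER_RE = re.compile(r"owner=(\S+)")
SUNSET_RE = re.compile(r"sunset=(\d{4}-\d{2}-\d{2})")

# Constructed sample configuration with deliberate violations of the standard.
SAMPLE_CONFIG = """\
hostname lab-sw1
snmp-server community public RO
snmp-server community n3tm0n-ro RO MGMT-IN
ip http server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class MGMT-IN in
 transport input ssh
!
ip access-list standard MGMT-IN
 remark owner=netadmin sunset=2004-12-31 purpose=limit management to NOC subnet
 permit 192.0.2.0 0.0.0.255
ip access-list extended LAB-TEMP
 permit ip any any
"""


def parse_sections(text):
    """Group config lines into (header, [indented child lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(text, today=None):
    """Return a list of (rule_id, detail) findings.  'today' is an ISO date
    string used for sunset checks; it defaults to the current date."""
    today = date.fromisoformat(today) if today else date.today()
    sections = parse_sections(text)
    findings = []
    if "aaa new-model" not in (h for h, _ in sections):
        findings.append(("AAA-MISSING",
                         "no 'aaa new-model': logins use local passwords, not RADIUS/TACACS+"))
    for header, body in sections:
        words = header.split()
        if header in UNNEEDED_SERVICES:
            findings.append(("UNNEEDED-SERVICE", header))
        elif words[:2] == ["snmp-server", "community"]:
            community = words[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP-DEFAULT", f"community '{community}' is a vendor default"))
            if len(words) < 5:            # nothing after the RO/RW keyword: no ACL
                findings.append(("SNMP-NO-ACL", f"community '{community}' has no access list"))
        elif words[:2] == ["line", "vty"]:
            if not any(c.startswith("access-class ") for c in body):
                findings.append(("VTY-NO-ACL", f"'{header}' accepts logins from anywhere"))
            if "transport input ssh" not in body:
                findings.append(("VTY-CLEARTEXT", f"'{header}' is not restricted to SSH"))
        elif words[:2] == ["ip", "access-list"]:
            name = words[-1]
            remarks = " ".join(c for c in body if c.startswith("remark"))
            owner, sunset = OWNER_RE.search(remarks), SUNSET_RE.search(remarks)
            if not (owner and sunset):
                findings.append(("ACL-UNDOCUMENTED", f"ACL {name} has no owner/sunset remark"))
            elif date.fromisoformat(sunset.group(1)) < today:
                findings.append(("ACL-EXPIRED",
                                 f"ACL {name} sunset {sunset.group(1)} has passed (owner {owner.group(1)})"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_config(SAMPLE_CONFIG, today="2005-01-01"):
        print(f"{rule:17} {detail}")
```

Run against a configuration exported from the device (for example the output of "show running-config"), the script reports each violation with the rule it breaks; the sunset check is what turns the documentation requirement into something operational, since a filter whose sunset has passed is either stale or needs its owner to renew it. The checks are syntactic and vendor-specific by nature, so the service and keyword lists must be adapted to the equipment actually in use.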
Resources and Links: