ezproxycop-v0 2 - The University of Edinburgh

Use of The Information Services’ EZproxy Service
Code of Practice
Introduction
This code of practice is intended to support the Information Security Policy of the University and
should be read in conjunction with that policy:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations/security-policies/security-policy
This code of practice is also qualified by The University of Edinburgh computing regulations, found
at:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations
1. Code of Practice Version

Revision date: 14/09/2012
CoP version: 0.1
Template version: 1.4
Author: Colin Watt
Notes: Initial version
QA dates and process:
- 17/09/2012: Review by Liz Stevenson, L&C
- 18/09/2012: Review by David Anderson, ITI-Unix
- 14 Nov 2012: Accepted by the IT Security WP

Revision date: 20/10/2014
CoP version: 0.2
Template version: 1.4
Author: Colin Watt
Notes: Revised after Security Audit
QA dates and process:
- 12 Nov 2014: Review by Liz Stevenson, L&UC
- 13 Nov 2014: Review by David Anderson, ITI-Unix
- 20 Nov 2014: Submitted to IT Security WP
- 15 Dec 2014: Agreed by ITC Sec Working Gp

Suggested date for revision of the CoP:
- 01/09/13 (Author: Colin Watt)
- 01/07/2015

IS – L&UC EZproxy Code of Practice v0.2
2. System description

Revision date: 14/09/2012
System version: 5.4.1
Author: Colin Watt
Notes: Initial version

Revision date: 20/10/2014
System version: 5.4.1, 5.7.42
Author: Colin Watt
Notes: Revised

2.1 System name
EZproxy service.

2.2 Description of System
The EZproxy platform is a web proxy service that provides access to
restricted websites that require authentication by IP address, such as
electronic resources to which the library subscribes.
The service works by dynamically altering the URLs within the web
pages provided by the vendor of each protected resource. The server
names within the URLs of these web pages are changed to reflect the
EZproxy server instead, causing users to return to the EZproxy server
as they access links on those web pages.

2.3 Data
EZproxy does not store or pass on any high risk user data.
UUNs are stored in request logs.

2.4 Components
The EZproxy service is provided by a redundant pair of virtual servers,
behind the centrally managed load balancing service.

2.5 System owner
The service is managed by the Collections Development and Access
Section within the Library & University Collections division of
Information Services. The primary contact is Liz Stevenson.

2.6 User base
The EZproxy service provides valid university users with access to
restricted electronic resources via EASE (see EASE Code of Practice).

2.7 Criticality
High

2.8 Disaster recovery status
The EZproxy servers operate as a redundant pair, with separate
application server stacks installed on Virtual Machines at two distinct
sites. These operate behind the load balancing service as a live-live
pair, with traffic redirected if one fails. This process is well
documented by ITI and has been thoroughly tested.
3. User responsibilities

3.1 Data
There is no end-user access to the EZproxy servers.
No user data is stored on or passed to the EZproxy servers.

3.2 Usernames and passwords
There are administrative accounts for a small number of IS staff.
ITI-Unix staff have access at the operating system and application
level.
CDA staff have access to the application via an admin
interface.
There is no end-user access to the EZproxy servers.

3.3 Physical security
The EZproxy servers are installed on the centrally managed virtual
infrastructure within IS managed data centres.

3.4 Remote/mobile working
Administrative access to the EZproxy servers is limited to a subset of
the local University of Edinburgh networks. Remote admin access to
the servers must be through these local networks.

3.5 Downloads and removal of data from premises
The only data stored on EZproxy servers are session cookies, and
UUNs in request logs.

3.6 Authorisation and access control
A small number of IS staff within ITI-Unix have access to the EZproxy
server filesystem.
A small number of IS CDA staff have access to the
application config and the resource configuration list.
There is no end-user access to the EZproxy servers.

3.7 Competencies
ITI-Unix have several years' experience and knowledge managing load
balanced and virtual server platforms.
Library & University Collections staff have several years' knowledge
and experience coordinating and managing access to electronic
resources and in working with ITI to ensure these are made available
securely.
There is no end-user access to the EZproxy servers.
4. System Owner Responsibilities

4.1 Competencies
L&UC’s CDA Staff own the EZproxy Service. It is one of this team’s
primary functions to specialise in providing access to the library’s
online resources and ensure team members have sufficient knowledge
and understanding of the concepts, tools, processes, internal operation
and security of service to deliver and support an EZproxy service that is
highly tailored to the University’s needs.

4.2 Operations
Servers are updated with appropriate operating system upgrades as part
of the centrally managed service, to ensure the security of the servers
and to protect the resources they access.
Application upgrades are carried out by ITI-Unix in consultation with
the L&UC Collections Development and Access (CDA) section.
Access to the configuration is restricted to password-protected
administrator logins, to which only a small number of ITI-Unix staff
have access.

4.3 System documentation
Procedural documentation is held within the ITI-Unix section and
L&UC CDA wikis.
System documentation is kept up to date by the application vendor
(OCLC) and made available on their web site.

4.4 Segregation of Duties
- All operating system updates and security patches are carried out by
ITI-Unix
- All system backups are carried out by ITI-Unix
- All application upgrades are carried out by ITI-Unix
- All updates to target resources made available are made by
L&UC’s CDA section.

4.5 Security incidents
On discovery of a security incident the Electronic Resources Team
should be contacted via the team Unidesk queue, by logging with the
IS Helpline. The Electronic Resources Team will initially investigate
and will escalate as appropriate to the Incident Response Team and
ITI-Unix.
Any security incidents related to the EZproxy servers would be
referred to the IS IRT team, who would log the incident and aid with
investigation, escalating as appropriate to the ITI-Unix section head.

4.6 Fault/problem reporting
Faults and problem reporting related to end user services (e.g. electronic
journals) should be via the Electronic Resources team Unidesk queue,
by logging with the IS Helpline.

4.7 Systems development
All systems development is carried out by the application’s vendor,
OCLC.
5. System Management

5.1 User account management
User accounts are managed by ITI-Unix.

5.2 Access control
ITI-Unix staff have access to the EZproxy administrative logins.
A small number of L&UC CDA Section staff have access to the
web based administrative views.
A small number of L&UC CDA Section staff have access to the
resource configuration file.

5.3 Access monitoring
EASE logins are logged on a remote, independent system.
All other logins are logged locally.
Access to the EZproxy service is recorded via logs which are
monitored and investigated in the case of reported abuse of the service.

5.4 Change control
Changes are subject to L&UC Digital Library change
control procedures. Any major change to service would be agreed and
scheduled with the relevant stakeholder group
(stakeholders for resources impacted by major changes) and
communicated through the IS alerts system.
Standard configuration changes are managed via Unidesk.
[Comment [1], STEVENSON Elizabeth, 12/11/2014 12:08: Do we need this term, or should it be removed?]

5.5 Systems clock synchronisation
The systems clock is synchronised to UTC using the NTP protocol.

5.6 Network management
There are no IP or visibility restrictions to the EZproxy service,
however there are restrictions to the server backends so that they can
only be accessed from the eucsoffices and library VLANs.
The servers are protected by the central firewall.

5.7 Business continuity
The EZproxy servers operate as a fully redundant live-live pair behind
the load balancing service – this function has been rigorously tested
during acceptance.

5.8 Security Control
The EZproxy servers each run applications on:
- EZproxy port 80
- Secure EZproxy port 80 (different IP address on server)
- Admin interface port 2050
- SSH port 22
- SSL port 443
The load balancing service passes through SSL communications for
EZproxy sessions. The load balancing service handles SSL traffic for
EASE based authentication communications.
Secure EZproxy communicates with EZproxy privately on each server.
Admin and SSH access is restricted to a small number of IS staff.
6. Third Party

6.1 Outsourcing
N/A

6.2 Contracts and Agreements
N/A

6.3 Compliance with the university security policy
N/A

6.4 Personal data
N/A