Network and Security Policy

Network Security Policy
1. Asset Identification
a. Border router Cayman, Pix firewall 515e, Access Control Server, VPN
concentrator, Switch catalyst 3550s, Cisco Access Point AP 350, Hub
b. DMZ Windows2003 web-server, Windows 2003 file server.
c. Pascal Linux Server, Alpha Linux Server, Galileo Windows2003 Server,
Einstein Linux Server.
d. 5 student MS Windows workstations in D140 and MS Windows
workstations in prototype network.
e. 30 student workstations in D158.
f. Configuration files of network equipment.
g. Administrator information such as usernames and passwords for servers and
network equipment.
h. Student accounts.
i. Project documents in file server.
j. Data in student workstations.
k. Internet connectivity for web server, VPN server, Honeypots system and
student workstations.
l. Network connectivity for students.
2. Threat Assessment
a. External threats:
i. Unauthorized access to network resources or information
1. Unauthorized access to network equipment such as
routers, PIX, ACS, VPN server, Firewall and switches.
2. Unauthorized access to servers such as the Web and FTP servers in
the DMZ.
3. Unauthorized access to other MS Windows 2003 servers
and Linux servers.
4. Unauthorized access to student workstations.
ii. Unauthorized manipulation and alteration of information on the
network
1. Malicious code threats including computer viruses, worms,
adware.
2. Password, data sneaker.
3. Emails containing viruses.
iii. Denial of Service (Smurf, SYN attack, Distributed DoS, etc.)
1. Denial of service to internet connectivity.
2. Denial of service to network connectivity.
3. Denial of service of data server.
4. Denial of service of DMZ web-server.
5. Denial of service of other Servers.
b. Internal threats:
i. Unauthorized access to network resources or information
1. Unauthorized access to the Internet.
ii. Unauthorized manipulation and alteration of information on the
network
1. Attacks may spill out of the DCSL network.
2. Emails containing viruses (we do not support our own email
server).
3. Removable media: floppy diskettes, CD-ROM, USB disks, etc.
iii. Denial of Service (Smurf, SYN attack, Distributed DoS, etc.)
3. Risk Assessment
The main purpose of DCSL is education, so servers and network equipment must be
up most of the time for professors to conduct teaching and for students to
practice and work on projects. The availability of the network is given top
priority. However, the database, project documents, admin passwords, and
configuration files also need confidentiality.
The file server needs confidentiality and data integrity. All the research
documents and research results, work planning, and work logging are also stored
on this server. In the context of competition, this server needs the highest
confidentiality service.
The DMZ web server needs data integrity. The web server is mainly used for
dissemination purposes.
Table 1 is the result of assigning risk ratings to the various assets identified
in section 1. The rating goes from 1 (least important) to 5 (most important).
Assets                          Confidentiality  Integrity  Availability
Border router                   4                3          4
VPN server                      4                4          5
PIX firewall                    4                4          5
ACS                             5                5          5
Switches                        3                4          5
DMZ web server                  3                4          4
Windows2003 File server         3                4          5
Linux servers                   3                3          3
Windows2003 Galileo AD server   4                4          5
Honeypot system                 4                4          5
Internet connectivity           3                3          4
Student project server          4                4          4
Administrator Information       5                5          5
Student account information     5                4          5
Data in student workstation     4                4          3
LAN connectivity                4                4          5
Table 1. Critical Asset Risk Rating for DCSL
4. Security Policy
a. Accountability Policy
All users (students) are accountable for their behaviors that result in network
security concerns. It is the responsibility of all users to be familiar with the
guidelines for using the services offered through the DCSL network. It is also
the responsibility of every user to report suspected inappropriate use or
malicious activity on the network to the system administrator.
b. Acceptable Usage Policy
DCSL network is available for use by users anytime of the day and night for
the sole purpose of study. Using network resources for any function over and
above that is prohibited.
c. General Access Policy
Access will be strictly restricted. Access will be allowed by assuming that
ALL ACCESS IS DENIED UNLESS SPECIFICALLY REQUIRED.
Access to network resources is given on demand. Information assets are
protected by giving access to specific groups and denying access to all others.
The changes in access including increasing or decreasing privileges need
approval from the manager of the LAB.
Wireless users or VPN clients must have approval before accessing the resources
of the LAB. Once connected, a wireless user or VPN client will have equal rights
as a local user of the LAB network.
It is the responsibility of the remote users or VPN users to ensure their
equipment is not used by unauthorized persons to access the network
resources.
d. Internet Access Policy:
There are two types of ‘Internet access’: (i) type 1 - users using the Internet to
access the assets in the DCSL network; (ii) type 2 - users using the computers
in the DCSL network to access the Internet.
Type 1 access should be available all the time for administrative and studying
purposes.
Internet connection is used for VPN client to connect to the Lab network.
Internet connection is used for external access to DMZ web server.
Type 2 access should be available for HTTP traffic of student workstation.
e. DMZ web-server, FTP server Access policy:
DMZ web-server is open to public. It has two areas: public area and private
area.
Normal external users are encouraged to access the web-server public area for
advertised information on education and security services.
Access to private area is restricted to authorized users only.
FTP is only for authorized users to upload/download files or update web
pages.
f. Authentication Policy:
All access to the network requires authentication and will be logged for
auditing and accounting purposes.
Wireless and VPN users must go through 2 layers of authentication:
first the user will be authenticated by the access server, and second by the
individual resources on the network.
Authentication is carried out using the Access Control Server. This server must
be protected against attacks and intrusions from both inside and outside the
network.
g. Availability Statement:
The network is ready to use all the time, but there will be outages for various
reasons such as system updates, upgrades, installing new equipment,
troubleshooting, and implementing new security rules. The availability of the
network is the highest priority.
h. Information Technology Systems and Network Maintenance Policy
All network equipment is managed by an administrator appointed by the Lab
manager – faculty staff.
Remote administration is allowed, but the connection must first be authenticated
with the access server and then encrypted.
All administration sessions, both inside and outside, must be encrypted.
i. Violations and Security Incident Reporting and Handling Policy
Documented processes must be set up to identify when intrusions and network
attacks happen.
The following steps need to be set up for incident reporting and handling:
- A process must be invoked to inform the administrator when attacks happen.
- A process needs to be set up to identify all the information needed to track
  the attack and record it for later prosecution.
- A process must be in place to trace the attack in order to identify all
  vulnerabilities of the system so that future attacks can be avoided.
j. Supporting Information
The LAB manager has ultimate responsibility for the security policy.
The following table defines the responsibilities of the people who are involved
in LAB management.
Title: LAB manager
Role: Defining and maintaining overall LAB security policy
Responsibility:
- Main contact for changes to security policy
- Responsible for final approval of new network implementation that will
  affect network security
- Responsible for cross-faculty communication on security issues
- Administrative control over staff directly responsible for network security
- Main architect of network design and network security

Title: Network administrator
Role: Managing the daily operation of the LAB network
Responsibility:
- Ensure the security is followed in all network implementation
- Involved in the design of network and network security
- Main contact for all network incidents
- Settle all the network troubles and attacks

Title: Secondary administrator
Role: Assisting network administrator in network administration
Responsibility:
- Take the role of network administrator when main administrator is not
  available
- Involved in all network implementation

Table 2. Roles and Responsibilities