Minimum Standards for Connecting to the UCLA Network

Size: px

Start display at page:

Download "Minimum Standards for Connecting to the UCLA Network"

Charlene McKinney
5 years ago
Views:

1 Minimum Standards for Connecting to the UCLA Network Last April, the CSG approved a set of minimum standards for connecting to the UCLA network that were based on a policy that had been developed by Berkeley. Since then, there have been lessons learned from SB1386 incidents both here at UCLA and also, in particular, the October SB1386 incident at Berkeley; also, similar policies are now in place at UC San Diego, UC Davis and UC Office of the President. At the time, the next step was to return to the ITPB with the standards in UCLA policy format. However, we are first proposing revisions reflecting SB1386 lessons learned, updated campus security needs and new policies of our sister campuses. Simultaneously, we are proposing an implementation timeline and an enforcement strategy. Proposed revisions to April 2004 CSG-approved standards A full comparison of the wording from April 2004 and the proposed revisions are attached. Changes have been highlighted. A summary of content changes from the April version: 1) Software patch updates Now applies to all devices, not just desktop computers. 2) Antivirus No content changes. 3) Host based firewall A new standard (for UCLA) that requires systems with a native firewall to have the firewall enabled. 4) Passwords Implement full Berkeley password complexity standards, excluding the requirement eight-character minimum, resulting in additional requirements for passwords. 5) Unencrypted authentication This is a new standard (for UCLA). The UCLA document was modified from the Berkeley standard to add the possibility to use secure authentication such as MD-5 or pass-cards recognizing that secure authentication may not depend upon encryption. Also the UCLA version dropped specifically replacing insecure services such as FTP recognizing that those protocols may be useful in situations where servers are supplying public information or data. 6) No unauthenticated relays Has been revised to recognize that authorized users may not be local and that machine-to-machine authentication provides adequate security in certain situations. 7) No unauthenticated proxy servers Relaxes the prohibition on unauthenticated proxy servers by allowing CTS review for exceptions. 8) Physical security This is a new standard (for UCLA) from Berkeley s policy. 9) Unnecessary services This is a new standard (for UCLA) from Berkeley s policy. 10) Exceptions clause Devices that may be unable to meet these standards but may be in common use and for which there are well-known alternate security arrangements (e.g., for printers with embedded web services, clusters, etc.) are recognized. Connectivity for visitors and others outside the UCLA community has been reworded for greater clarity. CSG February 22, 2005 Page 1 of 7

2 11) Departmental network devices This section has been removed as it refers to best practices rather than standards. Proposed implementation timeline All new equipment purchases/acquisitions shall immediately meet these minimum standards in order to connect to the campus network. All devices shall meet these minimum standards by October 1, Proposed enforcement (following full implementation) Systems may connect to the campus network only if they meet the minimum standards. If a system is causing disruption and does not meet the minimum standards, it will be disconnected from the campus network and not reconnected until both the cause of the disruptive behavior is addressed and the minimum standards are met. Systems containing personal information as defined by SB1386 shall follow UCLA Policy 420. If a connected system is found not to meet the minimum standards (e.g., during the course of a scan), it may be disconnected, and will not be reconnected until the minimum standards are met. Systems containing personal, sensitive or confidential data in this situation will be disconnected, and will not be reconnected until the minimum standards are met. CSG February 22, 2005 Page 2 of 7

3 CSG-approved UCLA Minimum Standards (April 2004): General Statement: Each device that connects to a network must meet minimum security standards. Standards must be reasonable and flexible to balance the requirements of people who use the network to conduct their duties with the responsibilities of those who protect the network and the devices connected to it. Standards must be broadly communicated, easily adaptable and widely accepted as reasonable. (Excerpted from the UCLA Security Resolutions document adopted by the ITPB March 2004.) 1.Software patch updates Campus owned desktops under management by IT departments shall keep the computers up-to-date and patched to the level of critical security patches. 2. Anti-virus software UCLA licenses, antivirus software for the UCLA campus. All members of the UCLA community shall install, activate and keep up-to-date antivirus software on all vulnerable computers including servers, gateways, desktop computers, laptop computers and home computers connecting to UCLA networks. While some systems may be immune from the effects of a virus, system administrators should recognize that each system can still send or transmit a virus to unsuspecting users. If a system cannot support anti-virus software or if the user has other methods of achieving the same level of anti-virus protection, alternative methods of protection are acceptable as an exception. Proposed final UCLA Minimum Standards: Each device that connects to a network must meet minimum security standards. Standards must be reasonable and flexible to balance the requirements of people who use the network to conduct their duties with the responsibilities of those who protect the network and the devices connected to it. Standards must be broadly communicated, easily adaptable and widely accepted as reasonable. (Excerpted from the UCLA Security Resolutions document adopted by the ITPB March 2004.) 1. Software patch updates Campus networked devices must run software for which security patches are made available in a timely fashion. They also must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications. 2. Anti-virus software Anti-virus software for any particular type of operating system currently listed on the Campus software distribution website must be running and up-to-date on every level of device, including clients, file servers, mail servers, and other types of campus networked devices. Exceptions may be made for anti-virus software that compromises the usability of critical applications. 3. Host-based firewall software 3. Host-Based firewall software Any computer system with a native firewall included in the operating Page 3 of 7 2/15/2005

4 system must be activated and configured. Exceptions may be made for firewall software that compromises the usability of critical applications. 4. Passwords UCLA campus information service providers must have a suitable process for authorizing any use of information services under their control. No campus electronic communications service user accounts shall exist without passwords or other secure authentication system, e.g. biometrics, Smart Cards. These measures must meet minimum complexity requirements: Contain at least eight characters, contain digits and punctuation characters as well as letters and not be a dictionary word. All default passwords for network-accessible device accounts must be modified. Passwords used for privileged access must not be the same as those used for non-privileged access. 4. Passwords Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g., digital certificates, biometrics or Smart Cards). When passwords are used, they must meet the Minimum Password Complexity Standards. In addition, shared-access systems must enforce these standards whenever possible and appropriate and require that users change any pre-assigned passwords immediately upon initial access to the account. All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device. 5. No unencrypted authentication 5. No unencrypted authentication Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the Campus Network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use encrypted authentication mechanisms or use secure authentication mechanisms for example MD-5. Page 4 of 7 2/15/2005

5 6. No unauthenticated relays Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay messages, i.e., to process an message where neither the sender nor the recipient is a local user. Before transmitting to a non-local address, the sender must authenticate with the SMTP service. Unless an unauthenticated relay service has been reviewed by CTS and approved as to configuration and appropriate use, it may not operate on the campus network. 6. No unauthenticated relays Campus devices must not provide an active SMTP service that allows unauthorized parties to relay messages. Before transmitting to a non-local address, the sender must authenticate with the SMTP service. Unless an unauthenticated relay service has been reviewed by CTS as to configuration and appropriate use, it may not operate on the Campus Network. 7. No unauthenticated proxy services Although properly configured proxy servers may be used for valid purposes, non-authenticated services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Unauthenticated proxy servers are not allowed on the UCLA network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services. For more information on the types of software typically used for proxy services see: 8. Physical security. 7. No unauthenticated proxy services Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless an unauthenticated proxy server has been reviewed by CTS as to configuration and appropriate use, it is not allowed on the campus network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services. 8. Physical security Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to reauthenticate if left unattended for more than 20 minutes. 9. Unnecessary services 9. Unnecessary services Page 5 of 7 2/15/2005

6 If a service is not necessary for the intended purpose or operation of the device, that service shall not be running. 10) Exception Anyone who wishes to connect to the UCLA network, but cannot meet minimum connectivity standards, may demonstrate to the NC or IT dept. head, they can achieve the same goals as set out in the minimum connectivity standards using other means of security. Computers that are not institutionally owned or not part of the UCLA community such as visiting scholars represent an exception to these minimum standards and unit service providers may take necessary steps to secure departmental networks while allowing outside users. 11) Departmental network devices All campus connectivity points (where organizations connect with the Campus backbone) will be maintained with the most reasonably current functional recommended up-to date versions of operating systems and the security practices as defined by a best practices document updated according to changing technology and approved by CSG. Connectivity points will function as chokes or governors for securing campus traffic while introducing the least level of latency or brittleness. Network devices connecting to the campus backbone should be monitored for at a minimum, flow statistics. Departments must have the ability to identify sources of traffic and have the ability to control the flow of traffic from specific sources or disconnect specific sources. 10) Exception A device that cannot meet these minimum standards may still be connected to the Campus Network if (a) an alternate method of providing equal or greater security is documented in writing and (b) this alternate method is approved by the Connectivity Service Provider. Approved exceptions will be filed with CTS. Recognizing that some devices that cannot meet these standards may be relatively commonplace (e.g., printers with built-in web servers, grid computers, etc.), standard exceptions may be granted for these devices. Where there is a need to provide connectivity for visitors, outside scholars and conference attendees, unit service providers must take necessary steps to secure departmental networks while allowing outside users to access appropriate network resources. Dropped: Page 6 of 7 2/15/2005

7 Minimum Password Complexity Standards: All passwords employed to authorize access to Campus electronic communications systems or services must meet the following standards: The password MUST: Contain characters from at least two of the following three character classes: Alphabetic (e.g.: a-z, A-Z) Numeric (i.e. 0-9) Punctuation and other characters ~-=\`{}[]:";'<>?,./) The password MUST NOT be: A derivative of the username. A word found in a dictionary (English or foreign). Names of family, pets, friends, or co-workers. Computer terms and names, commands, sites, companies, hardware, or software. Birthdays or other personal information such as addresses or phone numbers. A set of characters in alphabetic or numeric order (e.g. abcdef), in a row on a keyboard (e.g. qwerty), or in a simple pattern (e.g ). Any of the above spelled backwards. Any of the above preceded or followed by a digit (e.g., qwerty1, 1qwerty) Your bank account pin. Page 7 of 7 2/15/2005

IMPLEMENTATION POLICY AND PROCEDURES FOR SECURING NETWORKED DEVICES

IMPLEMENTATION POLICY AND PROCEDURES FOR SECURING NETWORKED DEVICES UNIVERSITY OF CALIFORNIA, BERKELEY BERKELEY DAVIS IRVINE LOS ANGELES RIVERSIDE SAN DIEGO SAN FRANCISCO SANTA BARBARA SANTA CRUZ ECONOMETRICS LABORATORY Institute of Business and Economic Research ECONOMETRICS