Information Services IT Security Policies L. Network Management

Transcription

1 Information Services IT Security Policies L. Network Management Version 1.1 Last updated: 11th August 2010 Approved by Directorate: 2nd July 2009 Review date: 1st August 2011 Primary owner of security policy: Eoin Dunne Location on web: Table of Contents 1. Introduction Network configuration Controlling access Physical security and integrity Controls addressed in this document

2 1. Introduction The DIT network consists of an interconnection of more than 10,000 networked devices. These include computers, printers and other networking equipment. The Institute depends heavily upon its IT network for research, teaching and administrative activities. It is essential that the stability, integrity and security of the DIT network be safeguarded. This policy defines the Institute regulations regarding management of the DIT network. 1.1 Network management roles and responsibilities The Chief Information Officer (CIO) will have authority to develop, implement and enforce information security policy. The integrity of the DIT network, including the backbone, is the responsibility of Information Services. In order to fulfil this goal, the network service will have an IT Chief Technology Officer who should be assigned responsibility for ensuring the DIT network is appropriately designed, configured and managed in accordance with the business needs of the Institute All users have a responsibility to report promptly to Information Services any incidents which may have security significance to the Institute. 1.2 Background to this document This policy and other associated IT security policies form part of the Institute s IS organisational security policies. The Institute has adopted the UCISA Information Security Toolkit as the framework for its Information security policies. The toolkit draws heavily on the British Standard BS 7799 which was also the main source of the international standard ISO The tool kit comprises sixteen sections, of which this corresponds to Section L. The Institute will have a policy for each section adapted to its needs. Each policy will also refer to associated procedures and guidance notes that are relevant to the policy. 1.3 Intended audience This document is intended to be read by those Institute staff responsible for the management of the DIT network. 2

3 2. Network configuration The DIT network shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. To provide this, the following measures should be considered: The network must be designed and configured to deliver high performance and reliability to meet the Institute s needs whilst providing a high degree of access control and a range of privilege restrictions An appropriately configured firewall shall be used to protect the network supporting the Institute s business systems 2.1 Connection to the DIT network All equipment connected to the DIT network must conform to the appropriate standards as set by Information Services and run only across the backbone using the supported protocols. Only Information Services or authorised Faculty IT support may connect devices to the DIT network. An exception to this is where Institute staff may connect portable Institute-owned devices to an preassigned data point Connection of wireless equipment Information Services are responsible for providing a secure and reliable campus network to support the mission of the Institute. Under this broad responsibility, the following wireless policies apply: All wireless access points shall be deployed and managed by Information Services. The IT Chief Technology Officer shall have authority to remove any unauthorised devices from the DIT network. Wireless areas are the only locations where users may attached their personally owned devices. Such access is covered by the regulations governing the use of computer resources. Installation of wireless access points for research purposes must be authorised in advance by the IT Chief Technology Officer Connection of servers The connection and use of a computer running a server operating system software or otherwise functioning as a server must be authorised by Information Services. All Servers must have a defined administrator who is responsible for: Server administration and maintenance Server security including but not limited to data backup, access control, operating system and application updates and security patches 3

4 Information Services reserves the right to bar access to servers containing material considered illegal or likely to bring the Institute into disrepute. The Institute also reserves the right to take disciplinary action in these circumstances. In the event that a server, or other device, is causing an unacceptable level of interference with the operation of the DIT network, Information Services reserve the right to disconnect the server from the network. 2.3 Segregation in networks Groups of users and information systems shall be segregated on separate logical networks. This should be done by configuring a number of Virtual Local Area Networks (VLANs) which are designed and deployed for security and performance reasons. VLANs commonly provided include but are not limited to: Data centres/server rooms Staff rooms Student labs/classrooms Wireless networks Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. An updated list of VLANs in use will be maintained and reviewed regularly. Also, all network addresses; including IP addresses, must be allocated and administered by Information Services. Physical and logical access to diagnostic and configuration ports on network equipment shall be controlled. Moves, changes and other reconfigurations of users network access points will only be carried out by staff authorised by Information Services according to procedures laid down by them. 2.3 Change control procedures The implementation of new or upgraded software or firmware must be carefully planned and managed. Formal change control procedures, with audit trails, shall be used for all changes to critical systems or network components. All changes must be properly tested and authorised before moving to the live environment. 3. Controlling access 3.1 Policy on use of network services Procedures shall be established for all network services to ensure that access rights for users are adjusted appropriately, and in a timely manner, whenever there is a change in business need, staff change their role, or staff or students leave the Institute. All access rights should be reviewed at regular intervals. Access to all network services shall use a secure login process and access to the Institute s business applications shall also be limited by time of day or by the location of the initiating terminal or both. 4

5 Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. Where such connections directly impede the service to the rest of the Institute, Information Services reserve the right to block the connection without prior warning. The designated administrator for such equipment must rectify any threats to Institute security before the connection can be re-established 3.2 User management for external connections External connections are connections to devices and services within the Institute from devices outside of DIT. This is commonly known as remote access and includes but is not limited to: Virtual Private Network (VPN) connections Connections directly across the Internet VPN connections are the recommended approach for DIT staff and third parties requiring remote access. Information Services are the sole providers of the Institute s VPN service. The service is intended for use on DIT computers only. It must be used from secure private locations and not from public locations such as Internet cafes. All connections via the VPN service will be logged. No other remote access service shall be installed or set up, including single modems connected to servers or workstations. Any active dial-in services found to be in existence will be removed from the network. For direct connections, the policy is default deny. Connections to devices and services within DIT from external devices will be not be allowed unless they have first been approved by Information Services. Requests must be signed by the line manager of the requestor and will be examined by the Network & Systems team to ascertain if the change poses any risk to integrity of the DIT network. Approval will be based on the following criteria: The connection is required for DIT business. The connection does not represent an unnecessary security risk to DIT. The connection does not use an insecure protocol where a more secure alternative exists. The connection does not involve unnecessary replication of functionality. The cost of implementing the exception is proportional to the benefit to DIT. Remote connections to any campus IT services are subject to the same rules and regulations, policies and practices just as if the users were physically on the campus. All DIT staff and external third parties who need remote access to DIT computing resources will be dealt with on an individual basis. Requests for access to specific applications will need to follow the procedures outlined in the User Access Setup and Review of User Accounts section in the A. Information Security policy. For further information please refer to the following documents: Staff VPN Support Agreement Acceptable usage policy for staff and students Internet usage policy 5

6 Remote access policy DIT Password Policy Declaration of Agreement to Comply with Internet Usage Firewall change request form 4. Physical security and integrity 4.1 Protecting against external and environmental threats Networking and communications facilities, including wiring closets, data centres and computer rooms, must have good physical security. These facilities should be housed in a secure areas, protected by a physical security perimeter with appropriate access control and hazard reduction mechanisms in place. To reduce the risk of services being disrupted, the following measures must be considered: Where possible, key facilities should be sited away from areas of public access or direct approach by public vehicles The facilities should also be in areas where there is a reduced risk of fire, flood, explosion and damage from neighbouring activities or natural disasters There should be no obvious signs identifying the presence of network equipment. Hazardous or combustible materials should not be stored within equipment rooms. Appropriate safety equipment should be installed, such as heat and smoke detectors with a procedure in place to monitor alerts Fire protection measures such as self closing fire resistant doors should be in place Any fire extinguishing equipment must be of the correct type and suitably located Doors should be locked when unattended. External protection should be considered if there are windows. The facility has to be periodically checked for hazards and unnecessary items must be removed. Unprotected diagnostic ports, out-of-band management ports and in-band access to diagnostic and management services (e.g. SNMP or web interfaces on routers) might all provide a means of unauthorised access. Where Institute staff require access to the networking and communications facilities, the following guidelines must be considered: Access to the secured area shall be limited to authorized personnel only and should be issued in accordance with formal procedures Personnel must be trained in emergency evacuation procedures and in the use of fire extinguishers 6

7 Access to ports on network equipment should be protected by appropriate security mechanism (e.g. a key lock, secure login, dial-back or limiting the locations that can gain access) Access to the secured area should be controlled by advanced locks (i.e. key pads, swipe cards) and periodically reviewed, to ensure that only appropriate individuals are allowed access Access must be revoked promptly when no longer needed (e.g. when authorized individuals change jobs). A policy prohibiting consumption of food and drink must be strictly enforced When access to secure areas is required by third parties, Institute staff are required to adhere to the standard operating procedure for the Management of Contractors issued by the Buildings Office. They should also bring it to the attention of the third party. In addition to the above, the following measures should also be applied: Visitors and third parties have to be supervised at all times. Visitors and third parties should wear visible means of identification. Employees have to be encouraged to challenge unescorted strangers or personnel with no visible identity For further information on measures to protect networking and communications facilities, please refer to the following policy documents: Physical and environmental security Server room access 4.2 Equipment siting and protection Networking and communications equipment outside of the secure areas such as wireless equipment also need protection from unauthorised access. The following security measures can be applied to reduce these risks: Wireless aerials should be positioned so that they are out of physical reach, and can be maintained only by authorised personnel. Power and network connections to the wireless units should be adequately protected. Wireless aerial power levels should be reduced to prevent the signal being broadcast beyond designated areas, while still providing coverage. Network and user access controls should be used to reduce the risk of the wireless network being used for unauthorised purposes. Wired network switches should be located in locked cabinets with access restricted to authorised personnel 7

8 Access to network equipment located on building roofs must first be approved by the IT Chief Technology Officer 4.3 Supporting utilities To reduce the risk of services being disrupted, supporting equipment such as climate control units and uninterruptible power supplies (UPS) should be correctly maintained to ensure the continued availability and integrity of critical networking and communications equipment The power supply to critical computer and communications equipment must be protected by UPS devices and backup generators, where necessary, to provide an alternative source of power in the event of extended power failure The installation of supporting equipment must be conducted by a qualified contractor certified to the appropriate Irish Standards Electrical equipment should have a clearly marked emergency power off button protected from accidental activation. The temperature and humidity of equipment and cabling rooms will be monitored and controlled. Air quality, lighting, temperature and humidity must be regulated in compliance with applicable Health and Safely legislation. 4.4 Cabling security Cables carrying data or supporting information services require protection from interception or damage. Cabling within buildings should be protected, by using conduit or by avoiding routes through public areas, and cables between buildings should be underground where possible (or subject to adequate alternative protection). Where cables form part of a loop, consideration should be given to using separate routes in order to reduce loss in the event of damage. Cabling in public areas (e.g. to wireless units) should be unobtrusive and out of physical reach Information Services must be informed of any proposed physical re-organisation to the network. This includes requests for extra cabling. All requests for physical connections to the DIT network backbone must be directed to the IS Support desk. Cabling must be installed to the requirements listed in the following documents so that Information Services are in a position to ensure the current and future delivery of the network service and satisfy quality and performance objectives. For further information on cabling standards, please refer to the following policy: Technical Cabling Standards Policy Cabling in wiring centres The cabling used in major server rooms and wiring centres should be reviewed on an annual basis to ensure that critical equipment remains accessible and to reduce the risk of hot spots from air vents 8

9 being blocked by inappropriate patching. During a cabling review, the following should be considered: Cabling to inactive ports on switches should be removed Cables should be of the correct length for patching between devices and patch panels Labelling of cables for critical devices should be applied Damaged cables or cables of the incorrect colour should be replaced Doors for cabling cabinets should remain closed and locked when not in use In addition to the above, a log book should be provided for each major server room and wiring centre so that events can be recorded along with any remedial action taken 4.5 Equipment maintenance Equipment should be correctly maintained to ensure its continued availability and integrity and servicing should only be performed by authorised personnel. Additional controls might include: Supporting equipment (e.g. UPS, back-up generators, climate control) should be tested and serviced in accordance with manufacturers' recommendations Measures should be taken to protect against dust if there is an excessive amount The air flow of climate control equipment must not be impeded by the incorrect placement of equipment (e.g. leaving servers out of their racks) A record of all faults or suspected faults should be kept in a log book 5. Controls addressed in this document Standard Objective no. Description BS 7799 / ISO Allocation of information security responsibilities BS 7799 / ISO Protecting against external and environmental threats BS 7799 / ISO Equipment siting and protection BS 7799 / ISO Supporting utilities BS 7799 / ISO Cabling security BS 7799 / ISO Equipment maintenance BS 7799 / ISO Network controls BS 7799 / ISO Security of network services BS 7799 / ISO Policy on use of network services BS 7799 / ISO User authentication for external connections 9

10 BS 7799 / ISO Equipment identification in networks BS 7799 / ISO Remote diagnostic and configuration port protection BS 7799 / ISO Segregation in networks BS 7799 / ISO Network connection control BS 7799 / ISO Network routing control BS 7799 / ISO Change control procedures 10