
Internal Network Architecture Security Practices

University Technology Services - Network Communications Team


Scope:
This document describes the Oakland University Internal Network Architecture Security Practices. These practices are carried out in accordance with the following policies:

Where these practices relate to the user community, violation will result in the loss of network access and other sanctions as provided in the policies.

Administration Practices:

  • Network configuration changes are defined as:
    • A verified, approved, or common business process (e.g. changing port VLANs, activating or de-activating a network port);
    • An architectural change documented, announced, and installed during a maintenance window; or
    • A configuration management project item recorded in Change Management.
  • All changes are documented using the appropriate UTS documentation method (e.g. Footprints ticketing system, the Network Operations Manual, the UTS file share).
  • Documentation (e.g. Visio diagrams, spreadsheets, inventory management, or an IP address management system) is kept for network and configuration data, including the IP numbering schema, current configurations, MAC addresses, user identification, and device locations. This information is kept electronically and is backed up regularly. The record reflects all moves, adds, changes, and deletions of equipment on the network.
  • Logs from all switching and routing gear are sent to a UTS logging server for follow-up on operational and security incidents. The logging guidelines are in Policy #880, Systems Administration Responsibilities.
  • A software/hardware support contract, warranty, or similar arrangement with the network equipment vendor is maintained over the entire life of the equipment so that security and other software problems can be addressed and software upgrades obtained. If such an agreement can no longer be maintained, the equipment is prioritized for replacement.
  • Security patches are applied on a regular basis through an established mechanism for tracking and installing security patches and software upgrades.
  • The network infrastructure is periodically scanned and tested (e.g. quarterly, annually or after significant changes depending upon equipment type).
  • Physical access to network devices is restricted. Network equipment locations are accessible only to authorized personnel both during and after normal business hours. These physical locations are secured (lock, card key, etc.) to prevent unauthorized entry to the University network.
  • All network equipment configurations are backed up on a regular cycle (e.g. daily or weekly), with a backup copy periodically stored off-site.
  • Printed or working copies of router or switch configurations are destroyed or disposed of in secure recycling bins once their intended purpose is complete.
  • Management functions are reachable only over strongly authenticated access paths. NO PASSWORDS remain as shipped from the manufacturer; every default password is changed. Credentials are periodically reviewed and rotated (e.g. when employees leave), or centralized authentication such as RADIUS or TACACS is used instead of local passwords.
  • Services not needed on network hardware are disabled (e.g. embedded web server, FTP, and SNMP where it is not required). Remaining services are configured with strong passwords. SNMP community strings are the equivalent of passwords and are changed from the vendor-provided defaults. Access control lists limit access to the services that are needed.
  • Management access is restricted to the necessary Internet and university network locations. Filters, access lists, or firewalls limit access to the management interface and the services available on the device. The recommended configuration is to connect either locally or through a bastion host using SSH.
  • All management-interface and traffic access lists are documented, stating the intent of the filter, its sunset date/time, and who initiated it.
  • Router and switch configurations are built and periodically reviewed for risk against external best-practice sources for security requirements (e.g. SANS, CERT, equipment manufacturers).
  • Network systems administration is performed in compliance with the following Oakland University policies:
  • More detailed configuration requirements and recommendations may be periodically published by UTS to help ensure security and operational continuity.
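The following is an added illustration of the management-access, service, SNMP, access-list, and logging practices above, written in Cisco IOS configuration syntax; it is not a configuration published by UTS. The hostname, IP addresses, ACL number, TACACS server, and the placeholder secrets are assumptions for the example and should be replaced with site values. The first block shows the kind of as-shipped settings the practices prohibit; the second shows a hardened equivalent.

```text
! --- Weak / as-shipped style settings (illustrative, NOT to be deployed) ---
! snmp-server community public RO
! snmp-server community private RW
! ip http server
! line vty 0 4
!  password cisco
!  transport input telnet

! --- Hardened equivalent (example; addresses and names are assumed) ---
hostname oak-core-1
! Remove services the device does not need
no ip http server
no ip http secure-server
no ip finger
no service tcp-small-servers
no service udp-small-servers
! Document the filter: who added it, when, and when it is due for review (sunset)
access-list 10 remark Mgmt hosts only - added by NetComm 2024-01-15, review by 2025-01-15
access-list 10 permit 10.10.1.10
access-list 10 permit 10.10.1.11
access-list 10 deny   any log
! SNMP: drop default communities, use a strong read-only string bound to the ACL
no snmp-server community public
no snmp-server community private
snmp-server community <strong-random-string> RO 10
! Management only over SSH version 2, authenticated centrally via TACACS
ip domain-name oakland.edu
crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
tacacs server mgmt-tacacs
 address ipv4 10.10.1.20
 key <shared-secret>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Local fallback account with a non-default secret, used only if TACACS is unreachable
username netadmin-fallback privilege 15 secret <strong-local-fallback>
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
! Ship logs to the UTS logging server (Policy #880) with usable timestamps
service timestamps log datetime msec localtime show-timezone
logging buffered 64000
logging host 10.10.1.30
logging trap informational
```

The access-class on the VTY lines and the ACL bound to the SNMP community are what enforce the "bastion or local only" rule; the remark line carries the initiator and sunset information the documentation practice requires, so it travels with the configuration backup.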

Design Practices

  • Network hardware is standardized in each campus location following cyclical upgrade plans.
  • Network hardware, including but not limited to switches, wireless access points, and hubs, is not permitted to be attached to the network without prior written authorization from UTS. The network is periodically scanned or monitored for rogue devices. Any unauthorized device will be removed from the network.
  • Devices in scope for PCI (payment card) requirements:
    • are attached to the network by a physical (wired) connection rather than wireless, at a connection point approved by UTS;
    • require firewall segmentation from wireless and other less secure networks, and may use address ranges that are not reachable from other network clients or the Internet.
  • Local network servers or other devices offering DNS, DHCP, or other infrastructure services that conflict with those provided by UTS are not permitted.
  • Only one computer or network device may be attached to a network jack/outlet without prior written authorization from UTS.
  • Network registration and authentication systems are in operation that associate user IDs, hardware clients, and IP addresses. Attempting to bypass or circumvent these systems is prohibited.


For further help, please email [email protected], visit us at 202 Kresge Library or call (248)370-4357 Monday-Friday, 8 am - 5 pm.