
Network Infrastructure Security Model

Version: 1.0
Status: Approved; 04/20/05
Contact: Charles N. Ponton

PURPOSE

Network and data security are two of the leading challenges for IT administrators in higher education. This is due in part to the need to collect highly sensitive information regarding students, faculty, and staff, as well as stiff resistance to implementing an effective security policy. This model establishes the basic framework for building an effective plan to secure the local campus network infrastructure, including the local area network and supported information systems.

SCOPE

This model covers the campus or location network infrastructure, which includes the Internet connection, local network equipment, servers, desktop computers, wireless access points, and all supported information systems.

APPLICABILITY

This standard applies to the twenty-three community colleges, the System Office, and all VCCS ITS Enterprise Services locations.

DEFINITION

MODEL

The Information Technology Services (ITS) office has been engaged in determining and developing security guidelines that will provide direction and a framework for VCCS colleges to effectively secure their local network infrastructure and information systems. The network backbone and Internet connectivity are provided by Network.Virginia, and each individual campus has a separate DS3 connection to the network. This design has created 44 separate networks. Each college network infrastructure is independent of the others, which presents some difficulty with respect to security.

A campus may vary with regard to network equipment, applications, and services provided. As a result, each campus must be treated independently with regard to security. The following guidelines are structured to address those areas that are common to all campuses. Security does not stop at the edge router or with a firewall.
Because of various security threats, such as hacking, viruses, worms, Trojan horses, and denial-of-service attacks, security must be applied throughout the network, down to the desktop computer level. These guidelines provide recommendations that will effectively minimize potential security threats to the network infrastructure.

The VCCS network security model is organized into three (3) security access levels: open access, controlled access, and secured access. The security access levels define the potential impact on colleges or individuals should there be a breach of security (a loss of confidentiality, integrity, or availability). Each security access level is divided into four (4) functional protection areas: firewall, router, switch, and server protection. The functional protection areas define hardware that is generally common to all campuses. The security access levels dictate how much security is required in each of the functional protection areas.

Secondly, the model defines separate guidelines for wireless infrastructures. A college will either use the general process described in this document or must develop a tailored process that meets its specific needs as well as the needs and/or requirements specified in this model. In either case, it is recommended that colleges incorporate the associated IT security steps included in this model to aid in securing their infrastructure and information systems.

Each of the three rings of the diagram identifies a specific level of security provided for applications and services falling into its realm. The positioning of an application within the security structure is determined by the sensitivity and criticality of its data. The Risk Analysis and Business Impact Analysis will provide the application owner the guidance needed to position their application within the security structure.

Open Access (Internet)

Applications and services located in the outer circle are considered open to the public. They are afforded little protection. The World Wide Web homepage established to publish public relations information is a good example of an application or service requiring this level of protection. Below are recommendations that apply to this security access level.

Firewall Protection

A hardware firewall for these applications and services is not necessarily required, since these applications and services are meant to be available to the public. Listed below are firewall features to look for if one is chosen.

Hardware Firewall Features
- Controlling access for internal systems
- Intrusion detection
- MAC address filtering
- URL blocking
- Custom rule creation
- Various content blocking features
- H.323-enabled with H.323 proxy
- Upgradeable to Gigabit Ethernet

Router Protection

Though these applications and services are available to the public, the following security measures can be applied to the edge and gateway routers. These recommendations apply if a hardware firewall is not selected.
- IDS network module - The IDS module is an interface card that can be installed in a Cisco router. The module provides firewall/intrusion detection functionality at the router to detect possible attacks. The module is currently available for the Cisco 2600, 3600, and 3700 series routers.
- Cisco IOS Firewall - The Cisco IOS Firewall provides integrated firewall and intrusion detection functionality at the edge router. The features are embedded in the IOS and would require upgrading your edge router to the appropriate IOS.
- Access Control Lists - see VCCS Security Guidelines for Edge Devices.

Switch Protection

No security measures required.

Server and Desktop Protection (Laptops)

Listed are recommended security measures:
- Maintaining backup files
- Redundant server
- Personal Firewall
  - Windows XP Internet Connection Firewall (ICF)
  - ZoneAlarm
  - Norton Personal Firewall
- Intrusion Detection Systems (IDS)
- Anti-Virus software
- Windows Security Patches - ensure security updates are kept current on a daily basis.
- Application filtering - filtering of streaming, pornographic, P2P, and gaming applications.

  - Websense
  - Surf Control

Controlled Access (Intranet)

Applications located in the middle circle are for use by members of the VCCS community and do not contain restricted information. These applications need some level of protection, but security is not considered critical. Access to these applications is limited to customers with a valid Customer Id and password. Internal email and internal WWW homepages for classes are examples of applications of this type. Below are the recommended security measures for this security access level.

Firewall Protection

Hardware firewall protection for these applications and services may or may not be required for this access level. Though these applications and services are primarily used internally by the VCCS community, the information may not be sensitive enough to warrant a firewall. Listed below are firewall features to look for if one is chosen.

Hardware Firewall Features
- Controlling access for internal systems
- Intrusion detection
- MAC address filtering
- URL blocking
- Custom rule creation
- Various content blocking features
- H.323-enabled with H.323 proxy
- Upgradeable to Gigabit Ethernet

Router Protection

Listed below are recommendations if a hardware firewall is not implemented.
- IDS network module - The IDS module is an interface card that can be installed in a Cisco router. The module provides firewall/intrusion detection functionality at the router to detect possible attacks. The module is currently available for the Cisco 2600, 3600, and 3700 series routers.
- Cisco IOS Firewall - The Cisco IOS Firewall provides integrated firewall and intrusion detection functionality at the edge router. The features are IOS based and would require upgrading your edge router to the appropriate IOS.
- Access Control Lists - see VCCS Security Guidelines for Edge Devices.

Switch Protection

Listed are recommended security measures:
- Access Control Lists - access lists may be applied to the core switch to provide another level of security and filtering.
- VLANs - configure VLANs on the LAN switches to segregate network traffic.

Server and Desktop Protection (Laptops)

Listed are recommended security measures:
- Personal Firewall
  - Windows XP Internet Connection Firewall (ICF)
  - ZoneAlarm
  - Norton Personal Firewall
- Intrusion Detection Systems (IDS)
- Anti-Virus software
- Windows Security Patches - ensure security updates are kept current on a daily basis.
- Application filtering - filtering of streaming, pornographic, P2P, and gaming applications.
  - Websense
  - Surf Control

Secured Access

Applications and services located in the inner circle contain restricted and in some cases sensitive/confidential information. Protection of applications and services located in the innermost circle is considered critical. One must have a valid Customer Id and password to access applications within this circle. In addition, each application will provide an additional level of access control internally. FRS and SIS are examples of applications of this type. Below are the recommended security measures for this security access level.

Firewall Protection

Firewall protection for these applications and services is required for this access level. These applications are critical to the overall mission of the VCCS. The information contained on these systems is considered to be sensitive. Below are recommended features when choosing a firewall.

Hardware Firewall Features
- Controlling access for internal systems
- Intrusion detection
- MAC address filtering
- URL blocking
- Custom rule creation
- Various content blocking features
- H.323-enabled with H.323 proxy
- Upgradeable to Gigabit Ethernet

Router Protection

Listed below are recommendations if a hardware firewall is not implemented.
- IDS network module - The IDS module is an interface card that can be installed in a Cisco router. The module provides firewall/intrusion detection functionality at the router to detect possible attacks. The module is currently available for the Cisco 2600, 3600, and 3700 series routers.
- Cisco IOS Firewall - The Cisco IOS Firewall provides integrated firewall and intrusion detection functionality at the edge router. The features are IOS based and would require upgrading your edge router to the appropriate IOS.
- Access Control Lists - see VCCS Security Guidelines for Edge Devices.

Switch Protection

Listed are recommended security measures:
- Access Control Lists - access lists may be applied to the core switch to provide another level of security.
- VLANs - configure VLANs on the LAN switches to segregate network traffic.

Server and Desktop Protection (Laptops)

Listed are recommended security measures:
- Personal Firewall
  - Windows XP Internet Connection Firewall (ICF)
  - ZoneAlarm
  - Norton Personal Firewall
- Intrusion Detection Systems (IDS)
- Anti-Virus software
- Windows Security Patches - ensure security updates are kept current on a daily basis.
- Application filtering - filtering of streaming, pornographic, P2P, and gaming applications.
  - Websense
  - Surf Control

Call Managers
- Security Patches - stay current with security patches
- Intrusion Detection System (IDS)
- Upgrade to Call Manager 3.3
- Cisco Security Agent (CSA)

Voice Mail Servers
- Security Patches - stay current with security patches

Wireless Infrastructure Security

The following is a set of general security guidelines for wireless LAN implementation. However, colleges should exercise discretion in assessing the feasibility of such implementations and, if necessary, put in appropriate or equivalent measures to mitigate any security risks.

Physical Security
- Ensure the AP is within the physical boundaries of the building.
- Prevention of resets on the AP - ensure the AP is physically located where someone cannot readily or easily access the reset button. The reset button sets the AP back to the default configuration values.

Proper AP Configurations

Operational and security settings on the AP:
- Change the default SSID
- Maximize the Beacon interval
- Disable broadcast SSID
- Change the default cryptographic key
- Configure MAC Access Control Lists
- Software patches and upgrades - stay current with upgrades

Authentication
- Intrusion Detection System (IDS) - access control and intrusion detection mechanisms should be installed on the wireless station (i.e., laptop, desktop).
- WEP Encryption - set encryption to the strongest setting possible (128-bit).
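As an added illustration (not part of the VCCS model document), the following Python audit checks a constructed access point configuration against the "Proper AP configurations" and "Authentication" items above; the key=value dump format, the factory SSID and key values, and the setting names are assumptions, since real APs expose these settings under vendor-specific names.

```python
# Added example, not part of the VCCS model document: audits an AP's settings
# against the "Proper AP configurations" and "Authentication" items. The
# key=value format, factory SSID/key values and setting names are assumptions.

DEFAULT_SSIDS = {"tsunami", "default", "linksys"}  # assumed factory SSIDs
DEFAULT_WEP_KEY = "0000000000"                     # assumed factory key

def parse_ap_config(text):
    """Parse a key=value config dump (constructed format) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip()
    return cfg

def audit_ap(cfg):
    """Return the checklist items the AP fails, in the model's order."""
    findings = []
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if cfg.get("broadcast_ssid", "on").lower() != "off":
        findings.append("SSID broadcast not disabled")
    if cfg.get("wep_key", DEFAULT_WEP_KEY) == DEFAULT_WEP_KEY:
        findings.append("default cryptographic key still in use")
    try:
        bits = int(cfg.get("wep_bits", "0"))
    except ValueError:
        bits = 0  # unparseable value is treated as no encryption
    if bits < 128:
        findings.append("WEP not set to the strongest setting (128-bit)")
    if not [m for m in cfg.get("mac_acl", "").split(",") if m.strip()]:
        findings.append("no MAC access control list configured")
    return findings

# Constructed sample: an AP left mostly at factory settings.
SAMPLE_CONFIG = """
ssid=tsunami
broadcast_ssid=on
wep_bits=40
wep_key=0000000000
mac_acl=
"""

def demo():
    """Audit the constructed sample; every check above fails."""
    return audit_ap(parse_ap_config(SAMPLE_CONFIG))
```

The beacon interval and patch-currency items are not checked here because their acceptable values are vendor-specific.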