 

 

DCSL NETWORK SECURITY POLICIES

ASSET IDENTIFICATION

a. Border router Cayman, Pix firewall 515e, Access Control Server, VPN concentrator, Switch catalyst 3550s, Cisco Access Point AP 350, Hub.

b. DMZ Windows 2003 web server, Windows 2003 file server.

c. Pascal Linux Server, Alpha Linux Server, Galileo Windows 2003 Server, Einstein Linux Server.

d. 5 student MS Windows workstations in D140 and MS Windows workstations in the prototype network.

e. 30 student workstations in D158.

f. Configuration files of network equipment.

g. Administrator information such as usernames and passwords for servers and network equipment.

h. Student accounts.

i. Project documents on the file server.

j. Data on student workstations.

k. Internet connectivity for the web server, VPN server, Honeypot system and student workstations.

l. Network connectivity for students.


THREAT ASSESSMENT

a. External threats:

   i. Unauthorized access to network resources or information

      1. Unauthorized access to network equipment such as routers, PIX, ACS, VPN server, Firewall and switches.

      2. Unauthorized access to servers such as the Web and FTP servers in the DMZ.

      3. Unauthorized access to other MS Windows 2003 servers and Linux servers.

      4. Unauthorized access to student workstations.

   ii. Unauthorized manipulation and alteration of information on the network

      1. Malicious code threats including computer viruses, worms, and adware.

      2. Password, data sneaker.

      3. Emails containing viruses.

   iii. Denial of Service (Smurf, SYN attack, Distributed DoS, etc.)

      1. Denial of service to Internet connectivity.

      2. Denial of service to network connectivity.

      3. Denial of service of the data server.

      4. Denial of service of the DMZ web server.

      5. Denial of service of other servers.

b. Internal threats:

   i. Unauthorized access to network resources or information

      1. Unauthorized access to the Internet.

   ii. Unauthorized manipulation and alteration of information on the network

      1. Attacks may spill out of the DCSL network.

      2. Emails containing viruses (we do not support our own email server).

      3. Removable media: floppy diskettes, CD-ROMs, USB disks, etc.

   iii. Denial of Service (Smurf, SYN attack, Distributed DoS, etc.)


RISK ASSESSMENT

The main purpose of DCSL is education: servers and network equipment must be up most of the time so that professors can teach and students can practice and work on projects. The availability of the network is given top priority. However, databases, project documents, admin passwords, and configuration files also need confidentiality.

The file server needs confidentiality and data integrity. All research documents and research results, work planning, and work logging are also stored on this server. In the context of competition, this server needs the highest level of confidentiality.

The DMZ web server needs data integrity. It is mainly used for dissemination purposes.

Table 1 shows the risk ratings assigned to the assets identified in section 1. Ratings range from 1 (least important) to 5 (most important).

| Assets | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Border router | 4 | 3 | 4 |
| VPN server | 4 | 4 | 5 |
| PIX firewall | 4 | 4 | 5 |
| ACS | 5 | 5 | 5 |
| switches | 3 | 4 | 5 |
| DMZ web server | 3 | 4 | 4 |
| Windows2003 File server | 3 | 4 | 5 |
| Linux servers | 3 | 3 | 3 |
| Windows2003 Galileo AD server | 4 | 4 | 5 |
| Honeypot system | 4 | 4 | 5 |
| Internet connectivity | 3 | 3 | 4 |
| Student project server | 4 | 4 | 4 |
| Administrator Information | 5 | 5 | 5 |
| Student account information | 5 | 4 | 5 |
| Data in student workstation | 4 | 4 | 3 |
| LAN connectivity | 4 | 4 | 5 |

Table 1. Critical Asset Risk Rating for DCSL


SECURITY POLICY

a.      Accountability Policy

All users (students) are accountable for any behavior of theirs that results in a network security concern. It is the responsibility of all users to be familiar with the guidelines for using the services offered through the DCSL network. It is also the responsibility of every user to report suspected inappropriate use or malicious activity on the network to the system administrator.

b.      Acceptable Usage Policy

The DCSL network is available for use by users at any time of the day and night for the sole purpose of study. Using network resources for any function over and above that is prohibited. The DCSL network may sometimes be unavailable for maintenance and troubleshooting purposes.

c.       General Access Policy

Access will be strictly restricted. Access will be granted on the assumption that

ALL ACCESS IS DENIED UNLESS SPECIFICALLY REQUIRED.

Access to network resources is given on demand. Information assets are protected by giving access to specific groups and denying access to all others. Changes in access, including increasing or decreasing privileges, need approval from the manager of the LAB.

Wireless users and VPN clients must have approval before accessing the resources of the LAB. Once connected, a wireless user or VPN client will have the same rights as a local user of the LAB network.

It is the responsibility of remote users and VPN users to ensure that their equipment is not used by unauthorized persons to access the network resources.

d.      Internet Access Policy:

There are two types of "Internet access":

(i) type 1 - users using the Internet to access the assets in the DCSL network;

(ii) type 2 - users using the computers in the DCSL network to access the Internet.

Type 1 access should be available all the time for administrative and studying purposes.

The Internet connection is used by VPN clients to connect to the Lab network.

The Internet connection is used for external access to the DMZ web server.

Type 2 access should be available for HTTP traffic from student workstations.

e.      DMZ web-server, FTP server Access policy:

The DMZ web server is open to the public. It has two areas: a public area and a private area.

Normal external users are encouraged to access the web server's public area for advertised information on education and security services.

Access to the private area is restricted to authorized users only.

FTP is only for authorized users to upload/download files or update web pages.

f.        Authentication Policy:

All access to the network requires authentication and will be logged for auditing and accounting purposes.

Wireless and VPN users must go through 2 layers of authentication:

The user is authenticated first by the access server and second by the individual resources on the network.

Authentication is carried out using the Access Control Server. This server must be protected against attacks and intrusions from both inside and outside the network.

g.      Availability Statement:

The network is ready to use all the time. However, there will be outages for various reasons such as system updates, upgrades, installation of new equipment, troubleshooting, and implementation of new security rules. The availability of the network is the highest priority.

h.      Information Technology Systems and Network Maintenance Policy

All network equipment is managed by an administrator appointed by the Lab manager - faculty staff.

Remote administration is allowed, but the connection must first be authenticated with the access server and then encrypted.

All administration sessions, both inside and outside, must be encrypted.

i.        Violations and Security Incident Reporting and Handling Policy

Documented processes must be set up to identify when intrusions and network attacks happen.

The following steps need to be set up for incident reporting and handling:

-         A process must be invoked to inform the administrator when attacks happen.

-         A process needs to be set up to identify all the information needed to track the attack and record it for later prosecution.

-         A process must be in place to trace the attack in order to identify all vulnerabilities of the system so that future attacks can be avoided.

j.        Supporting Information

The LAB manager has ultimate responsibility for the security policy.

The following table defines the responsibilities of the people who are involved in LAB management.

Title: LAB manager

Role: Defining and maintaining overall LAB security policy

Responsibility:

-         Main contact for changes to security policy

-         Responsible for final approval of new network implementation that will affect network security

-         Responsible for cross-faculty communication on security issues

-         Administrative control over staff directly responsible for network security

-         Main architect of network design and network security

Title: Network administrator

Role: Managing the daily operation of the LAB network

Responsibility:

-         Ensures the security policy is followed in all network implementation

-         Is involved in the design of the network and network security

-         Main contact for all network incidents

-         Settles all network troubles and attacks

Title: Secondary administrator

Role: Assisting the network administrator in network administration

Responsibility:

-         Takes the role of network administrator when the main administrator is not available

-         Is involved in all network implementation

Table 2. Roles and Responsibilities


COPYRIGHT © 2007 University of Houston Clear Lake. ALL RIGHTS RESERVED.