VCU Security Policy Implementation Procedures (#2914)

Physical Security for Communications Equipment and Cabling

All network-related hardware shall be housed in secure locations with access limited to authorized network personnel. If access to the area must be granted to other people, then the equipment and all connections must be enclosed in a locked cage. In lieu of a locked cage, locked equipment cabinets may be installed.

The purpose of this requirement is to prevent the insertion of non-secure hubs or other devices, to prevent configuration changes that would allow the interception of network traffic, and to control connection to secure VLANs.

Access to the network rooms or closets in all buildings must be available to Network Services personnel 24 hours a day, 7 days a week, in order to allow troubleshooting of network problems.

Installations completed prior to July 1, 1998 are temporarily excused from this requirement and do not need to be immediately re-worked to come into compliance. However, any significant upgrade or addition to an existing location will require that all connections in that location be brought into compliance. This temporary exclusion does not remove any departmental security responsibilities. If a sensitive or critical server or application is active on a local network, it is incumbent on the server or application owner to have the physical security of the communications link improved immediately. All other networked applications should be protected as soon as possible.

Security Requirements for Communications Electronics

No communications gear (e.g., hubs, Ethernet switches, routers, wireless access points, cabling) will be purchased unless permission is first granted by Network Services. In any case, all communications gear must be installed and operated by Network Services staff.

All equipment passwords and SNMP community strings must be changed from the factory default prior to installation.

Two exceptions exist to the requirement that Network Services staff install and operate network equipment:

1) Equipment used to support clustered hosts (backend networks of locally attached hosts, such as Beowulf clusters), so long as the cluster appears to be a single device from the VCUnet perspective.

2) Experimental networks not attached to VCUnet.

Departments planning to operate clusters or experimental networks should inform Network Services of their plans in order to improve support for their projects and reduce miscommunication between staff.

Should the department running the cluster or experimental network desire to change the nature of the cluster (so that additional devices appear on VCUnet) or attach the experimental network to VCUnet, then those installations must be tested and certified to meet all Network Services standards in effect at that time. The department requesting the change in connection status will be responsible for funding the testing and certification, as well as any cost to bring the installation up to standards. Testing, certification, and upgrades will be done under the supervision of Network Services staff.

This article was updated: September 10, 2009
