VCU Security Policy Implementation Procedures
General procedures for administering systems and networks, reporting, investigating, adjudicating and documenting violations of the VCU Security Policy are covered in these procedures. These procedures do not replace Virginia Commonwealth University's Rules and Procedures, the Virginia Department of Human Resources Classified Employee Standards of Conduct, other appropriate disciplinary procedures, or legal action, any of which may be used in cases of the most serious offenses. Because some violations of the Computer and Network Resources Use Policy may also be violations of local, state or Federal law, prosecution under these laws may be pursued independently of any University action.
Each department that maintains computing systems is responsible for complying with the requirements of the Virginia State Security Policy and Standard as well as VCU-specific requirements. Administrators of business-critical systems, and of hosts holding proprietary, copyrighted, or other sensitive data, need to be especially vigilant in this area, but all administrators have some degree of responsibility to secure their systems.
Departmental management should develop local security policy implementations. Help with developing a customized security policy implementation is available from the VCU Information Security Officer or any of the CERT members. As a minimum, the points in this document should be included in all security policy implementations.
Departments handling clinical or other patient identifiable data are subject to stringent federal regulations. Contact the Information Security Officer to discuss the impact of the Health Insurance Portability and Accountability Act (HIPAA) and the steps you must take to meet federal requirements.
Other sensitive information may fall under federal and state mandates. For example, access to University financial records is regulated by the Gramm-Leach-Bliley Act of 1999, and access to student records by the Family Educational Rights and Privacy Act. Contact the Information Security Officer to discuss the type of data you control and whether it needs additional protections.
In the absence of a more restrictive departmental implementation this document will serve as the departmental security policy implementation for all departments.
VCUnet Conditions of Use
Individuals and departments using VCUnet are implicitly agreeing to abide by the applicable State and University usage policies and standards. By making use of VCUnet you are also agreeing to abide by all security and usage requirements defined by the VCU Information Security policies, standards, and procedures.
Before connecting a device to the network review and apply the security recommendations that can be found on the VCU Information Security web pages. By attaching to VCUnet you are exposing your device to the Internet and VCU may be held liable for damages caused by misuse unless you have made reasonable efforts at configuring and maintaining security precautions.
Revised 6/16/00
Server Registry
All servers connected to the VCUnet must be registered in the central Server Registry Database. A server is any computer or device connected to the network that manages resources for other users. Examples include file, print, Web, application and database servers. Test and development servers as well as production servers must be registered before being connected to the network. The registry database will contain information about the device's physical location, hardware and operating system configuration, application(s), system administrator and contact information. Server information must be kept current in the registry. The registry must be updated with any additions, deletions, or pertinent changes within 3 working days of the change.
Any server that will be accessible to the Internet (outside of the VCU domain) must be identified as public facing and comply with the security standards for public-facing web servers.
VCUnet staff and the VCU Information Security Officer will conduct periodic scans of the University's network. Presumed system administrators and administrative officials (e.g. dean) in the unit will be notified of any unregistered servers discovered through this process. Any server not appropriately registered may be disconnected from the network after a 3 working day grace period until the system administrator complies with this requirement.
Approved: 3/04
Revised: 7/07
Privacy and Disclosure Policy
In general terms, VCUnet does not engage in blanket monitoring of communications. It does, however, reserve the right to monitor, access, retrieve, read, and/or disclose communications when there is reasonable cause to suspect criminal activity or policy violation, or monitoring is required by law, regulation, third-party agreement, or at management request as appropriate under federal and state privacy laws and regulations. Reasonable cause may be provided by a complaint of a policy violation or crime or as incidentally noticed while carrying out normal duties.
By making use of VCU systems, users consent to allow all information they store on or transmit over VCU systems to be divulged to law enforcement at the discretion of VCU management as appropriate under federal and state privacy laws and regulations.
Revised 6/16/00
Security Contacts
Every VCU multi-user computer system must have a designated security contact to facilitate a rapid response to security breaches, installation of patches and bug fixes, and similar activities. The departmental contact information should be reported to the Information Security Officer.
All suspected information security incidents must be reported as quickly as possible through the VCU internal channels established by the VCU Computer Emergency Response Team (VCU CERT). Even if the incident is handled locally, reporting a minor incident will assist VCU CERT in determining if your local symptoms are actually a part of a larger attack pattern.
Revised 6/16/00
Disable Dangerous Services
Certain network protocols and services have design flaws that cannot be corrected by patching, such as transmitting credentials and session data in cleartext or trusting a client's claimed source address. These flaws are well known in the hacker community and thus are more likely to be exploited to gain access to systems. These dangerous services should be disabled on all servers unless there is a good business reason to justify their use; authenticated (and, where available, encrypted) alternatives exist that can be substituted for them. Note that many operating systems turn these services on automatically when the operating system is installed, so the system administrator must turn them off manually.
The list of dangerous services changes continually as new exploits are discovered. System administrators need to stay up to date by reviewing Carnegie Mellon CERT Coordination Center recommendations, SANS bulletins, and other authoritative sources.
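The following is an added example, not a VCU tool or part of these procedures: a small audit that reads `ss -tuln` style output (a constructed sample is embedded; the port-to-service table lists well-known legacy services and is the author's, not VCU's list) and reports each dangerous service that is bound, distinguishing loopback-only binds from ones exposed on all interfaces.

```python
"""Audit a host's listening sockets for legacy services that should be
disabled unless justified (added example, not part of the VCU procedures)."""

# Well-known ports of services whose design flaws cannot be patched away:
# cleartext credentials, no authentication, or trust based on source address.
# Each entry names the service and the authenticated substitute to deploy.
DANGEROUS = {
    ("tcp", 21):  ("ftp",    "SFTP or FTPS; cleartext credentials"),
    ("tcp", 23):  ("telnet", "SSH; cleartext credentials and session"),
    ("udp", 69):  ("tftp",   "SCP/SFTP; no authentication"),
    ("tcp", 79):  ("finger", "disable; discloses account information"),
    ("tcp", 512): ("exec",   "SSH; trusts the client's source address"),
    ("tcp", 513): ("login",  "SSH; trusts the client's source address"),
    ("tcp", 514): ("shell",  "SSH; trusts the client's source address"),
}

LOOPBACK = {"127.0.0.1", "::1"}
STATES = {"LISTEN", "UNCONN"}   # TCP listeners and bound UDP sockets in `ss` output


def parse_sockets(output):
    """Yield (proto, address, port) from `ss -tuln` style text.

    A data line looks like:  tcp  LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
    The local endpoint is the third field after the state column; IPv6
    addresses are bracketed, so the port is split off at the last colon.
    """
    for line in output.splitlines():
        fields = line.split()
        state_idx = next((i for i, f in enumerate(fields) if f in STATES), None)
        if state_idx is None or len(fields) < state_idx + 4:
            continue                      # header or malformed line
        proto = fields[0].lower()
        addr, _, port = fields[state_idx + 3].rpartition(":")
        if not port.isdigit():
            continue
        yield proto, addr.strip("[]"), int(port)


def audit(output):
    """Return one finding per dangerous socket; exposed=False means loopback-only."""
    findings = []
    for proto, addr, port in parse_sockets(output):
        hit = DANGEROUS.get((proto, port))
        if hit is None:
            continue
        service, advice = hit
        findings.append({
            "proto": proto, "port": port, "service": service, "bind": addr,
            "exposed": addr not in LOOPBACK, "replace_with": advice,
        })
    return findings


# Constructed sample: what `ss -tuln` might print on a freshly installed host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:21      0.0.0.0:*
tcp   LISTEN 0      128    [::]:513          [::]:*
udp   UNCONN 0      0      0.0.0.0:69        0.0.0.0:*
tcp   LISTEN 0      128    *:80              *:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        where = "EXPOSED" if f["exposed"] else "loopback only"
        print(f"{f['proto']}/{f['port']:<4} {f['service']:<7} {where:<14} -> {f['replace_with']}")
```

On a live host, feed the script the real output of `ss -tuln`; SSH (22) and HTTP (80) in the sample are not flagged, while telnet, rlogin and tftp on all interfaces are, and the loopback-only FTP listener is reported at lower severity.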
Revised 4/16/04
Password requirements for network-attached equipment
All network-attached workstations, printers, and other equipment that can be configured to require a password for login should be so enabled.
Passwords and SNMP community strings must be changed from factory defaults. New passwords and strings should comply with recommendations for creating secure passwords.
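As an added example (not VCU tooling), the check below scans an IOS-style configuration for SNMP community strings and rejects factory defaults and weak values. The configuration syntax, the device names and the numeric thresholds (12 characters, three character classes) are assumptions; the VCU text refers to its own password recommendations without stating numbers.

```python
"""Check SNMP community strings in a device configuration against factory
defaults and a strength policy (added example, not VCU's own tooling)."""
import re
import string

# Factory-default community strings; "public" and "private" ship on almost
# every SNMP-capable device, the rest are common vendor defaults.
DEFAULT_COMMUNITIES = {"public", "private", "admin", "cisco", "manager",
                       "monitor", "read", "write", "community", "snmp"}

# Assumed strength policy; the VCU text refers to its own password
# recommendations without stating numbers, so these thresholds are illustrative.
MIN_LENGTH = 12
MIN_CLASSES = 3
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed IOS-style configuration syntax for the two lines we care about.
HOSTNAME_LINE = re.compile(r"^\s*hostname\s+(\S+)", re.I)
COMMUNITY_LINE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s*(RO|RW)?", re.I)


def problems(secret, hostname=""):
    """Return the reasons a community string or password fails; empty means it passes."""
    issues = []
    if secret.lower() in DEFAULT_COMMUNITIES:
        issues.append("factory default")
    if len(secret) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if sum(any(c in cls for c in secret) for cls in CLASSES) < MIN_CLASSES:
        issues.append(f"fewer than {MIN_CLASSES} character classes")
    if hostname and hostname.lower() in secret.lower():
        issues.append("contains the device hostname")
    return issues


def audit_config(text):
    """Return (line number, community, access, issues) for each failing community string."""
    hostname, findings = "", []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HOSTNAME_LINE.match(line)
        if m:
            hostname = m.group(1)
            continue
        m = COMMUNITY_LINE.match(line)
        if not m:
            continue
        community, access = m.group(1), (m.group(2) or "RO").upper()
        issues = problems(community, hostname)
        if access == "RW":
            # A read-write community permits configuration changes, so a leak
            # of it is far worse than a read-only one; flag it for review.
            issues.append("read-write community; use RO unless writes are required")
        if issues:
            findings.append((lineno, community, access, issues))
    return findings


# Constructed sample configuration; the hostname and strings are made up.
SAMPLE_CONFIG = """\
hostname anr-sw1
snmp-server community public RO
snmp-server community anr-sw1-snmp RW
snmp-server community Kq7!vR2m#xL9pW RO
"""

if __name__ == "__main__":
    for lineno, community, access, issues in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {community!r} ({access}): " + "; ".join(issues))
```

The same `problems()` routine can be applied to local account passwords; only the configuration parser is SNMP-specific.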
Revised 6/16/00
Dial-up Connections: Security Requirements for Dial-in Modems and other Remote Access Solutions
A number of individuals and departments have a business need to access data on University PCs and servers from home or while on the road. A number of solutions exist to provide this access, including using the University dial-in lines, a departmental RAS server, or software such as PC Anywhere. While these solutions can facilitate your work efforts, care must be taken to ensure the integrity of your data and your privacy.
The first recommendation is to not set up any remote access solutions unless there is a legitimate business need that cannot be met any other way. The threat of a cyber-attack is very real and should be taken seriously. Consider the value of the data and machines that could be compromised (both the dial-in machine and the other PCs and hosts on the network are at risk) and the loss of productivity while a compromised machine is being rebuilt. Does the benefit of easy access outweigh the increased risk?
If you have decided that you must have remote access to your data, you will be responsible for setting up and maintaining appropriate security measures to protect your machines as well as other devices on VCUnet. You should enable the highest level of security that your equipment and application will support - encryption, dial-back services, etc. Of course, any access solution must be used in accordance with applicable VCU use and ethics policies.
Note that some programs are configured to not use any password at all when they are first installed. The user must manually configure the software to require IDs and passwords.
Remote access security can be divided up into two broad categories.
Network-based authentication
This is the type of security that will be used by most departmental and individual solutions. The remote access device authenticates the user via an ID and password challenge and then allows access to anywhere on the network. Minimum security requirements for this type of security include individual IDs and passwords for each user - no guest or shared accounts allowed. Ideally, the password exchange will be encrypted to prevent a hacker from sniffing (a form of electronic eavesdropping) your account information.
Host-based authentication
This type of security is used when access to only a few hosts is required. When a user dials in to a server using this type of security, the user is not challenged for an ID and password, but rather is presented with a menu of connection choices. The user can only get to the devices on the menu; the end host provides authentication via an ID and password challenge. The menu must be thoroughly tested to prevent a malicious user from breaking out of the menu and thus gaining unauthenticated access to the rest of the network. The dial-in server must also be configured to not interfere with the client-host exchange, part of which may be encrypted.
Before dial-up connections are turned on, the manager of the department making the installation must make sure that these standards have been followed. All deviations from these standards must be approved in advance by the Information Security Officer.
Revised 6/16/00
Network Impact
Computer users must not run or write any computer program or process that is likely to consume significant system or network resources or otherwise interfere with VCU business activities. Users should strive to create applications that make efficient use of available resources. If you expect to use higher than normal resources or are not sure, coordinate with VCUnet early in the process so that appropriate support and access can be arranged.
Revised 3/1/01
Hacking Tools
Unless specifically authorized in advance by your supervisor, users of VCU computing resources must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those that defeat software copy protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. Such tools should not be used against devices not under your responsibility without the express permission of the device manager.
This prohibition is meant to provide a tool to be used to stop individuals and groups involved in illegal or unsanctioned network activity. It is not meant to restrict the possession or use of software used for legitimate purposes, such as tools to decrypt e-mail or files that an individual is normally authorized to access. It is also not meant to apply to the VCU Information Security Officer (or designee) or to Audit and Management Services who are explicitly authorized to use such tools to perform tasks such as, but not limited to, network scanning for known vulnerabilities and testing for compliance with officially approved policies, standards, and procedures.
Revised 8/24/01
Server & Workstation Requirements
The University's computing and network resources are scanned, probed, and attacked constantly by hackers. While some protection is provided by the University firewall and other information security provisions, system administrators must do their part as well. The majority of successful attacks are based on well known flaws in software and are often propagated by viruses and worms; therefore the University has set certain standards for maintaining the systems under your care. Additionally, Technology Services is responsible for locating devices on VCUnet that have been compromised or are in danger of being compromised in an effort to stay one step ahead of the hackers. In order to accomplish this portion of our mission, administrators must allow a non-hostile scan of their hosts and workstations as indicated below. Information gathered during scanning will be held in confidence consistent with University policy.
All servers and workstations must have the latest software patches and security fixes applied prior to attaching to the network. Once attached, all devices must be maintained at current software revision and patch levels. Newly released patches and hot fixes should be applied as soon as they are verified to be error-free. Devices found on the network to be below current level are subject to disconnection until the problem is resolved. The responsible administrator will be notified of the situation. Failure to comply due to incompatibility issues with other software will be handled on an individual basis. Repeated incidents will be reported to the administrator's management.
All servers and workstations must have a current copy of anti-virus software loaded and running at all times. Anti-virus definitions must be maintained at current levels. Devices found on the network to be below current level are subject to disconnection until the problem is resolved. The responsible administrator will be notified of the situation. Repeated incidents will be reported to the administrator's management.
Technology Services will make regular and ad hoc scans of all devices attached to the network. Devices must remain open to and respond to scans from the 128.172.3.xxx subnet. One purpose of these scans is IP address maintenance. If Technology Services does not receive a response on a specific IP address after a period of scanning then the address is considered to be available for re-issue. In order to avoid IP address conflicts and maintain the reliability of your systems, firewalls and other blocking mechanisms must be configured to allow scans from the specified subnet. Additionally, scans will be made periodically to look for hosts that have been compromised or are in danger of being compromised by hackers. Compromised devices will be disconnected from the network immediately and the administrator or owner notified. The administrator or owner of devices in danger of being compromised will be notified before they are disconnected. If the administrator or owner of the device cannot be contacted, or if the problem is not resolved in a reasonable period of time, the device will be disconnected and the incident will be reported to the management of the administrator or owner.
Review and implement the VCU recommendations for Windows, Mac, and UNIX workstations. All security problem-fix software, command scripts, and the like provided by operating system vendors, official computer emergency response teams (VCU CERT), and other trusted third parties must be promptly installed.
Be sure to keep current and secure backups as these are often the only way to recover from a compromise.
Revised 11/02/06
Electronic Mail Management
Electronic mail or E-Mail is considered an official method for communication at VCU because it delivers information in a convenient, timely, cost effective, and environmentally aware manner. It is a core part of the Information Technology Infrastructure for the University and as such must be secure and protected from viruses, Trojan horses, open mail relays, and other forms of mail attacks.
The E-Mail Services Policy ensures that only official mail servers are allowed to be addressed from outside the VCU network domain. Official mail servers are those managed by Technology Services as part of the Information Technology Infrastructure of the University or those approved as an exception by the Chief Information Officer.
All incoming mail addressed to an approved mail server will first be processed by an anti-virus and anti-spam scanning gateway before being forwarded to the appropriate mail server. Mail directed to any other server in the VCU domain will be rejected.
Requests for allowing mail servers other than those managed by Technology Services should be sent to the Chief Information Officer, Technology Services. Approved e-mail servers will have mandatory configuration requirements.
Effective Date 4/16/04
Firewall and Filtering Policy/ Firewall Installation and Management
All firewalls installed on VCUnet must be installed and managed by VCUnet.
Exceptions to this rule are:
- Personal firewall software installed on workstations for the protection of that workstation. Personal firewall software such as ZoneAlarm (http://www.zonelabs.com/), BlackICE Defender (http://www.networkice.com/), or similar products are allowed and encouraged.
- Host based firewall software where the firewall protects only the host that runs the firewall software.
- Firewall type services run as a part of a host cluster where the cluster appears as a single device on the network.
In all cases, VCUnet must control and coordinate all Network Address Translation (NAT) services. Additionally, personal and host based firewalls must be configured to allow network scans from the 128.172.3.xxx subnet. One purpose of these scans is IP address maintenance. If Technology Services does not receive a response on a specific IP address after a period of scanning then the address is considered to be available for re-issue. In order to avoid IP address conflicts and maintain the reliability of your systems, firewalls and other blocking mechanisms must be configured to allow scans from the specified subnet. Additionally, scans will be made periodically to look for hosts that have been compromised or are in danger of being compromised by hackers.
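Both this section and the Server & Workstation Requirements above require host firewalls to answer the central scanner. The following added example (not VCU's firewall configuration) models first-match rule evaluation the way iptables or nftables do it, and contrasts a ruleset that silently drops the scanner with one that accepts it first. The page gives the scanner range as 128.172.3.xxx; reading it as 128.172.3.0/24 is an assumption, as is the department LAN 128.172.40.0/24 used for illustration.

```python
"""First-match host firewall evaluation: why an explicit accept for the central
scanner subnet must precede any restrictive rule (added example, not VCU's
firewall configuration). 128.172.3.0/24 and 128.172.40.0/24 are assumptions."""
import ipaddress

SCANNER_NET = ipaddress.ip_network("128.172.3.0/24")   # "128.172.3.xxx" in the policy
DEPT_LAN = ipaddress.ip_network("128.172.40.0/24")     # made-up department LAN


def rule(action, src="0.0.0.0/0", dport=None):
    """One rule: matches when the source lies in `src` and, if set, the
    destination port equals `dport`."""
    return {"action": action, "src": ipaddress.ip_network(src), "dport": dport}


def decide(ruleset, src_ip, dport, default="drop"):
    """Return the action of the first matching rule, or the default policy."""
    addr = ipaddress.ip_address(src_ip)
    for r in ruleset:
        if addr in r["src"] and (r["dport"] is None or r["dport"] == dport):
            return r["action"]
    return default


def scan_visible(ruleset, probe_ports=(22, 80, 443)):
    """True when a scanner in SCANNER_NET gets a response on every probed port."""
    probe = str(SCANNER_NET[10])     # an arbitrary scanner address, 128.172.3.10
    return all(decide(ruleset, probe, p) == "accept" for p in probe_ports)


# A host firewall that admits SSH from the department LAN and drops everything
# else. It looks secure, but the central scanner gets no answer, so the address
# is treated as unused and becomes eligible for re-issue.
TOO_STRICT = [
    rule("accept", src=str(DEPT_LAN), dport=22),
]

# Corrected ruleset: the scanner subnet is accepted first, before the
# restrictive rules. The iptables equivalent of the first rule is
#   iptables -I INPUT -s 128.172.3.0/24 -j ACCEPT
COMPLIANT = [
    rule("accept", src=str(SCANNER_NET)),
    rule("accept", src=str(DEPT_LAN), dport=22),
]

if __name__ == "__main__":
    for name, rs in (("too strict", TOO_STRICT), ("compliant", COMPLIANT)):
        print(f"{name:<10} scanner visible: {scan_visible(rs)}; "
              f"outsider to ssh: {decide(rs, '10.0.0.5', 22)}")
```

Order matters: placing the scanner accept after a blanket drop would never be reached, which is the usual way a "compliant" host ends up invisible to the scan.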
The details of what is blocked and what is allowed to pass through VCUnet firewalls and routers shall be treated as confidential since they could be used against VCU by hackers. Filter lists and access control lists shall be divulged on a need to know basis only.
Revised 9/13/02
External Firewalls
An appropriate firewall will be installed between VCUnet and all untrusted networks. Appropriate security recommendations made by the Carnegie Mellon CERT Coordination Center and other authoritative sources will be implemented on VCUnet. Recommendations will be reviewed by the VCU CERT members on an as-needed basis, but at least quarterly. VCU CERT decisions will be approved by the VCU Information Security Officer and documented at the Network Operations Center.
Interior Firewalls
Hosts and subnets requiring additional protection may be equipped with an appropriate firewall or access control list. The host administrator or the management responsible for end users on a subnet in consultation with VCUnet staff will define the overall security requirements. All implementations of internal firewalls shall be performed by VCUnet.
Firewall Configuration Change Requests
Deviations from established security measures must be approved by the VCU Information Security Officer and documented in writing at the Network Operations Center. The director of the unit requesting the changes should submit change requests in writing to the Information Security Officer. The written request should include justification for exposing VCU to increased risks and indicate what other transport methods have been considered. If approved, the original request will be maintained in a file at the Network Operations Center and the changes enacted.
The Information Security Officer or designee should make every effort to assist in finding an alternate mechanism to accomplish the goal of the requesting unit rather than opening the restricted ports.
Revised 6/14/00
Wireless Networking
Basic Access Point Requirements
- Access points must adhere to IEEE 802.11b standards. 802.11a and 802.11g access points are allowed in conjunction with 802.11b devices.
- Access points must provide roaming.
- Access points must be capable of accepting a common set of identifying alphanumeric characters (SSID field)
- Access points must be capable of disabling broadcast SSID.
- Access points must be capable of providing WEP 128 bit encryption or better security.
- Access points must have flash upgradeable firmware.
Access Point Installation Requirements and Enforcement Procedures
- Access Points may not be installed or operated by anyone other than VCUnet or others designated by VCUnet. Access Points are considered to be network equipment, similar to hubs and switches. As such, they fall under the VCU Information Security Policy and may be attached to the VCU network only by VCUnet staff or others designated by VCUnet. Any access point found improperly installed, as defined herein, is subject to removal from the network. Access points installed by unauthorized personnel, even if properly configured, will result in a disciplinary letter sent to the responsible party's management by Technology Services.
- An area being considered for wireless LAN coverage will be site surveyed by VCUnet to determine placement of the access points and range of coverage. VCUnet will identify possible interference sources and the impact of the new access point on existing University and Health System environments. Should it appear that a new AP would interfere with an existing installation, VCUnet will attempt to reach a mutually agreeable resolution between the affected parties. If an agreement cannot be reached, preference will be given to the existing installation. The rejected installation request may be appealed to VCU senior management.
- Wireless network transmissions must not interfere or impact any clinical activity or other mission critical operation. If it is discovered that a specific access point is associated with such interference or impact it will be disabled immediately.
- All access points are to be connected to the special wireless infrastructure. Access points may not be connected to the normal wired infrastructure due to security concerns. Any access point discovered on the normal wired network after the transition period will be disabled immediately and the responsible departmental contact notified. Repeat offenders will be reported to their management and the access points physically removed until the situation is corrected.
- Effective March 20, 2004, wireless users must be authenticated as official members of the VCU community by being entered into the enterprise directory. All wireless transmissions must be encrypted via VPN or equivalent services.
- VCUnet will configure all access points with the following critical parameters:
- Broadcast SSID must be disabled on all access points attached to the network.
- Multi-domain roaming (Cisco) or Extended Roaming (3Com) must be enabled.
- SSID parameter will be set to the approved common VCU alphanumeric character string.
- The password on all equipment must be changed from the default to a strong password.
- Individual units will develop WLAN coverage maps for all buildings for which they are responsible. Coverage maps will be submitted to VCUnet.
- Generally, these requirements are not meant to apply to standalone wireless installations where no device is attached to the University network. Departments are free to experiment in a non-connected environment. However, departments should consider the security needs of any devices attached to the standalone wireless network. The potential of an accidental cross connection with an attached wireless network cannot be ignored, so departments should still coordinate with VCUnet before energizing any access points.
- Wired Equivalent Privacy (WEP) is the data encryption mechanism defined in the 802.11b standard. WEP provides for two levels of encryption, marketed as 64-bit and 128-bit (the secret key itself is 40 or 104 bits; the remaining 24 bits are an initialization vector sent in the clear). WEP has a number of flaws that make it vulnerable to snooping, and the current implementation of WEP is generally considered to be insecure. Additionally, there are reported problems with cross-vendor implementations of WEP. Accordingly, VCU will not use WEP until the manufacturers can correct these issues. The requirement for 128-bit WEP and flash-upgradeable firmware when purchasing access points is in recognition that compatibility and security issues will in fact be corrected, and VCU will then require that these features be enabled.
Revised 11/02/06
Domain Name System (DNS) Policy
All devices on the Internet require an entry in the Domain Name System (DNS) in order to facilitate connection requests. Connections between machines on the Internet are made using the machine's numeric IP address; DNS provides the translation from the text name of a host to the host's numeric address. DNS entries may refer to a specific web site, a host or workstation, or another Internet entity. Different naming conventions have been developed based on the business needs of the University. The following policy statements apply to all DNS naming conventions:
In order to reduce security risks associated with running DNS servers as well as providing a consistent naming structure for VCU, all DNS services must be provided by VCUnet. VCUnet staff shall maintain the DNS at the most current revision levels consistent with operational stability and recommendations of industry security experts.
To increase the visibility of the University on the Internet, all VCU related DNS entries must end in VCU.EDU. For-profit or non-VCU related entries must be served by a commercial ISP. The cost for this service is to be borne by the requesting department or individual.
All VCU related DNS entries (host names, web sites, workstations, etc) should conform to the VCU DNS Naming Conventions. Existing entries that do not conform to the Naming Conventions will continue to be supported, but all new requests will follow these formats.
In all cases, DNS entries should present VCU in a professional light. Requests for names that might be offensive or inappropriate should be avoided. VCUnet staff will attempt to negotiate a resolution agreeable to all parties. Unresolved requests for names deemed questionable by VCUnet staff will be referred to the Information Technology Coordinating Committee (ITCC) for final resolution.
In the event that two units request the same domain name or URL, VCUnet staff will attempt to negotiate a resolution agreeable to all parties. Requests will normally be honored on a first come-first served basis, but University business needs may prevail. Unresolved request conflicts will be referred to the ITCC.
General Machine Name Conventions
In order to reduce the possibility of duplicate names and facilitate identifying non-centrally controlled devices, it is important to logically subdivide the available name space through the use of third and fourth level domain names.
University-Level Hosts: Only University-level hosts use a three level domain name, taking the format:
DeviceName.VCU.EDU
Generally, University-level hosts are directly supported by Technology Services. Examples are:
SATURN.VCU.EDU
AMBER.VCU.EDU
Departmental Hosts: The majority of devices on the network are departmental-level devices. Internet names for departmental-level devices on VCUnet use a four-level domain name in the format
DeviceName.DepartmentCode.VCU.EDU
where DepartmentCode is a three-letter abbreviation for the department. In the case where the department does not have an assigned abbreviation, VCUnet will create an appropriate three-letter abbreviation.
Departments have a fair amount of leeway in creating the DeviceName portion of the DNS entry. Names should be descriptive or functionally relevant, and most importantly, unique.
NT Server Name Conventions: NT server names should be a three-letter department identifier, followed by a dash, the letters NT, and a sequential number starting with 1 for the first server, so that the type of server is easily identified. For example, the first Windows NT server installed in Animal Resources would be:
ANR-NT1.ANR.VCU.EDU
Workstation Name Conventions: It is recommended that workstations be identified by a three-letter department code followed by a dash, the letters PC and a sequential number. For example:
ANR-PC1.ANR.VCU.EDU
Using this format, rather than the PC owner's name or other information, eases the administrative burden of making changes when staffing changes.
Web Site Names
To accommodate business needs and ease of use, web site names use a different naming convention than individual Internet devices. Additionally, web sites hosted on departmental servers have different naming requirements than those hosted on official University web hosts. In all cases, web site names should be as simple and short as possible, start with WWW and end with VCU.EDU.
Web sites hosted on the University web server:
Sites hosted on the University web server may elect to have a shortened URL in the format:
WWW.SITENAME.VCU.EDU
Schools, departments, and institutes may elect to request a SITENAME that spells out the department name. For example, Technology Services could elect to name their web page:
WWW.TECHNOLOGYSERVICES.VCU.EDU
Rather than WWW.TS.VCU.EDU. However, decision makers should carefully consider which version of the web name really is more user friendly. The long version of the Technology Services name would be quite a lot to type; does having an English-language version of the name out-weigh the convenience of having an easy to type short name?
Sites on the University web server may also elect to have a URL in the format described below in the section on departmental web hosts.
Web sites hosted on departmental web servers:
Departmental or project-based web sites hosted on departmentally supported hosts will include the departmental three-letter identifier described in the naming conventions for devices. Generally, the DeviceName for web sites is WWW or descriptive of the specific project.
Example:
WWW.DIVISION.DEP.VCU.EDU
WWW.PROJECT.DEP.VCU.EDU
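The conventions above can be checked mechanically. The classifier below is an added example, not a VCU tool: it normalizes a name the way DNS does (case-insensitive, trailing dot ignored), validates each label against the RFC 1035 hostname rule, and reports which convention the name follows, plus warnings for names outside VCU.EDU or whose NT/PC prefix does not match the department zone. The names in the test are the page's own examples plus constructed ones.

```python
"""Classify fully qualified names against the VCU DNS naming conventions
(added example, not a VCU tool)."""
import re

DEPT = r"[A-Z]{3}"                           # three-letter department code
LABEL = r"[A-Z0-9](?:[A-Z0-9-]*[A-Z0-9])?"   # one DNS label: no leading/trailing hyphen

# Most specific first: NT/PC prefixes are servers and workstations, WWW-prefixed
# names are web sites, then the generic host formats.
CONVENTIONS = [
    ("departmental NT server",   re.compile(rf"^(?P<d>{DEPT})-NT\d+\.(?P=d)\.VCU\.EDU$")),
    ("departmental workstation", re.compile(rf"^(?P<d>{DEPT})-PC\d+\.(?P=d)\.VCU\.EDU$")),
    ("departmental web site",    re.compile(rf"^WWW\.{LABEL}\.{DEPT}\.VCU\.EDU$")),
    ("university web site",      re.compile(rf"^WWW\.{LABEL}\.VCU\.EDU$")),
    ("departmental host",        re.compile(rf"^{LABEL}\.{DEPT}\.VCU\.EDU$")),
    ("university-level host",    re.compile(rf"^{LABEL}\.VCU\.EDU$")),
]
PREFIXED = re.compile(rf"^({DEPT})-(?:NT|PC)\d+\.({DEPT})\.VCU\.EDU$")


def normalize(name):
    """DNS is case-insensitive; compare in upper case without a trailing dot."""
    return name.strip().rstrip(".").upper()


def classify(name):
    """Return the convention a name follows, or None if it is malformed or fits none."""
    fqdn = normalize(name)
    if not all(re.fullmatch(LABEL, part) for part in fqdn.split(".")):
        return None                       # bad label, e.g. underscore or empty
    for convention, pattern in CONVENTIONS:
        if pattern.match(fqdn):
            return convention
    return None


def warnings(name):
    """Policy warnings that do not by themselves make a name unclassifiable."""
    fqdn, notes = normalize(name), []
    if not fqdn.endswith(".VCU.EDU"):
        notes.append("VCU-related entries must end in VCU.EDU")
    m = PREFIXED.match(fqdn)
    if m and m.group(1) != m.group(2):
        notes.append(f"device prefix {m.group(1)} does not match department {m.group(2)}")
    return notes


if __name__ == "__main__":
    # Page examples plus constructed names (ANR-NT1.BIO.VCU.EDU, WWW.VCU.COM are made up).
    for n in ("SATURN.VCU.EDU", "ANR-NT1.ANR.VCU.EDU", "WWW.PROJECT.DEP.VCU.EDU",
              "ANR-NT1.BIO.VCU.EDU", "WWW.VCU.COM"):
        print(f"{n:<26} {classify(n)!s:<26} {'; '.join(warnings(n))}")
```

One caveat: a four-label name beginning with WWW (WWW.ANR.VCU.EDU, say) is reported as a university web site, although the departmental format also allows WWW as the DeviceName; the page itself leaves that case ambiguous.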
VCU Health System DNS Conventions
VCUnet supports DNS entries for VCU Health System devices located on VCUnet. Generally, VCU Health System entries shall conform to VCU DNS conventions with the following exceptions:
The primary first and second level domains will be VCUHEALTH.ORG instead of VCU.EDU.
To support marketing efforts, other first and second level domains will be supported as defined in the OSA.
Central Virginia Community Online (CVCO) DNS and Web Page Conventions
DNS entries for CVCO web pages are supported by VCU. To qualify for inclusion in the CVCO DNS tables, entries must be for certified non-profit organizations and all related files must reside on the CVCO server. First and second level domains should be consistent with the non-profit nature and intent of the CVCO system.
Since CVCO is associated with VCU by virtue of our support, DNS entries should present a professional presence on the Internet. Requests that might be offensive or inappropriate should be avoided. Requests for entries that are deemed questionable by VCUnet staff will be referred to the Information Technology Coordinating Committee (ITCC) for final resolution.
In the unlikely event that two organizations request the same domain name or URL, VCUnet staff will attempt to negotiate a resolution agreeable to all parties. Requests will normally be honored on a first come-first served basis. Unresolved request conflicts will be referred to the ITCC.
Revised 11/02/06
IP Addresses and DHCP Policy
The IP address space is a finite resource administered by VCUnet. Blocks of addresses may be assigned for use by other units to ease installation and change management. In these cases, the units must report back to VCUnet all assignments and changes so that the master IP database may be updated. Change reports should be provided monthly as needed.
Changes in technology, increases in bandwidth demands, and other factors may require a reconfiguration of the network resulting in a change of address assignments. VCUnet will make every effort to contact affected users prior to making plans for any changes.
IP addresses should be statically assigned unless there is a compelling business need for dynamically assigned addresses (lecture halls, laptop ports, etc).
Dynamic IP address assignment via DHCP is a very important service; for example, course delivery in technology-enabled classrooms depends on reliable DHCP service. In order to provide a uniform level of service for all VCUnet users and help prevent addressing conflicts, all DHCP (and similar) services shall be provided by VCUnet only.
Revised 3/1/01
Physical Security for Communications Equipment and Cabling
All network-related hardware shall be housed in secure locations with access limited to authorized network personnel. If access to the area must be granted to other people then the equipment and all connections must be enclosed in a locked cage. In lieu of a locked cage, locked equipment cabinets may be installed.
The thrust of this requirement is to prevent the insertion of non-secure hubs or other devices or making configuration changes that would allow the interception of network traffic. Physical security is the foundation of all other security measures.
Access to the network rooms or closets in all buildings must be available to VCUnet personnel 24 hours a day, 7 days a week, in order to allow troubleshooting of network problems.
Critical locations may require remote environmental monitoring; temperature, power conditions, and intrusion alarms should be considered if mission-critical applications are supported from that location.
Installations completed prior to July 1, 1998 are temporarily excused from this requirement and do not need to be immediately re-worked to come into compliance. However, any significant upgrade or addition to an existing location will require that all connections in that location be brought into compliance. This temporary exclusion does not remove any departmental security responsibilities. If a sensitive or critical server or application (as defined by the State security policy) is active on a local network, it is incumbent on the server or application owner to have the physical security of the communications link improved immediately. All other networked applications should be protected as soon as possible.
Revised 3/1/01
Security Requirements for Communications Electronics
No communications gear (i.e., hubs, Ethernet switches, routers, wireless access points, cabling, etc.) will be purchased unless permission is first granted by VCUnet. In any case, all communications gear must be installed and operated by VCUnet staff.
All newly installed Ethernet hubs must be SNMP managed and provide an Eavesdrop Prevention security feature. Eavesdrop Prevention will cause the hub to learn the first MAC address that appears on a port and allow free access to that address only. Packets addressed to any other address will have the data field scrambled. The Eavesdrop Prevention feature will be controlled separately from Intruder Prevention, which will disable the port if a MAC address change is detected.
Ethernet switches provide the same or better security features as secure hubs and are the device of choice at this time. The current University standard for data equipment is the Cisco Catalyst series of switches.
Installations completed prior to July 1, 1998 are temporarily excused from this requirement and do not need to be immediately replaced to come into compliance. However, as equipment is upgraded, replaced, or added, the new equipment must conform to these standards. Non-compliant equipment removed from service may not be re-installed in another location. This temporary exclusion does not remove any departmental security responsibilities. If a sensitive or critical server or application (as defined by the State security policy) is active on a local network, it is incumbent on the server or application owner to have the security of the communications link improved immediately. All other networked applications should be protected as soon as possible.
All equipment passwords and SNMP community strings must be changed from the factory default prior to installation.
All network equipment shall be managed from the University Network Operations Center (NOC) only.
Two exceptions exist to the requirement that VCUnet install and operate all network equipment:
1) Equipment used to support clustered hosts (backend networks of locally attached hosts, such as Beowulf clusters) so long as the cluster appears to be a single device from the VCUnet perspective.
2) Experimental networks not attached to VCUnet.
Departments planning to operate clusters or experimental networks should inform VCUnet of their plans in order to improve support for the project and reduce miscommunication between staff.
Should the department running the cluster or experimental network wish to change the nature of the cluster (so that additional devices appear on VCUnet) or attach the experimental network to VCUnet, those installations must be tested and certified to meet all VCUnet standards in effect at that time. The department requesting the change in connection status will be responsible for funding the testing and certification as well as any cost to bring the installation up to standards. Testing, certification, and upgrades will be done under the supervision of VCUnet staff.
Revised 3/1/01
Virtual Private Networks
Virtual Private Networks (VPNs) can provide an added degree of security to transmissions over a network. VPNs can provide data encryption and multi-level authentication where these are needed to secure highly sensitive information.
Administrative Systems (Banner Applications)
Access to administrative applications from within VCUnet (excluding wireless connections) does not require VPN protection. However, when accessing those applications from the Internet additional protection is required. Users will be assigned to one of two levels of protection based upon the level of access required:
Users with significant change authority are required to use a VPN client and two-factor authentication when accessing administrative applications from the Internet. Significant change authority is defined as the ability to access control tables and processes, super-user accounts, or access to multiple departmental accounts.
Users with limited change authority will require a VPN client for encryption and a strong VPN ID and Password combination in addition to their normal logon ID and Password. Two-factor authentication is not required, but may be requested if desired.
The Director of Administrative Systems has the authority to define which functional positions require two-factor authentication.
Effective date 11/02/06
