Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Transcription

1 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004E Payment Card Industry (PCI) Netwrk Security (prpsed) 01.1 Purpse The purpse f this Netwrk Security Rule is t ensure the effective management, peratin, integrity and security f the University f Utah ( University ) s infrmatin systems and netwrks invlved with string, prcessing, r transmitting PCI infrmatin Scpe The Netwrk Security Rule applies t all infrmatin systems, resurces and netwrks cnnected t the University s netwrk which stre, prcess, r transmit PCI Rule Statement University Infrmatin Technlgy ( UIT ) and Infrmatin Security shall implement a netwrk security prgram with netwrk perating prcedures and technical cntrls t manage the design, implementatin and maintenance f the University s PCI technlgy infrastructure Netwrk Access fr PCI Systems Use f Netwrk Services Well-defined cntrls and/r prcesses shall be fllwed when granting access t the University's netwrk services. [Ref: CS348, PCI] [Rules] The fllwing cntrls and/r prcesses shall be fllwed when granting access t the University's netwrk services: Cnnectins shall be authrized by the Infrmatin Security Office and Incme Accunting fr PCI. Any remte supprt services ffered by the netwrk service prviders shall cmply with University and/r PCI standards with regard t remte vendr supprt All netwrk services shall pass thrugh the University's firewall which will nly allw the defined prtcls and services required t prvide the functinality The functinality f defined prtcls and prts shall be analyzed as part f the risk assessment effrt during the initial firewall setup. Justificatin and dcumentatin shall be captured fr allwed risky prtcls including reasn fr use and security features

2 implemented. (Use f prtcls ffering a high degree f functinality that may pse a risk t the University's systems shall als be identified in the Risk Assessment Prcess) Apprpriate cntrls shall be put in place n the University's side f the netwrk t minimize the risk f unauthrized access r activity within PCI systems. When pssible, the cnnectin shall be initiated by the internal client t the netwrk service supplier Ensure that prper agreements are in place with infrmatin suppliers and held by Incme Accunting, the Privacy Office and the Office f General Cunsel. Firewalls will lg and mnitr all unauthrized activity Netwrk services prvided by third parties may have unique, cmplex security characteristics. Administrative units leveraging these netwrk services shall request detailed dcumentatin n the security attributes f all netwrk services prvided by third parties. [Ref: CS359] Inventry f Netwrk Access Pints All access pints t the University's netwrk shall be identified and dcumented by [UIT]. [Ref: CS350, PCI] [Rules] Netwrk access pints that shall be identified include: Wireless Ethernet Frame relay Dedicated lines Remte dial-up access Extranets Internet [UIT] shall als identify and dcument the applicatins and user grups that are accessed via the netwrk and map the internal and external cnnectivity between varius netwrk segments. The infrmatin shall be used by UIT in the design, cnfiguratin and maintenance f the University's netwrk Remte Diagnstic Prts Remte maintenance prts fr the University's infrmatin and cmmunicatin resurces shall be disabled until the specific time they are needed by a vendr wh has received prir

3 authrizatin by University persnnel. Audit lgs shall be reviewed fr all remte maintenance sessins and prts shall be disabled immediately after use. [Ref: CS351, PCI] An infrmatin system security plan shall address the installatin and use f remte diagnstic links. [Ref: CS582]

4 Netwrk Segregatin Netwrks shall be segregated r divided int separate lgical dmains, s access between dmains can be cntrlled by means f secure devices. [Ref: CS352] Switched netwrk technlgy shall be utilized when pssible, t prevent eavesdrpping, sessin stealing r ther explits based n the accessibility f netwrk traffic. A firewall shall be installed at all cnnectins frm an internal t any ther internal r external netwrk. [Ref: CS353] Servers which access external netwrks r are accessed frm external netwrks shall be lgically islated frm the private Intranet. [Ref: CS354] Netwrk Cnnectins The Infrmatin Security Office shall explicitly authrize all new cnnectins t external public netwrks (e.g. extranets). If the new cnnectin is an additinal cnnectin t a previusly certified external cnnectin, and the cnnectin is made fllwing the same cnfiguratin, then n prir apprval frm the Infrmatin Security Office is required. [Ref: CS355] All external access frm untrusted systems r netwrks (e.g. extranets) t any University netwrk shall be cntrlled thrugh the implementatin f an apprved firewall. A listing f apprved firewall prducts can be accessed by cntacting the Directin f Cmmn Infrastructure Services [Ref: CS363, PCI] Persnal cmputers, wrkstatins, and servers shall nt be cnnected t mre than ne netwrk at a time by using unauthrized means f bridging tw netwrks. This may include inserting mre than ne Netwrk Interface Card (NIC) r using a mdem while cnnected t anther netwrk. Dual-hmed systems require apprval by the Infrmatin Security Office. [Ref: CS512] Denial f Service ( DS ) attacks are actins that are designed t prevent r impair the use f netwrks, systems r applicatins by stressing system resurces such as prcessing units r netwrk bandwidth. The University shall implement specific cntrls t prevent DS attacks. [Ref: CS879] [Rules] The fllwing cntrls shall be implemented t prevent DS attacks: The [technical manager] respnsible fr [netwrk management] shall establish cmmunicatin prtcls and preventin and respnse prcedures with all Internet Service Prviders ( ISPs ) in the case f a DS attack. Intrusin detectin devices deplyed shall be cnfigured t specifically identify pssible DS situatins. Netwrk management prcedures shall be in place t mnitr netwrk bandwidth and usage and alert when threshlds indicate a ptential issue.

5 Netwrk devices cnnected t public netwrks shall be cnfigured specifically t prevent DS attacks including: Blcking the usage f services, such as ech and chargen, which n lnger serve a legitimate purpse and are used in DS attacks. Perfrming egress and ingress filtering t blck bviusly spfed packets. Blcking traffic frm unassigned IP address ranges, knwn as bgn lists. Attack tls that spf IP addresses may use addresses that have nt yet been assigned fr Internet usage. Writing and sequencing firewall rules and ruter access cntrl lists t blck traffic prperly. Cnfiguring brder ruters nt t frward directed bradcasts. Limiting incming and utging ICMP traffic t nly the necessary types and cdes. Blcking utging cnnectins t cmmn IRC, peer-t-peer service and instant messaging prts if the usage f such services is nt permitted. [Rules] The University shall define specific prcedures t respnd t a DS attack including: Prtcls t ntify and wrk with Internet Service Prviders. Backup cpies f critical infrmatin (prcedures, call lists, etc.) that may nt be accessible due t the DS attack. Cntainment strategies r prcedures fr cmmn scenaris f DS attacks. Evidential prcedures fr the cllectin f data in the case f a pssible criminal attack Netwrk Ruting Shared netwrks that extend acrss rganizatinal bundaries shall incrprate ruting cntrls t ensure cmputer cnnectins and infrmatin d nt breach the access cntrls f the applicatin. [Ref: CS356, PCI] Ruting cntrls shall be based n a psitive surce and destinatin address-checking mechanism. Only authrized University resurce administratrs shall be allwed t have physical and lgical access t netwrk ruters. [Ref: CS357] Prprietary ruting infrmatin pertaining t the private Intranet shall nt be prpagated t any untrusted netwrk. [Ref: CS358] [Rules] The fllwing prprietary ruting infrmatin shall nt be prpagated t any untrusted netwrk:

6 Ruting tables Dmain Name Service ( DNS ) names IP addresses Netwrk Address Translatin ( NAT ) tables Access Cntrl Lists ( ACLs ) Limitatin f Cnnectin Time Fr applicatins that supprt infrmatin classified as Restricted r Sensitive, resurce administratrs shall cnsider placing restrictins n the cnnectin times during which cnnectins are allwed t cmputer services, thus reducing the windw f pprtunity fr unauthrized access. Limiting cnnectin times is especially imprtant fr infrmatin resurces that are lcated in public r external areas that are utside the University's dmain f cntrl [management]. [Ref: CS471] 01.5 Netwrk Security Cntrl Devices fr PCI Systems Use f Firewalls All external access frm untrusted systems r netwrks (e.g. extranets) t any University netwrk shall be cntrlled thrugh the implementatin f an apprved firewall. A listing f apprved firewall prducts can be accessed by cntacting the Directr f Cmmn Infrastructure Services [Ref: CS363, PCI] All rules within the firewall rule base shall be restricted t nly allw the apprpriate traffic thrugh the firewall. All rules defined within the firewall shall be dcumented with a clear descriptin and definitin fr the business purpse f the rule. Firewall/ruter rule sets shall be reviewed quarterly. [Ref: CS364, PCI] [Rules] The firewall rule base shall: Restrict surce and destinatin IP addresses, prtcls, prts and applicatins (e.g. utbund traffic frm payment card applicatins shall be restricted t Internet Prtcl (IP) addresses within the Demilitarized Zne ( DMZ )). Be cnfigured t deny and lg suspicius packets (e.g. packets that have suspicius surce and destinatin prts). In the event a firewall fails, and a standby firewall is used, all active sessins n the firewall shall be re-authenticated n the standby firewall. [Ref: CS477] The Infrmatin Security Office shall be respnsible fr creating and maintaining the University's Firewall Management Prcedures. The Firewall Management Prcedures shall state

7 describe hw firewalls shall functin by establishing rules fr traffic cming int and ging ut f the security dmain, and fr hw the firewall will be managed and updated. [Ref: CS500, PCI] [Rules] The Firewall Management Prcedures shall address: Firewall tplgy and architecture (include applicatin firewalls in frnt f web-facing applicatins) Type f firewall(s) being used Physical placement t the firewall cmpnents Mnitring f firewall traffic Permissible traffic (generally based n the premise that all traffic nt expressly allwed is denied, detailing which applicatins can traverse the firewall and under what exact circumstances such activities can take place) Firewall updating Crdinatin with intrusin detectin and respnse mechanisms Respnsibility fr mnitring and enfrcing the Firewall Plicy Descriptin f grups, rles, and respnsibilities fr lgical management f netwrk cmpnents Prtcls and applicatins permitted Regular auditing f a firewall's cnfiguratin and testing f the firewall's effectiveness Cntingency planning Placement f firewalls within the netwrk architecture including n all cnnectins t public netwrks and between internal systems and perimeter devices such as wireless access pints r dial-in pints Use f Demilitarized Znes (DMZs) The University's Internet servers shall always be placed in a DMZ. By placing Internet servers and any ther servers in the DMZ, the University can reduce the ptential risk f unauthrized access t its infrmatin resurces. [Ref: CS356, PCI] Intrusin Detectin Sftware shall be implemented inside all DMZs t mnitr the firewall and t mnitr cmmunicatins allwed thrugh the firewall. [Ref: CS366, PCI] Packet Filter Cnfiguratin Well-defined cnfiguratin standards shall be applied t packet filters. [Ref: CS367, PCI]

8 [Rules] The fllwing standards shall be applied in relatin t packet filters: Cnfiguratin and cntrl f the packet filters shall be assumed internally and shall nly be pssible frm an internal interface All privileged prts, with the exceptin f explicitly required prts, shall be clsed All incming traffic t nn-privileged prts, except fr acknwledgement packets, shall be rejected. External packets with an internal surce IP address shall be identified and rejected, and an attacker alarm shall be triggered Internal packets with an external surce IP address shall be identified and rejected, and an attacker alarm shall be triggered Attacker alarms are defined as a ntificatin sent via r pager t supprt persnnel Ruter Cnfiguratin Well-defined ruter cnfiguratin standards shall be fllwed when cnfiguring ruters. The ruter cnfiguratin files shall be backed up and secured. [Ref: CS368, PCI] [Rules] The fllwing cnfiguratin standards shall be fllwed when cnfiguring ruters: Surce ruting shall be switched ff n the ruter External OSPF, RIP r ther ruting infrmatin prtcls shall be blcked Amngst the ICMP prtcls, nly ping may be accepted The TFTP prtcl shall be blcked SNMP traffic may nly be accepted by administratin wrkstatins and shall nt accept a public string At a minimum, the ruter shall lg rejected packets Remte access t the ruter requires strng authenticatin Remte access t the ruter shall be limited t internal wrkstatins Remte access t the ruter shall be limited t a static IP address Each administratr shall be identified with a persnal User ID All changes shall be dcumented IPv6 shuld be disabled unless it is apprved by the Directr f Cmmn Infrastructure Services

9 Running and startup cnfiguratin files shall be synchrnized Hst Cnfiguratin The cnfiguratin f the firewall perating system shall fllw well-defined security requirements in additin t the relevant baseline security cnfiguratin standard (e.g. UNIX, NT, etc.). [Ref: CS369] [Rules] The cnfiguratin f the firewall perating system shall satisfy the fllwing requirements: Packet frwarding shall be switched ff Remte access t the hst can nly be permitted frm specific internal hsts and requires strng authenticatin Each administratr shall be identified with a persnal User ID All unnecessary netwrk services shall be switched ff The "Berkeley r" prtcls shall be blcked NFS shall nt be used Neither cmpilers nr debuggers can be installed All changes shall be dcumented The perating system errr mde shall be set in such a manner that packets cannt pass thrugh if the firewall sftware crashes The firewall sftware shall be started befre the interfaces Apart frm the administratrs, n user is permitted t access the firewall cmputer It shall be ensured that vendr security patches are installed Regular basis integrity checks (e.g. at least nce a day) shall be cmpleted File Transfer Prtcl (FTP) Cnfiguratin standards shall be defined fr File Transfer Prtcls ( FTP ) used with untrusted systems. [Ref: CS372] [Rules] The fllwing standards fr FTP are applicable t use with untrusted systems: Incming file transfers shall be treated as external cnnectins and require apprval Incming annymus file transfer is nt permitted FTP cnfiguratin shall implement cntrls fr prtecting data channels

10 Outging file transfers (e.g. t an external server) are t be handled in accrdance with the University's Internet Security Plicy Hyper Text Transfer Prtcl (HTTP) Cnfiguratin standards shall be defined fr HTTP used with untrusted systems. [Ref: CS373] [Rules] The fllwing standards fr HTTP are applicable t use with untrusted systems: Prt 80 shall be blcked against external access Alternative prts such as 8080 shall be prtected against external access All HTTP servers that can be accessed externally shall be in a DMZ Prxying and/r stateful inspectin shall be used fr all cnnectins t and frm the public Internet and ther untrusted netwrks Rules f the University's Internet Security Plicy apply when accessing internal bjects Nn-Essential Services Cnfiguratin standards shall be defined fr services used with untrusted systems. [Ref: CS376] [Rules] The fllwing standards are applicable t services used with untrusted systems: All nn-ip prtcls shall be blcked by the firewall. SNMP traffic shall be blcked in bth directins NTP traffic is nly permitted t a central, internal timeserver The use f "Berkeley r" prtcls by the firewall is generally frbidden The firewall shall prevent the fllwing prtcls frm entering: NFS RPC prtmapper NIS TFTP X11 Finger UDP packets are nly permitted in cnjunctin with a "status-creating" prxy

11 All unused netwrk services (e.g. Telnet) and unnecessary shells and interpreters (e.g. Perl) shall be disabled n all WWW hst machines Dmain Name Server Cnfiguratin standards shall be defined fr DNS used with untrusted systems. [Ref: CS378] [Rules] The fllwing DNS standards are applicable t use with untrusted systems: Internal hst names and IP addresses are classified as "internal" and shall nt be visible externally Queries t nn-existent hst names shall be lgged and rejected A split DNS cnfiguratin shall be used External DNS entries are limited t servers externally accessible N queries may be frwarded t internal DNS services frm external DNS services Requirements fr Netwrk Traffic Filtering Filtering f netwrk traffic t cntrl and restrict access acrss the University's netwrk perimeter shall be utilized. [Ref: CS382, PCI] [Rules] This filtering f netwrk traffic shall include: Destinatin and surce IP addresses Prts Applicatins Prtcls Any nn-business justified traffic that is prhibited by the University's infrmatin security plicies Prprietary Ruting Infrmatin Methds shall be utilized t prevent prprietary ruting infrmatin frm being prpagated. [Ref: CS383, PCI] [Rules] Methds t bscure prprietary ruting infrmatin may include: Netwrk Address Translatin ( NAT ) Placing servers cntaining cardhlder data behind prxy servers/firewalls r cntent caches

12 Remval r filtering f rute advertisements fr private netwrks that emply registered addressing Internal use f RFC1918 address space instead f registered addresses 01.6 Cntacts A. Rule Owner: Questins abut this rule shuld be directed t the CISO, IT_plicy@utah.edu B. Plicy Officer: Only the CIO, , has the authrity t grant exceptins t this rule.

13 01.7 References A. Plicy 4-002: Infrmatin Resurces Plicy B. Plicy 4-004: University f Utah Infrmatin Security Plicy C Plicy Meta-Data A. Plicy Owner B. Audience C. Status D. Published Date E. Effective Date F. Next Review Date 01.9 Revisin Histry