Secondary DMZ: DMZ (2)

Transcription

1 Secondary DMZ: DMZ (2) Demilitarized zone (DMZ): From a computer security perspective DMZ is a physical and/ or logical sub-network that resides on the perimeter network, facing an un-trusted network or in most cases the internet. This zone holds all services that need to be accessed from the un-trusted network. The purpose of having a DMZ is to add an additional layer of security to the institutions internal network (in our case it will be the University s production network). We currently have a DMZ (1) which is being populated with services that need to be accessed from the internet. However, there is a growing need for services that are tangentially connected to the university that reside at the university, as well as users other than IT administrators to be able to setup, test and/or deploy custom or proprietary applications, systems that are not supported by Information Technology (IT). In order satisfy this requirement we are creating a second DMZ, DMZ (2). The idea here is to facilitate and enhance the academic environment by providing a zone which could be used by non-it administrators while not putting the institutions internal infrastructure at risk. This zone will have systems and applications that are not entirely supported by IT. There will be two categories into which all systems and services in this zone will be grouped. Some of the systems will be provided hardware and software (OS level only, no application level support). The remainder are supported and maintained by respective data owners. The details with regards to groupings are given in the following sections of this document. All systems and services regardless of the owner must always comply with the University s Acceptable Use Policy. The University s Acceptable Use Policy states that IT reserves the right to shut down or turn off services if any of the systems or services is found to be in violation of the acceptable use policy. Similar action will be taken if any of the services or systems are suspected to be or found to be the cause of being a part of any malicious activity. 1

2 2

3 Mapping Systems to DMZ: Taxonomy of systems DMZ (2): This zone will have systems that fall in one of the two categories below. IT will monitor these systems to look for any suspicious activity. IT also reserves the right to shutdown any and all services and/ or systems that are suspected to be part of any malicious activity or are in violation of the acceptable use policy. A: Systems in this zone under category A are those that will have hardware and software (up to OS level, web server level) support from IT. The applications will have to be installed, setup, patched and maintained by the data owner. All systems in this category must be compliant with the policy on IT authorized services. There will be no rate limiting. B: Systems in this zone under category B are those that will have to be procured, setup and maintained by the data owners. The data owners will be responsible for securing funding for purchase of hardware, software (including OS) and applications. There will be a limitation on Bandwidth usage (rate limiting of internet bandwidth). All systems in the DMZ (2) must be patched and must have Anti Virus (AV) software installed with the latest updates. They must have internal firewalls (Windows, Red Hat etc.) turned on. This will be monitored by performing periodic scans and audits. If the systems are found without the latest OS level patches and AV updates then those systems will be quarantined or taken offline until the required patches and AV have been installed. All systems in DMZ (2A and 2B) which are running Microsoft OS must be patched by the 3 rd Friday of every month. Patches are released by Microsoft on the second Tuesday of every month. This gives sufficient time to apply the latest OS level patches. It is important to apply patches ASAP since systems without patches are an easy target for being exploited and this will put the BSU infrastructure at risk. All applications must be patched as soon as patches are made available by individual vendors. All university affiliated websites with static web content will be hosted under the DMZ (2A) category. If the content on the websites is dynamic then the server will be hosted under the DMZ (2B) category and DMZ (2B) rules apply. The IT supported OS for systems in DMZ (2A) are Windows and Red Hat. The user will not be given administrator level access to any system in DMZ (2A). Application level access may be provided to systems that are running Red Hat. Systems in DMZ (2B) will not put on the BSU domain. Local accounts: All local accounts on servers must be disabled or password protected in accordance with BSU s complex password policy. All guest and unused accounts must be disabled. The administrator account must be renamed. No default credentials should be in use. Remote administration: All users who wish to manage their systems remotely will have to go through a VPN to gain access for administration. 3

4 All servers in the secondary DMZ are required to be rack mountable and must have a UPS to accommodate any possible interruption of power. SUPPORT Admin Network, DMZ (2A) DMZ (2B) DMZ (1) Hardware IT IT: VMWARE User OS IT IT User Application install IT User User Patching (OS) IT IT User AV IT IT User Administration Account Application update and patching IT User, IT User IT User User Monitoring IT IT IT Backup IT Case by Case User Remote access SSL VPN with RSA token SSL VPN with RSA token SSL VPN Web Server support IT IT (Static content) User (Dynamic content) Firewall IT IT User Network Drive mapping Allowed Not allowed Not allowed Physical access IT administrators only Limited (Escorted access) Limited (Escorted access) The networking rules for systems in DMZ (2) are as below: Summary of access rules: No direct access (inbound or outbound) is allowed between the DMZ (2) and the DMZ (1) or between the DMZ (2) and the admin network, unless otherwise specified. Changes to the access rules and or services will be decided on a case by case basis. To request a change, a business request is required with 4

5 sufficient justification. After submission of the change request a review process will be initiated by IT. Any change thus made must be in accordance with the acceptable use policy. From Internet to DMZ (2) Access to be given on a need to use/ request to use basis. A request has to be made by the user asking for the ports and services to be opened that they need. They will also have to justify the request by providing information on how and for what the requested ports and services will be used for. From DMZ (2) to internet Access to be given on a need to use/ request to use basis. A request has to be made by the user asking for the ports and services to be opened that they need. They will also have to justify the request by providing information on how and for what the requested ports and services will be used for. From Admin Network to DMZ (2) No direct access. There will be no services or ports available for traffic flow directly from admin network to the DMZ (2). If a system in the admin network needs to connect to a system in the DMZ (2), it will have to leave the perimeter firewall and re-enter as if coming from the internet. From DMZ (2) to Admin network No direct access. There will be no services or ports available for traffic flow from admin network to the DMZ (2). If a system in the DMZ (2) needs to connect to a system in the admin network, it will have to leave the perimeter firewall and re-enter as if coming from the internet. It will also have to conform to the firewall rules set by the firewall protecting the admin network. From DMZ (1) to DMZ (2) No direct access. There should be no services or ports available for traffic flow from admin network to the DMZ (2). If a system in the DMZ (1) needs to connect to a system in the DMZ (2), it will have to leave the perimeter firewall and re-enter as if coming from the internet From DMZ (2) to DMZ (1) No direct access. There should be no services or ports available for traffic flow from admin network to the DMZ (2). 5

6 If a system in the DMZ (2) needs to connect to a system in the DMZ (1), it will have to leave the perimeter firewall and re-enter as if coming from the internet. It will also have to conform to all inbound firewall rules. Physical access to all systems in the secondary DMZ Physical access to systems in the secondary DMZ is limited. System owners for servers in the secondary DMZ will have escorted physical access. Requests will have to be made in advance for gaining physical access. System owners will have to provide IT in advance a list of users who manage servers and who may need escorted access to the servers. Monitoring and violations: Data owners agree and understand that all systems and services within BSU infrastructure are monitored both actively and passively. This is required to maintain security of BSU infrastructure and for compliance purposes. All systems must be patched and must have Anti Virus installed with the latest updates. They must have internal firewalls (Windows server 2003 and later) turned on. All applications installed on these systems must also be patched with the latest updates that are made available by respective vendors. If systems are found to be lacking the latest application and OS level patches and AV updates then those systems will be quarantined or taken offline until the required patches and AV have been installed. Local accounts with default access credentials (username and password) are prohibited. IT reserves the right to power off or disable access to a system or server if found to be in violation of the acceptable use policy is detected. If a violation is detected due to necessary patches not being applied, a forty eight hour notice will be provided prior to disabling access or shutting a service off. However, immediate action will be taken if the malicious activity is detected. However, this is not guaranteed in some cases where we see malicious activity. The server (s) may be turned off and all services terminated if any incident or chances for the occurrence of an incident are detected. An incident is defined as harm or intent to cause harm to the interests of the institution or the institution s infrastructure. The owner will be notified after these actions have been completed. There is an appeal process for services to be re-instated. Service Level Agreement: I agree to perform the following functions to maintain the integrity of the servers in the secondary DMZ: 1) to comply with the University s Acceptable User Policy 2) to comply with the University s Confidential Data policy 3) to patch the OS on these servers on time, latest by the second Friday of every month 4) to make sure that all applications installed are patched up-to-date 5) make sure that there is a host based firewall installed and enabled 6) make sure anti-virus installed, enabled and up-to-date with the latest definitions 7) make sure that no confidential data, as defined by the Data Classification standard is stored and or used on servers in the secondary DMZ 6

7 8) be responsible for maintaining and administering the servers in secondary DMZ as listed below including but not limited to backing up, restoring and any and all other modifications to the servers 9) that I will have to submit a request to IT to open ports and services at the firewall, each time I need a change or need a new service I am also aware that IT will monitor network activity in the secondary DMZ and IT has the right to shutdown servers and services if it detects any malicious activity. I will fully cooperate with IT in case there is an investigation. By signing below I take full responsibility of the content and usage of the servers I manage in the secondary DMZ. I also acknowledge that I have read the Secondary DMZ document and agree to abide by the rules mentioned herein. I also release IT of any responsibility towards the maintenance and functioning of the systems mentioned below: Server Names: 1) NAME in DMZ(2B) (Signature) Printed Name: Date: 7