OLD DOMINION UNIVERSITY 4.3.4.2 - Router-Switch Best Practices. (last updated : 20080305 )



Similar documents
CMS Operational Policy for Firewall Administration

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Recommended IP Telephony Architecture

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

IT Security Standard: Network Device Configuration and Management

8. Firewall Design & Implementation

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

U06 IT Infrastructure Policy

SonicWALL PCI 1.1 Implementation Guide

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

ΕΠΛ 674: Εργαστήριο 5 Firewalls

The Bomgar Appliance in the Network

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Introduction of Intrusion Detection Systems

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

CMPT 471 Networking II

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Network Security Policy

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Achieving PCI-Compliance through Cyberoam

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Cisco PIX vs. Checkpoint Firewall

SECURITY ADVISORY FROM PATTON ELECTRONICS

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Chapter 8 Router and Network Management

FIREWALL POLICY November 2006 TNS POL - 008

Network Security Guidelines. e-governance

GregSowell.com. Mikrotik Security

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

March

Architecture Overview

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Security Policy for External Customers

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Designing a security policy to protect your automation solution

74% 96 Action Items. Compliance

- Introduction to PIX/ASA Firewalls -

Firewalls & Intrusion Detection

Firewall and Router Policy


Firewalls. Chapter 3

8 steps to protect your Cisco router

FIREWALLS & CBAC. philip.heimer@hh.se

Securing Networks with PIX and ASA

Using Ranch Networks for Internal LAN Security

IBM. Vulnerability scanning and best practices

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Central Agency for Information Technology

CISCO IOS NETWORK SECURITY (IINS)

Security Technology: Firewalls and VPNs

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

ADM:49 DPS POLICY MANUAL Page 1 of 5

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Security Policies Tekenen? Florian Buijs

Firewall Defaults and Some Basic Rules

Cisco Secure PIX Firewall with Two Routers Configuration Example

SIP Trunking with Microsoft Office Communication Server 2007 R2

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

HANDBOOK 8 NETWORK SECURITY Version 1.0

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

SERVICE LEVEL AGREEMENT

Networking for Caribbean Development

LogRhythm and PCI Compliance

Overview. Firewall Security. Perimeter Security Devices. Routers

About Firewall Protection

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

DDoS Overview and Incident Response Guide. July 2014

CMS Operational Policy for Infrastructure Router Security

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Deploying ACLs to Manage Network Security

Introduction Installation firewall analyzer step by step installation Startup Syslog and SNMP setup on firewall side firewall analyzer startup

How to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager

Internet Security Firewalls

Firewall Design Principles

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Table of Contents. Configuring IP Access Lists

Using Skybox Solutions to Achieve PCI Compliance

Transcription:

OLD DOMINION UNIVERSITY 4.3.4.2 - Router-Switch Best Practices (last updated: 20080303) Introduction One of the information techlogy priorities for Old Dominion University (ODU) is to provide and maintain a safe secure computing environment. The Office of Computing and Communications Services (OCCS) manages multiple perimeter firewalls between its Internet connections and the University campus network providing the first level of defense against security threats to the University's network and information techlogy resources. OCCS maintains routers and switches that provide a robust and redundant network environment for academic, administrative, and research University communities. Purpose The purpose of this standard is to establish an understanding of the function that a router or switch plays in the overall security of ODU's network in documenting the configuration, maintenance, and monitoring of enterprise-wide router techlogy used to safeguard the University's information techlogy resources. O ld D o m in io n U n iv e rs ity R o u te r/s w itc h E n v iro n m e n t (last updated : 20080305 ) In te rn e t B o rd e r B o rd e r Forew all(s ) C o re V P N D is trib u tio n F a r m D istribution F ir e w a ll(s ) F a rm F ire w a ll(s ) O th e r p a rts o f c a m p u s A c c e s s S w itc h e s F a rm D is trib u tio n N e ts 1

Standard Statement All OCCS managed routers and switches at ODU must follow this standard. Departures from this standard will be permitted only if approved in advance and in writing by the Assistant Director of Communications Services. Conceptually, ODU's enterprise network techlogy divides the campus network into multiple layers. Each layer represents a different level of trust/protection. By enforcing a degree of separation between the layers, the firewalls and routers help prevent unauthorized access from a less trusted layer to a more trusted layer. From the inner most to the outer most, the layers are: core layer distribution layer access layer Border routers are used to provide security between the Internet and the University; access and distribution layer routers provide connectivity to the end stations. The core and distribution routers must have a redundant failover unit to provide service continuity should the primary unit fail. The router access control lists enforce specific security or business requirements. Access to the University's perimeter and/or internal network(s) will be based on parameters such as (but t limited to): Application/service use such as public, administrative, student only, internet only, etc IP address and port Outbound connections (more trusted to less trusted layer) are generally permitted by default Inbound connections (less trusted to more trusted layer) are denied by default. Given the nature of the University s academic environment, the border routers cant be configured to typical industry accepted standards (i.e. complete deny by default posture). ODU s border routers do t constrict all unnecessary traffic; it is open to all traffic and denies as needed Due to the requirements of high bandwidth and reduced latency, core routers do t inspect network traffic via access control lists. Distribution routers are utilized for specific traffic filtering and quality of service bandwidth management Access layer switches provide layer two connectivity from end-stations to the distribution layer and are t utilized for any security filtering. Due to individual security needs, depending on the type of information to be protected, the following information should be used to maximize the security of the network environment. The following type of network traffic should always be blocked: Inbound traffic from a n-authenticated source system with a destination address of the router system itself. Inbound traffic with a source address indicating that the packet did t originate from the access layer subnet. Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks at the border router. For reference purposes, RFC 1918 reserves the following address ranges for private networks: 10.0.0.0 to 10.255.255.255 (Class A) 172.16.0.0 to 172.31.255.255 (Class B) 192.168.0.0 to 192.168.255.255 (Class C) Additional blocked inbound networks 169.254.0.0 192.0.2.0 255.0.0.0 Inbound traffic containing Simple Network Management Protocol (SNMP) traffic except for specific network management stations. 2

Inbound traffic containing IP Source Routing information. Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost). Inbound or outbound network traffic containing a source or destination address of 0.0.0.0. Inbound or outbound traffic containing directed broadcast addresses. Border Router Configuration Blocked Services Protocol Service Port(s) (transport) Service 53 swipe 137 (tcp & udp) Netbios-ns 54 narp 138 (tcp & udp) Netbios-dgm 55 mobile 139 (tcp & udp) Netbios-ssn 57 skip 161 (tcp & udp) snmp 77 Sun-nd 162 (tcp & udp) snmp-trap 99 Encrypt method 171 255 reserved User Distribution Router Configuration Blocked Services User distribution routers are used to provide network traffic routing, validate source ip addresses from end stations, and security standard enforcement on a subnet-by-subnet basis. Server Distribution Router Configuration Blocked Services The server distribution routers are used in conjunction with firewalls to protect the campus main servers including mail servers, web servers, and database servers from the internet and other parts of the campus. The routers are used to provide network traffic routing, validate source ip addresses from end stations, and security standard enforcement on a subnet-bysubnet basis. Router configurations should be backed up to the configuration servers with the end of each change session. The configuration server backups should be internally situated backup mechanism, e.g., tape drive Logs The routers will be configured to use system logging (syslog) to export its log messages to designated syslog servers. The router logs will be backed up and archived in accordance with current practices implemented on the syslog server. The routers will be configured to only accept SNMP requests from specific network management devices. At a minimum, the router log will be configured to detect: 1. Emergencies, such as unusable messages 2. Alert, critical conditions, error and warning messages 3. Logon access and configuration attempts made to the firewall Router log activity, and router administrators examine the logs on a regular basis. The network time protocol (NTP) will be used to synchronize the logs with other logging systems such as intrusion detection. In addition to examining the logs, the Information Security Officer or his/her designee periodically reviews the configuration of the firewall to confirm that any changes made are legitimate. Router/Switch Physical Security All Old Dominion University router and switches must be located in locked rooms accessible only to those who must have physical access to such routers and switches to perform the tasks assigned by management. 3

Responsibilities The Information Security Officer is responsible for ensuring the implementation of the requirements of the router standards. Daily operation and maintenance of the router will be the responsibility of the Assistant Director of Communications Services. Employees who violate this standard may be subject to disciplinary action. Anyone who kws or has reason to believe that ather person has violated this standard should report the matter promptly to his or her supervisor or the Information Security Officer. All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, every effort will be made to handle the reported matter confidentially. Any attempt to retaliate against a person reporting a violation of this standard will itself be considered a violation of this standard that may result in disciplinary action. Change Management The system owner of a system located on a restricted subnet may request via a FootPrints ticket (or email if Footprints is unavailable), a router access control list (acl) change to allow (inbound connections) from a system on a less trusted network. 1. Temporary/testing access requests must include a reasonable expiration date t to exceed 30 days at a time. 2. Systems supporting access from the public internet (e.g. web and mail servers) will be scanned for vulnerabilities and approved by OCCS Security before firewall rules will be modified. The Assistant Director of Communications Services or his/her designee must approve in writing all configuration changes and rule requests. Changes will t be approved if the University determines them to be a threat to the confidentiality, integrity, or availability of its information techlogy resources and systems. Immediate emergency router acl changes to stabilize a network infrastructure situation such as an attack or compromise can be made as required with written tification to the Assistant Director of Communications Services. Router configurations will be reviewed annually or when there are major changes to the network requirements that may warrant significant changes to the router. Examples of such situations are (but t limited to): 1. The implementation of major enterprise computing environment modifications 2. Any occurrence of a major information security incident 3. When new applications are being considered. Alternatively, when an application is phased out or upgraded, the firewall configuration should be formally changed where appropriate. Operational Procedure For any service that needs to be open to the public, OCCS requires a vulnerability scan of the server. The server administrator will be required to fix all major and critical security problems before the OCCS Security Team will approve the request. All router acl requests must come from the system owner. Please review the ACL Request Procedures document. To place a router acl request, open a Footprints ticket. abuse@odu.edu. If Footprints is unavailable, please email your request to Please follow the diagram below before placing a router rule modification request. 4

Old Dominion University Router Request Work Flow (last updated: 20080303) Have a business need that requires access campus resources from Internet? Get authorization For request Request approved by system owner? Private Server Public or private server? Public Server A small group of employees Vendor or contractors Students with granted exception Many employees and students Large amount of students Entire internet community Discuss with OCCS security Team about opening VPN or router ticket Discuss with OCCS security team about services needs to be opened VPN supported services OCCS security team scan server for vulnerabilities Open vpn ticket Limited source IP addresses allowed on border router Server admin receives scan report and fixes problem, then request ather scan Pass scan? Server admin receives scan report. OCCS security team finish router acl request 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information