4. Network Management
This section of the toolkit adds further detail to the corresponding Network Management sub-policy within the University's Information Security Policy.
The unit is responsible for all connections on the unit's side of the FRODO box. The University does not operate an organisational level firewall at the JANET link. Whilst a small number of ports are blocked inbound by router access control lists, this should NOT be seen as sufficient protection for individual units. Instead the backbone network should be treated like the Internet and each unit should have their own means of controlling traffic to and from their network. Usually this would mean operating a unit level firewall and/or a series of firewalls at strategic locations in order to prevent unauthorised network traffic. Where units do not operate a firewall there should be documented justification for this decision and, where appropriate, alternative controls should be put in place. This could include, for example, switch or router access control lists. Firewalls or other devices for restricting information flows should be based on source and destination address checking mechanisms.
Any firewall rulesets (or other means of access control) should be in line with an agreed access control policy. A good starting point would be to opt for a default deny inbound policy and a default allow outbound policy; however, there may be good reasons for choosing other policies. Whatever the setup, only authorised traffic should be allowed to traverse the network, and so it is advised that access is restricted to only the necessary locations and only the necessary services. For example, where remote access is required (e.g. SSH or Remote Desktop), this could be restricted to a known set of IP addresses such as a static or VPN range. Only access to the necessary ports should be allowed, and it may be worth considering the use of non-standard ports, if appropriate.
Firewall rules and other access control lists should be checked at regular intervals to ensure they are behaving as expected. This could be done on a monthly basis and should always be done when significant changes are made to the configuration. Units should have procedures in place to ensure that changes to firewall configurations are controlled, and rulesets should always be checked after configuration changes or troubleshooting. A full record of any changes should be maintained.
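As an added illustration of the two points above (the default deny inbound, default allow outbound starting point with remote access limited to a VPN range, and the regular check of the ruleset), the following POSIX shell script is an example written for this page and is not configuration from the University or this toolkit. It generates an nftables ruleset in which SSH (22) and Remote Desktop (3389) are accepted only from an assumed VPN range, and then checks a ruleset dump for two properties of that policy. The table name, the web ports and the range 10.0.0.0/16 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not configuration from the University or this toolkit.
# gen_ruleset prints an nftables ruleset with a default deny inbound and
# default allow outbound policy; SSH (22) and Remote Desktop (3389) are
# accepted only from the range given as $1. check_ruleset reads a ruleset
# dump on stdin and reports whether it still follows that policy.
# Table name, the web ports and the VPN range are assumptions.

VPN_RANGE="${VPN_RANGE:-10.0.0.0/16}"   # constructed placeholder, not a real University range

gen_ruleset() {
    range="$1"
    cat <<EOF
table inet unit_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr $range tcp dport { 22, 3389 } accept
        tcp dport { 80, 443 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Returns 1 if the input chain is not default deny, 2 if a management port
# (22 or 3389) is accepted without a source-address restriction, 0 otherwise.
check_ruleset() {
    dump="$(cat)"
    if ! printf '%s\n' "$dump" | grep -q 'hook input .*policy drop;'; then
        echo "FAIL: input chain is not default deny" >&2
        return 1
    fi
    # A dport rule for 22 or 3389 with no "saddr" match is open to every source.
    if printf '%s\n' "$dump" | grep dport | grep -Ew '(22|3389)' | grep -v saddr | grep -q accept; then
        echo "FAIL: management port accepted without a source restriction" >&2
        return 2
    fi
    echo "OK: ruleset follows the access control policy"
}

# Stand-alone run: generate the ruleset and check it.
gen_ruleset "$VPN_RANGE" | check_ruleset
```

In use, the check would be fed the live output of `nft list ruleset` at the monthly check and after every change or troubleshooting session, and that output saved alongside the last approved version so that the saved copies form the change record.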
Network management and control should ensure the security of information in networks and the protection of connected services from unauthorised access. Responsibilities for network management should therefore be clearly assigned, and all networks should be managed by suitably qualified and experienced staff. This is in order to avoid costly errors, inappropriate access to network devices (e.g. from non-IT support staff) and/or slow responses to fixing problems which may have an impact on the unit and/or the University as a whole. ITS3 at OUCS can help to organise appropriate training courses.
A list of services available to Network Administrators can be found within the OxCERT webpages. This includes any chargeable services. NSMS also offer a chargeable network management service, details of which can be found at: NSMS network management service.
Any network services and their security requirements should be clearly identified. Such services might include the provision of connections, private network services and managed security solutions such as firewalls and intrusion detection systems. Security features of services could be technology such as authentication, encryption etc. or procedures to restrict access to services or applications.
Where possible, network traffic should be appropriately segregated, with routing and access controls between the domains. This could include, for example, separating traffic on untrusted "public" networks from that of staff and students. Thought may also be given to segregating critical assets where the loss or compromise of that asset would have a big impact on the operation of the unit. DMZs could be used, for example, to protect access to major services such as mail servers, web servers or domain controllers. Consideration should also be given to the segregation of wireless networks from internal and private networks.
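To make the segregation described above concrete, the following script is an added example written for this page (not part of the toolkit or any University configuration). It records which zone may open connections to which other zone as a small policy matrix, emits a default-deny nftables forward chain from it, and answers whether a given new flow is permitted. The zone names (public, staff, dmz, wifi), their interfaces and the permitted ports are all assumptions chosen for the illustration; anything not listed in the matrix is dropped.

```shell
#!/bin/sh
# Added example, not University or toolkit configuration. Zones, interfaces
# and ports are assumptions. Each line of ZONE_POLICY is "from to ports";
# "-" means no new connections in that direction. Anything absent from the
# matrix falls through to the forward chain's "policy drop".
ZONE_POLICY='
public  dmz    80,443
staff   dmz    80,443,25
wifi    dmz    80,443
staff   public -
dmz     staff  -
'

# Assumed interface per zone (constructed for the example).
zone_iface() {
    case "$1" in
        public) echo eth1 ;;
        staff)  echo eth2 ;;
        dmz)    echo eth3 ;;
        wifi)   echo wlan0 ;;
        *)      return 1 ;;
    esac
}

# Print a default-deny forward chain with one accept rule per permitted
# zone pair; replies to established connections are allowed back.
gen_forward_chain() {
    echo 'chain forward {'
    echo '    type filter hook forward priority 0; policy drop;'
    echo '    ct state established,related accept'
    printf '%s\n' "$ZONE_POLICY" | while read -r from to ports; do
        [ -z "$from" ] && continue
        [ "$ports" = "-" ] && continue
        printf '    iifname "%s" oifname "%s" tcp dport { %s } accept\n' \
            "$(zone_iface "$from")" "$(zone_iface "$to")" \
            "$(echo "$ports" | sed 's/,/, /g')"
    done
    echo '}'
}

# flow_allowed FROM TO PORT: succeed only if the matrix permits that new
# connection. Direction matters: dmz -> staff is refused even though
# staff -> dmz is allowed.
flow_allowed() {
    printf '%s\n' "$ZONE_POLICY" | while read -r from to ports; do
        if [ "$from" = "$1" ] && [ "$to" = "$2" ]; then
            case ",$ports," in *",$3,"*) echo allowed ;; esac
        fi
    done | grep -q allowed
}

# Stand-alone run: show the generated chain.
gen_forward_chain
```

Keeping the matrix as the source of truth, and generating the rules from it, means a reviewer checks a few readable lines rather than the rendered ruleset, and the DMZ hosts (mail, web, domain controllers in the text's examples) can be reached from the public side without any path from the public side into the staff network.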
Appropriate physical security for network cabling will depend on the physical environment and the sensitivity of any data being transferred. Particular attention should be paid to cabling which is exposed in public areas or exposed to the physical elements. For example, cabling and other network equipment may be at risk of flooding in parts of Oxford, and appropriate controls should be implemented to mitigate the risk. Where particular network links carry sensitive data, or where availability is a key priority, protection against interception or accidental damage should be implemented.