• Policies, Procedures & Guidelines
• Best Practices & Resources
• Secure Passwords
• Training
• Incident Response
• Breach Notification
• ISRS Security Forms
• Steering Committee

Network Standard

Introduction
Scope
Network Devices
Network Peripherals
Network Management
Compliance

1.0 Introduction

1.1 Purpose

This document will establish a framework for the management of the MnSCU network infrastructure.

1.2 Background

MnSCU has adopted a defense in depth strategy for Information Security. Management of the network infrastructure elements, based upon established Security Perimeters and Security Zones, is one layer of the security model.

2.0 Scope

2.1 Users

This standard shall apply to all administrators and managers of the MnSCU network infrastructure.

2.2 Systems

This standard shall apply to all network elements that are part of the MnSCU network infrastructure.

3.0 Network Devices

3.1 General

3.1.1 Procurement

Uncontrolled procurement may introduce unknown risk.

• All Network Devices shall be approved by the Information Security Manager or designee.

3.1.2 Tracking

Stewardship responsibilities require assets to be accountable.

• All Network Devices shall be registered with the asset management system before introduction into ANY security zone.
• Removal of any registered asset shall require approval of the Information Security Manager or designee.

3.1.3 Physical and Environmental considerations

Stewardship responsibilities require locations to be adequate.

• All Network Devices shall be installed in compliance with all relevant physical and environmental codes and standards.

3.1.4 System Time

Accurate system time is required for proper event reconstruction and forensics.

• All Network Devices shall synchronize internal system clocks via facility time servers.

3.1.5 Maintenance Ports

Maintenance ports allow uncontrolled access to the Network Device.

• No unattended maintenance ports shall be allowed on any Network Devices.
• All Network Device maintenance ports shall have password protected screen savers with a timeout of not more than 5 minutes.

3.1.6 Default username/passwords and accounts

Network Devices typically come with well-known default username/passwords for administrative access.

• All default username/password combinations shall be changed on all Network Devices.
• All default accounts shall be justified or deleted on all Network Devices.

3.1.7 User accounts

The existence of any user accounts should be based on business requirements.

• All unnecessary user accounts shall be disabled on all Network Devices.
• User accounts shall not be shared.

3.1.8 Log-on warnings

Log-on warnings inform users of rights, obligations, and recourse.

• A log-on banner informing users as to authorizations, and recourse shall be presented on each log-on attempt.

3.1.9 Logging

Logging is crucial to accurate event reconstruction.

• All Network Devices shall enable logging.
• All Network Device administrative log-ons shall be logged.
• All logging shall be time stamped with NTP synchronized time base
• All Network Devices shall log to a discreet logfile on an authorized log repository.

3.1.10 Device Naming

Retrieval of Network Device names may allow network mapping, both physical and logical.

Network Devices shall have names that have no relevance to:

• MnSCU
• device function
• location in the network architecture.

3.1.11 Network changes

Changes to any portion of the network infrastructure must be managed to preclude inadvertent introduction of vulnerabilities.

• All network changes shall be governed by a Configuration Control process
• Any network element changes shall require:
  • re-baselining of the network audit.
  • re-baselining of the host operating system.

3.2 Routers

• Border routers have one or more interface external to the MnSCU network
• Internal routers have all interfaces on the MnSCU network

3.2.1 General

• All routing functionality and protocols shall be standards based.
• All configurations shall be saved prior to any configuration changes.
• A backup copy of all running configurations shall be maintained external to the device.
• Anti-spoofing shall be practiced at all interfaces to ensure source addresses are valid.

3.2.2 Border

• Border routers shall utilize access lists to filter and control traffic that passes through them.
• Border routers shall utilize BGP4 routing protocol for external WAN links and OSPF routing protocol for all internal WAN links.

3.2.3 Internal

• Internal routers shall utilize access lists to filter and control traffic that passes through them.
• Internal routers that use dynamic routing shall utilize OSPF routing protocol.

3.2.4 Access Control

3.2.4.1 Physical

• All routers shall be installed within a High Security Perimeter.
• All routers shall be physically accessible only to authorized personnel.

3.2.4.2 Logical

• All unnecessary console ports shall be disabled.
• All required console ports shall be password and access list protected.
• Remote access shall only be allowed via secure encrypted link.
• Remote access shall only be allowed from within a High Security Perimeter.

3.2.5 Administration

3.2.5.1 Administrative authorization

• Only authorized roles shall be allowed to log in to and modify router configurations.

3.2.5.2 Administrative accounts

• Authorized administrators shall have unique accounts

3.2.5.3 Administrative authentication

• Administrative authentication shall be a minimum of two factor.
• All passwords shall be encrypted.
• There shall be no administrator default password.
• Passwords shall be unique for each account.
• Passwords shall expire every 30 days
• Passwords shall be a minimum 8 characters in length
• Passwords shall be a mixture of characters and numbers

3.3 Switches / Hubs

3.3.1 General

• All inter- switch communication shall be standards based
• All configurations shall be saved prior to any configuration changes.
• A backup copy of all running configurations shall be maintained external to the device.

3.3.2 Core Switches

• All unused ports shall be disabled
• All active user ports shall be locked down to a discreet MAC address.

3.3.2.1 Physical Access Control

• All switches shall be installed within a High Security Perimeter.
• All switches shall be physically accessible only to authorized personnel.

3.3.2.2 Logical Access Control

• All unnecessary console ports shall be disabled.
• All required console ports shall be password and access list protected.
• Remote access shall only be allowed via secure encrypted link .
• Remote access shall only be allowed from a High Security Perimeter.
• All passwords shall be encrypted.

3.3.3 Secure Distribution Switches

• All unused ports shall be disabled

3.3.3.1 Physical Access Control

• All switches shall be installed within a High Security Perimeter.
• All switches shall be physically accessible only to authorized personnel.

3.3.3.2 Logical Access Control

• All unnecessary console ports shall be disabled.
• All required console ports shall be password and access list protected.
• Remote access shall only be allowed via secure encrypted link.
• Remote access shall only be allowed from a High Security Perimeter.
• All passwords shall be encrypted.

3.3.4 Unsecure Distribution Switches

3.3.4.1 Physical Access Control

• All switches shall be installed within a secure perimeter.

3.3.4.2 Logical Access Control

• All unnecessary console ports shall be disabled.
• All required console ports shall be password and access list protected.
• Remote access shall only be allowed via secure encrypted link.
• Remote access shall only be allowed from a High Security Perimeter.
• All passwords shall be encrypted.

3.3.5 Administration

3.3.5.1 Administrative authorization

• Only authorized roles shall be allowed to log in to and modify switch / hub configurations.

3.3.5.2 Administrative accounts

• Authorized administrators shall have unique accounts

3.3.5.3 Administrative passwords

All passwords shall be encrypted.

• There shall be no administrator default password.
• Passwords shall be unique for each account.
• Passwords shall expire every 30 days
• Passwords shall be a minimum 8 characters in length
• Passwords shall be a mixture of characters and numbers

3.3.6 VLAN?s

Switches capable of supporting VLAN?s must be considered potential extensions of security perimeters and/or zones as defined in the Data Protection Standard.

• Switches serving as VLAN trunk terminations must meet the most restrictive zone protection requirements of any trunk member VLAN.

3.4 Firewalls

3.4.1 General

• Default configuration on all firewall interfaces shall be ?deny all?
• All firewalls shall have a trusted secure path for firewall management
• All firewalls shall have audit capabilities
• All firewalls shall have alarm capabilities
• Services allowed shall be based on business requirements.
• Services allowed shall be approved by the Information Security Manager or designee.

3.4.2 Internet (external) Interfaces

• All inbound traffic with an internal network source address shall be dropped as an anti spoofing measure.
• SYN flood protection shall be enabled.

3.4.3 MnSCU (internal) Interfaces

• ICMP echo request and reply shall be allowed only to/from a High Security Perimeter.

3.4.4 DMZ Interfaces

• All inbound traffic with a DMZ network source address shall be dropped
• ICMP echo request and reply shall be allowed.

3.4.5 Lab Interfaces

• ICMP echo request and reply shall be allowed only to/from a High Security Perimeter.

3.4.6 Management Interfaces

• Only traffic with a source address from the management console shall be allowed inbound.
• Only traffic with a destination address of the management console shall be allowed outbound.

3.4.7 Access Control

3.4.7.1 Physical

• All firewalls shall be installed within a High Security Perimeter.
• All firewalls shall be physically accessible only to authorized personnel.

3.4.7.2 Logical

• All unnecessary console ports shall be disabled.
• All required console ports shall be password and access list protected.
• Remote access shall only be allowed via secure encrypted link.
• Remote access shall only be allowed from a High Security Perimeter

3.4.8 Administration

3.4.8.1 Administrative authorization

• Only authorized roles shall be allowed to log in to and modify firewall configurations.

3.4.8.2 Administrative accounts

• Authorized administrators shall have unique accounts

3.4.8.3 Administrative passwords

• All passwords shall be encrypted.
• There shall be no administrator default password.
• Passwords shall be unique for each account.
• Passwords shall expire every 30 days
• Passwords shall be a minimum 8 characters in length
• Passwords shall be a mixture of characters and numbers

3.5 Remote Access

3.5.1 Wireless Access Points

• WAP?s shall not be permitted within a logical High Security Perimeter.
• All WAP?s shall have WEP enabled
• All default passwords shall be changed
• All guest accounts shall be disabled

3.5.2 Dial-in

• Dial-in authentication shall not use static passwords
• Dial-in authentication shall not use shared accounts.

3.5.3 VPN

• Network VPN?s shall terminate in a dedicated VPN device approved by the Information Security Manager or designee.
• VPN usage shall be governed by the protection requirements of the Data Protection standard
• VPN devices shall terminate client-server tunnels after 30 minutes of inactivity.

3.6 Cabling

• All cabling shall be in accordance with ?Building wiring standards for state owned buildings? from the State of Minnesota Department of Administration.
• Cable terminations shall only be accessible to authorized personnel.
• All cables shall be labeled.

4.0 Network Peripherals

4.1 General

4.1.1 Procurement

• All Network Peripherals shall be approved by the Information Security Manager or designee.

4.1.2 Tracking

• All Network Peripherals shall be registered with the asset management system before introduction into ANY security zone.
• Removal of any registered asset shall require approval of the Information Security Manager or designee.

4.1.3 Physical and Environmental considerations

• All Network Peripherals shall be installed in compliance with all relevant physical and environmental codes and standards.

4.2 Printers / Copiers / FAX

• Printers / Copiers / FAX devices shall be governed by the requirements of the Data Protection Standard.
  • Devices shall be configured to clear caches upon completion of reproduction jobs.
  • Devices reproducing RESTRICTED or PROTECTED data must reside within logical High Security Perimeters.
    

4.3 IP Telephones

• IP telephone usage shall be governed by the requirements of the Telecommunication Standard.

5.0 Network Management

Network management is fundamental to the efficient operation of the network, both internally and externally.

5.1 SNMP

• SNMP aware devices shall have SNMP enabled for network management
• Community strings shall not be named ?public?, nor ?private?
• SNMP access shall only be permitted from a High Security Perimeter.

6.0 Compliance

MnSCU local networks interfaces with the outside world via routers, firewalls, or switches. Any of these devices may serve as a gateway into the MnSCU network and as such, must be protected.

6.1 Baseline

• The MnSCU network shall be scanned to obtain a baseline.
  • The network shall be scanned from the public internet
  • All MnSCU internal subnets shall be scanned.

6.2 Monitor

• Network paths shall be capable of being monitored by an intrusion detection/monitoring system.

6.3 Audit

• Network audits shall be performed from the public Internet on a semester basis.
• Network audits shall be performed on each internal subnet on a semester basis.
• Host audits shall be performed against all network hosts on a semester basis.
• All audits shall be compared against existing pre-established baselines
• Current standards require a password with a minimum length of 6 characters and a maximum length of 8 characters. A minimum length of 8 characters would increase the difficulty of a brute force attack.
• A password segment in the Security Awareness curriculum should demonstrate the need for password security. The sophistication and reality of brute force attacks could be emphasized to make the point.