Network Infrastructure Security Model
Version: 1.0
Status: Approved; 04/20/05
Contact: Charles N. Ponton
PURPOSE
Network and data security are two of the leading challenges for IT
administrators in higher education. This is due in part to the need to collect
highly sensitive information regarding students, faculty, and staff as well as
stiff resistance to implementing an effective security policy. This model
establishes the basic framework for building an effective plan to secure the
local campus network infrastructure to include the local area network and
supported information systems.
SCOPE
This model covers the campus or location network infrastructure, which
includes the Internet connection, local network equipment, servers, desktop
computers, wireless access points, and all supported information systems.
APPLICABILITY
This standard applies to the twenty-three community colleges, System Office,
and all VCCS ITS Enterprise Services locations.
DEFINITION
MODEL
The Information Technology Services (ITS) office has been engaged in
determining and developing security guidelines that will provide direction and a
framework to VCCS colleges to effectively secure their local network
infrastructure and information systems. The network backbone and Internet
connectivity are provided by Network.Virginia, and each individual campus has a
separate DS3 connection to the network. This design has created 44 separate
networks. Each college network infrastructure is independent of the others,
which presents some difficulty with respect to security.
A campus may vary with regards to network equipment, applications, and
services provided. As a result, each campus must be treated independently with
regard to security. The following guidelines are structured to address those
areas that are common to all campuses. Security does not stop at the edge router
or with a firewall. Because of various security threats, such as hacking,
viruses, worms, Trojan horses, and denial-of-service attacks, security must be
applied throughout the network to the desktop computer level. These guidelines
provide recommendations that will effectively minimize any potential security
threats to the network infrastructure.
The VCCS network security model is organized into three (3) security access
levels: open access, controlled access, and secured access. The security access
levels define the potential impact on colleges or individuals should there be a
breach of security (a loss of confidentiality, integrity or availability). Each
security access level is divided into four (4) functional protection areas:
firewall, router, switch, and server protection. The functional protection
areas define hardware that is generally common to all campuses. The security
access levels dictate how much security is required in each of the functional
protection areas. Secondly, the model defines separate guidelines for wireless
infrastructures. A college will either use the general process described in
this document, or must develop a tailored process that meets its specific needs
as well as the needs and/or requirements specified in this model. In either
case, it is recommended that colleges incorporate the associated IT security
steps included in this model to aid in securing their infrastructure and
information systems.

Each of the three rings of the diagram identifies a specific level of
security provided for applications and services falling into its realm. The
positioning of an application within the security structure will be determined
by the sensitivity and criticality of its data. The Risk Analysis and Business
Impact Analysis will provide the application owner the guidance needed to
position their application within the security structure.
- Open Access (Internet) – Applications and services which are located
in the outer circle are considered open to the public. They are afforded
little protection. The World Wide Web Homepage established to publish public
relations information is a good example of an application or service requiring
this level of protection. Below are recommendations that apply to this
security access level.
  - Firewall Protection – A hardware firewall for these applications and
  services is not necessarily required. These applications and services are
  meant to be available to the public. Listed below are firewall features, if
  one is chosen.
  - Router Protection – Though these applications and services are
  available to the public, these security measures can be applied to the
  edge and gateway routers. These recommendations are applied if a hardware
  firewall is not selected.
    - IDS network module – The IDS module is an interface card that can be
    installed in a Cisco router. The module provides firewall/intrusion
    detection functionality at the router to detect possible attacks. The
    module is currently available for the Cisco 2600, 3600, and 3700 series
    routers.
    - Cisco IOS Firewall – The Cisco IOS firewall provides integrated firewall
    and intrusion detection functionality at the edge router. The features are
    embedded in the IOS and would require upgrading your edge router to the
    appropriate IOS.
    - Access Control Lists – see VCCS Security Guidelines for Edge Devices
  - Switch Protection – No security measures required
  - Server and Desktop Protection (Laptops) – Listed are recommended
  security measures
    - Maintaining backup files
    - Redundant server
    - Personal Firewall
      - Windows XP Internet Connection Firewall (ICF)
      - ZoneAlarm
      - Norton Personal Firewall
    - Intrusion Detection Systems (IDS)
    - Anti-Virus software
    - Windows Security Patches – ensuring security updates are kept current
    on a daily basis.
    - Application filtering – filtering of streaming, pornographic, P2P, and
    gaming applications.
- Controlled Access (Intranet) – Applications located in the middle
circle are for use by members of the VCCS community and do not contain
restricted information. These applications need some level of protection, but
security is not considered critical. Access to these applications is limited
to customers with a valid Customer Id and password. Internal email and
internal WWW Homepages for classes are examples of applications of this type.
Below are the recommended security measures for this security access level.
  - Firewall Protection – Hardware firewall protection for these
  applications and services may or may not be required for this access level.
  Though these applications and services are primarily used internally by the
  VCCS community, the information may not be sensitive enough to warrant a
  firewall. Listed below are firewall features if one is chosen.
  - Router Protection – Listed below are recommendations if a hardware
  firewall is not implemented.
    - IDS network module – The IDS module is an interface card that can be
    installed in a Cisco router. The module provides firewall/intrusion
    detection functionality at the router to detect possible attacks. The
    module is currently available for the Cisco 2600, 3600, and 3700 series
    routers.
    - Cisco IOS Firewall – The Cisco IOS firewall provides integrated firewall
    and intrusion detection functionality at the edge router. The features are
    IOS based and would require upgrading your edge router to the appropriate
    IOS.
    - Access Control Lists – see VCCS Security Guidelines for Edge Devices
  - Switch Protection – Listed are recommended security measures
    - Access Control Lists – access lists may be applied to the core switch
    to provide another level of security and filtering.
    - VLANs – configure VLANs on the LAN switches to segregate network
    traffic.
  - Server and Desktop Protection (Laptops) – Listed are recommended
  security measures
    - Personal Firewall
      - Windows XP Internet Connection Firewall (ICF)
      - ZoneAlarm
      - Norton Personal Firewall
    - Intrusion Detection Systems (IDS)
    - Anti-Virus software
    - Windows Security Patches – ensuring security updates are kept current
    on a daily basis.
    - Application filtering – filtering of streaming, pornographic, P2P, and
    gaming applications.
- Secured Access – Applications and services located in the inner circle
contain restricted and in some cases sensitive/confidential information.
Protection of applications and services located in the innermost circle is
considered critical. One must have access to a valid Customer Id and password
to access applications within this circle. In addition, each application will
provide an additional level of access control internally. FRS and SIS are
examples of applications of this type. Below are the recommended security
measures for this security access level.
  - Firewall Protection – Firewall protection for these applications and
  services is required for this access level. These applications are critical
  to the overall mission of the VCCS. The information contained on these
  systems is considered to be sensitive. Below are recommended features when
  choosing a firewall.
    - Hardware Firewall Features
      - Controlling access for internal systems
      - Intrusion detection
      - MAC address filtering
      - URL blocking
      - Custom rule creation
      - Various content blocking features
      - H.323-enabled with H.323 proxy
      - Upgradeable to Gigabit Ethernet
  - Router Protection – Listed below are recommendations if a hardware
  firewall is not implemented.
    - IDS network module – The IDS module is an interface card that can be
    installed in a Cisco router. The module provides firewall/intrusion
    detection functionality at the router to detect possible attacks. The
    module is currently available for the Cisco 2600, 3600, and 3700 series
    routers.
    - Cisco IOS Firewall – The Cisco IOS firewall provides integrated firewall
    and intrusion detection functionality at the edge router. The features are
    IOS based and would require upgrading your edge router to the appropriate
    IOS.
    - Access Control Lists – see VCCS Security Guidelines for Edge Devices
  - Switch Protection – Listed are recommended security measures
    - Access Control Lists – access lists may be applied to the core switch
    to provide another level of security
    - VLANs – configure VLANs on the LAN switches to segregate network
    traffic.
  - Server and Desktop Protection (Laptops) – Listed are recommended
  security measures
    - Personal Firewall
      - Windows XP Internet Connection Firewall (ICF)
      - ZoneAlarm
      - Norton Personal Firewall
    - Intrusion Detection Systems (IDS)
    - Anti-Virus software
    - Windows Security Patches – ensuring security updates are kept current
    on a daily basis.
    - Application filtering – filtering of streaming, pornographic, P2P, and
    gaming applications.
      - Websense
      - Surf Control
  - Call Managers
    - Security Patches – stay current with security patches
    - Intrusion Detection System (IDS)
    - Upgrade to Call Manager 3.3
    - Cisco Security Agent (CSA)
  - Voice Mail Servers
    - Security Patches – stay current with security patches
Wireless Infrastructure Security – The following is a set of general
security guidelines for wireless LAN implementation. However, colleges should
exercise discretion in assessing the feasibility of such implementations and, if
necessary, put in appropriate or equivalent measures to mitigate any security
risks.
  - Physical Security
    - Ensure the AP is within the physical boundaries of the building
    - Prevention of resets on the AP – ensure the AP is physically located
    where someone cannot readily or easily access the reset button. The
    reset button sets the AP back to the default configuration values.
  - Proper AP configurations
    - Operational and security settings on the AP
      - Change the default SSID
      - Maximize the Beacon interval
      - Disable broadcast SSID
      - Change default cryptographic key
      - Configure MAC Access Control Lists
  - Software patches and upgrades – stay current with upgrades
  - Authentication
  - Intrusion Detection System (IDS) – access control and intrusion
  detection mechanisms should be installed on the wireless station (i.e.,
  laptop, desktop)
  - WEP Encryption – set encryption for the strongest setting possible
  (128-bit)
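To make the AP configuration checklist above auditable, here is an added Python example (not part of the VCCS model) that evaluates an AP configuration against those items: default SSID, SSID broadcast, default key, 128-bit WEP key, MAC ACL and beacon interval. The key/value config format, the factory-default SSID and key sets, and the 1000 beacon maximum are assumptions made for this example.

```python
import re
# Added example, not part of the VCCS model. The config is a constructed
# key/value listing (no vendor syntax); defaults and beacon max are assumptions.
FACTORY_SSIDS = {"tsunami", "default", "linksys"}  # assumed factory SSIDs
FACTORY_KEYS = {"", "0" * 26}                      # assumed factory keys
HEX128 = re.compile(r"^[0-9a-fA-F]{26}$")         # 128-bit WEP = 26 hex digits

def parse_config(text):
    """Parse 'key = value' lines into a dict; '#' comments and blanks ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit_ap(cfg, max_beacon=1000):
    """Return the checklist items the AP fails; an empty list means compliant."""
    findings = []
    if cfg.get("ssid", "").lower() in FACTORY_SSIDS:
        findings.append("default SSID still in use")
    if cfg.get("broadcast_ssid", "yes").lower() != "no":  # broadcast is on unless disabled
        findings.append("SSID broadcast enabled")
    key = cfg.get("wep_key", "")
    if key in FACTORY_KEYS:
        findings.append("default cryptographic key")
    elif not HEX128.match(key):
        findings.append("WEP key is not 128-bit (26 hex digits)")
    if not cfg.get("mac_acl"):
        findings.append("no MAC access control list")
    beacon = cfg.get("beacon_interval", "0")
    if not beacon.isdigit() or int(beacon) < max_beacon:
        findings.append("beacon interval below maximum (%d)" % max_beacon)
    return findings

# Constructed samples: an AP at factory settings versus one set per the checklist.
FACTORY_AP = "ssid = tsunami\nbroadcast_ssid = yes\nwep_key =\nmac_acl =\nbeacon_interval = 100\n"
HARDENED_AP = """
ssid = vccs-lib-staff                  # non-default name
broadcast_ssid = no
wep_key = 1A2B3C4D5E6F708192A3B4C5D6    # 26 hex digits = 128-bit WEP
mac_acl = 0011.2233.4455, 0011.2233.4466
beacon_interval = 1000
"""

if __name__ == "__main__":
    for name, text in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        print(name, audit_ap(parse_config(text)) or "compliant")
```

Run stand-alone, it reports five findings for the factory sample and "compliant" for the hardened one. The WEP check reflects the model's strongest option at the time it was written; WEP is cryptographically broken, so a current audit would test for WPA2 or later in its place.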