INTRO (Purpose and Intent)
The Corporation Tech IT Network Security Plan establishes guidelines for the IT practices used on a day to day basis to provide a secure and robust computing environment. These procedures are used in order to protect the mission, operation, and reputation of Corporation Tech and its information systems. The security policies, standards, and procedures established for Corporation Tech are intended to comply with the regulations and policies set down by the State of Florida, Corporation Tech, and the Federal Information Security Management Act (FISMA).
SCOPE
These standards and procedures apply to all information systems and resources under the control of Corporation Tech, including all computers connecting to the Corporation Tech network and all Corporation Tech personnel, contractors, and any other individuals who use and/or administer those systems and computers, particularly those involved with information system management.
GENERAL PROVISIONS
Corporation Tech IT will manage risk by identifying, evaluating, controlling, and mitigating vulnerabilities that are a potential threat to the data and information systems under its control.
User accounts and passwords will be implemented to maintain individual accountability for network resource usage. Any user who obtains an account and password for accessing a Corporation Tech provided resource is required to keep these credentials confidential. Users of these systems may only use the accounts and passwords they have been assigned and authorized to use, and are prohibited from using the network to access these systems through any other means. This plan also prohibits the sharing of personal user accounts or passwords for accessing Corporation Tech or Internet computing resources. In the interest of maintaining account security, passwords will be changed on a regular schedule or any time the integrity of the account is in question.
Corporation Tech IT network or computing resources may not be used for personal commercial purposes, for personal profit, or to violate the laws and regulations of the United States or any other nation, or the laws and regulations of any state, city, province or other local jurisdiction in any material way. Use of Corporation Tech resources for any illegal activity may result in loss of network access privileges, official reprimand, suspension or dismissal. Corporation Tech will cooperate with any legitimate law enforcement agency or inquiry in the investigation and prosecution of any alleged wrongful activity. Corporation Tech's network or Internet facilities may not be used to disable or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of another user.
Corporation Tech owned networking and communications equipment may only be moved by Network and Computing Support staff, or authorized agents. Reconfiguration of network hardware or software, except by designated individuals within IT, is strictly prohibited. Prior to connecting any server, network communication or monitoring device to the Corporation Tech Network, approval must be obtained from Data Center Communications. Attachment of any of the following devices to the Corporation Tech network, other than those provided or approved by Network and Computing Support, is strictly prohibited:
a. DHCP servers.
b. DNS servers.
c. NAT routers.
d. Network Gateways.
e. Packet capturing or network monitoring devices.
f. Any device that interferes with or negatively impacts network operations.
STATEMENT OF PROCEDURES
The procedures for conducting a risk assessment and for the control and mitigation of risks to the Corporation Tech Data Systems include:
NETWORK CONTROL
Corporation Tech IT has software and systems in place that have the ability to monitor and record network, Internet and computer system usage. This includes monitoring and security systems that are capable of recording network traffic, including traffic to Internet sites, chat rooms, newsgroups and e-mail messages, file servers, telnet sessions and file transfers into and out of our internal networks. This capability is necessary in order to maintain the health of Corporation Tech network operations and diagnose network related problems. Corporation Tech IT reserves the right to perform network monitoring at any time. The information collected may be used by technicians and management to assess network utilization and trends, and may also be provided to upper management or other authorities as evidence as part of any investigation of alleged policy violations.
Corporation Tech IT reserves the right to perform periodic port scans, segment sweeps, and vulnerability scans on all network segments. Network operations, functions, and resources that are not required as part of the normal and approved job duties or projects for Corporation Tech may be bandwidth limited or blocked by network control devices in order to protect the integrity and availability of the overall system. Corporation Tech IT may suspend network access to any location or system that disrupts normal network operations or that violates Corporation Tech policy. In this event, an attempt will be made to contact the responsible individual to resolve the problem.
DHCP SERVICES
Corporation Tech IT provides centralized and redundant DHCP and DNS services for Corporation Tech. Because of the nature of these services, and because of the potential disruption of service and possible security breaches caused by incorrect setup of additional systems, attachment of unauthorized DHCP or DNS servers is prohibited. The following guidelines must be followed when requesting or using any DHCP or DNS services:
• Devices requiring an IP address must support DHCP and be capable of obtaining DHCP address information from one of the centrally administered University DHCP servers.
• Using DHCP, devices requesting an IP address will be assigned a dynamic pool address from the subnet to which the device is attached. Devices with dynamically assigned IP addresses may have their address change.
• Static IP addresses needed for server class machines or specialized clients must be requested from the Data Center Communications Team via a Help Desk ticket.
DNS SERVICES
Client workstations that have been assigned a dynamic pool IP address will have an associated DNS name assigned by the network. Any DNS name or domain name that is to be associated with the Corporation Tech network must be requested from and registered through Web Services. DNS names ending in corptech.com are made available upon request for Corporation Tech approved services. Requests for assignment of DNS names must be for valid Corporation Tech related purposes.
DNS names for domains other than corptech.com that are to be hosted by Corporation Tech systems must be requested from Web Services. Any charges for initial or ongoing registration of the requested name are the responsibility of the requestor. DNS names not in the corptech.com domain will be handled on a case by case basis. Corporation Tech IT will work with anyone requesting a domain name to identify an appropriate and available name; however, Corporation Tech IT has final approval for all DNS name assignments.
WIRELESS NETWORK SERVICES
Because wireless networks can be used to provide access to the same resources and services as wired network devices, the same basic procedures that are used in a wired network environment can also be applied in a wireless network environment. However, because of the nature of wireless networks, additional security and control mechanisms are needed in order to maintain the security, operation and inter-operability of both traditional and wireless systems. Wireless routers are not allowed on the Corporation Tech network unless they have been approved by Corporation Tech IT.
Access to the Corporation Tech Wireless network is limited to individuals who have a Corporation Tech account, except in locations where the guest network is available. The Corporation Tech Guest Network is segregated from the internal servers and resources used by authenticated users to keep the network secure. The Corporation Tech Guest Network is only available in approved areas, and requires a request to be extended into any other areas. Users of the Corporation Tech Guest Network are required to provide a valid cell phone number in order to authenticate.
Destruction and Disposal of Information and Devices
Restricted information must be disposed of in such a way as to ensure it cannot be retrieved and recovered by unauthorized individuals. When donating, selling, transferring, surplusing or disposing of computers or removable media (such as DVDs), the proper procedures to make data unreadable on those media will be followed. Acceptable procedures are outlined in ISSP-009, “Media Removal”.
NETWORK ACCESS
Anyone who uses the Corporation Tech computing environment must have appropriate status (e.g. management, staff, or authorized third party) and must be properly authenticated when required. Access will be provided to vendors and/or other Corporation Tech partners through the sponsored VIP account process, as described at http://www.corptech.com/it/services/vip.aspx. VIP accounts are reviewed and renewed at six month intervals to verify whether access is still needed. When an employee leaves the organization, accounts will be disabled once TERM status is updated, and individual departments must approve re-activation of account access.
USER COMPUTING DEVICES
Users are responsible for the security and integrity of Corporation Tech information stored on their workstation, including controlling physical and network access to the machine. Users may not run or configure software or hardware that may allow access by unauthorized users. Anti-virus software must be installed on all workstations that connect to the Corporation Tech Network. Corporation Tech computers may not be used to copy, distribute, share, download, or upload any copyrighted material without the permission of the copyright owner.
PHYSICAL ACCESS
Access to the Corporation Tech IT Data Center is restricted to those responsible for operation and maintenance. Access by non-IT personnel is not permitted unless they are escorted by an authorized IT staff member. Computer installations should provide reasonable security measures to protect the computer system against natural disasters, accidents, loss or fluctuation of electrical power, and sabotage. Networking and computing hardware are placed in secure and appropriately cooled areas for data integrity and security.
NETWORK HARDWARE
Network hardware is housed behind a locked door to guard physical access to switches and other network equipment. Access is only allowed through card access or with a checked-out key. All switches and network hardware are password protected at a minimum via a local account set up on the device itself; these passwords are changed periodically as administrators leave the organization. The subnets allowed to authenticate to switch management are limited, to create tighter control of backend administration. Privileged-level access timeouts are implemented on Console and VTY lines, so that any idle sessions are terminated automatically. All switches are time synced using NTP, so that incidents can be tracked and correlated to the proper timeframe.
SERVER ENVIRONMENTS
All servers are subject to a security audit and evaluation before they are placed into production. Administrative access to servers must be password protected and use two-factor authentication whenever possible. Servers should be physically located in an access-controlled environment. All internal servers deployed at Corporation Tech must be owned by an operational group that is responsible for system administration. Servers must be registered with the IT department. At a minimum, the following information is required to positively identify the point of contact:
a. Server owner contact(s) and location.
b. Hardware and Operating System/Version
c. Main functions and applications
d. MAC address (if not a virtual server)
Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods to the extent possible. The most recent security patches must be installed on the system as soon as practical. Do not use administrator or root access when a non-privileged account can be used. Privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
EXCEPTIONS
All requests for exceptions to these standards and procedures will be handled by request, and will follow these guidelines:
• Must be submitted in writing to and approved by the CIO or the proper authority.
• Will be reviewed on a case by case basis.
NETWORK SECURITY
The Corporation Tech network design is built on three principles: Defense-in-Depth, Compartmentalization of Information and the Principle of Least Privilege. Our first step was to look at what we are protecting, which is ultimately our business and customer data and information. To ensure a sound architecture we started the design of our network with scalability in mind. It is important that our design is flexible enough to meet future needs; the threats we know about and deal with today will not be the ones we face in the future. While developing security requirements for our IT system resources, we will determine whether they are mission-critical or data-sensitive resources. This allows us to determine where data confidentiality and integrity are the most important requirements, or where the priority is continuity of operation (availability).
DEFENSE-IN-DEPTH
Network safeguards provide the first security barrier of IT system resources against threats originating outside the network. These threats could be in the form of intruders or malicious code. The network design provides layered protections. This means the security layers complement each other; what one misses the other catches. This will be accomplished by placing security protections in different places throughout our IT system, as well as not using two of the same type of safeguard. Although this may increase the complexity of our security system and can potentially make management and maintenance more difficult and costly, we believe the security of the IT system resources should be based on this protection. With defense-in-depth in mind, the first layer of our network security plan starts with our network perimeter security.
The main network security defenses are firewalls, intrusion detection and prevention systems (IPS/IDS), VPN protections and content inspection systems like anti-virus, anti-malware, anti-spam and URL blocking. The traditional first line of defense against attacks is typically the firewall, which can be configured to allow/deny traffic by source/destination IP, port or protocol. It is very straightforward: either traffic is allowed or it is blocked. With the advent of Next Generation firewalls, which can include application control, identity awareness and other features such as IPS, web filtering, and advanced malware detection, all of these features can be controlled by one device.
COMPARTMENTALIZATION OF INFORMATION
Corporation Tech will have IT system resources with different sensitivity levels or different risk tolerance levels and threat susceptibilities. These resources should be located in different security zones. The idea is to hide the data or information and make it available only to those systems where it is necessary for conducting system tasks. Examples of this are:
• E-mail, Web and DNS servers are located in the DMZ behind the perimeter firewall.
• Database servers such as SQL servers are located in the Database Zone, within the internal firewall/IPS.
• Intranet servers, file servers and user workstations are in the LAN zone inside the internal firewall.
• The Internet is located in the Internet zone behind the edge firewall.
Principle of Least Privilege
Corporation Tech administrators and users will have the minimal privileges necessary for proper functioning within the organization. This rule applies also to data and services made available to external users. An extension to this rule is the “Need-To-Know” principle, which says that users and administrators of the Corporation Tech IT system have access to only the information relevant to their role and the duties they perform. Other points of security we will discuss in our network security plan are the single point of failure rule, and the separation of duty and job rotation rules.
The network paths between users and mission-critical IT system resources, all the links, devices (networking and security) and the servers will be deployed in redundant configurations. The purpose of the separation of duty and job rotation rules is to limit an employee's ability to neglect and break the IT system's security policy. Separation of duty dictates that important tasks/functions should be performed by two or more employees. Job rotation states that there should be rotation of employees in important positions.
NETWORK HARDENING
For each layer of security, we will ensure the devices are running the most up-to-date software and operating systems, and that they are configured properly.
SECURITY ZONES
Intrusion Prevention (IPS) devices are responsible for detecting and preventing penetrations and attacks carried out by intruders and malicious software. We recommend an IPS be installed in the network path between potential threat sources and sensitive IT system resources. Attacks through encrypted SSL sessions are a potential weakness, so we recommend decrypting the sessions before they reach the IPS device in order to inspect unencrypted packets.
The IPS will be properly tuned and monitored to catch attackers that may have slipped past the first defense (firewall/router). Internal networks will not have direct access to the Internet, so a Trojan delivered to a user's workstation via a phishing attack would not allow the intruder to connect back to the external network. Internet services are available to internal users only through corporate email and HTTP Proxy servers.
ENABLE SECURE NETWORK ACCESS
We will install a VPN designed to allow secure communication to the network from outside, using two-factor authentication to ensure the identity of the users making the request. It will be external-facing and allows users to tunnel into our LAN from outside once the appropriate measures are taken to secure access.
SEGMENTED DMZ
There will be a front-end firewall for the external traffic and a back-end firewall for the internal traffic. Firewall rules will be optimized and tightened on all publicly accessible systems to allow traffic only to the necessary ports and services residing in the DMZ. Firewall rules have been created to allow only the permitted source IP addresses and ports to the specific servers, and proxies have been added inside the network from which administrators are allowed access to the systems. Systems in different VLANs (with layer 3 switches) have been configured to help isolate and respond to incidents if a server in the DMZ is compromised. Authentication to the LAN is required before access to the DMZ is even attempted. This prevents anyone from gaining complete control over these devices at any given time.
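The zone layout described in the Compartmentalization, Security Zones and Segmented DMZ sections can be expressed as a whitelist of permitted zone-to-zone flows and used to audit a firewall rule base before it is deployed. The following is an added example, not Corporation Tech's rule base or tooling: the zone names follow the plan, but the service labels, the exact permitted flows and the sample rules are my assumptions drawn from the zone descriptions (web, mail and DNS in the DMZ; SQL reachable only from the DMZ tier; LAN reaching the Internet only through the proxy and corporate e-mail).

```python
"""Zone-to-zone flow check for the segmented design above (Internet zone,
DMZ, LAN zone, Database zone; no direct LAN-to-Internet access).
Added example, not Corporation Tech's rule base: service labels and the
exact permitted flows are assumptions drawn from the zone descriptions."""
from dataclasses import dataclass

ZONES = {"INTERNET", "DMZ", "LAN", "DATABASE"}

# Whitelist of (src_zone, dst_zone, service).  Anything not listed is denied,
# matching the plan's "everything else is denied" stance.
ALLOWED_FLOWS = {
    ("INTERNET", "DMZ", "https"),   # public web servers sit in the DMZ
    ("INTERNET", "DMZ", "smtp"),    # mail servers sit in the DMZ
    ("INTERNET", "DMZ", "dns"),     # DNS servers sit in the DMZ
    ("DMZ", "DATABASE", "sql"),     # only the DMZ application tier reaches SQL
    ("LAN", "DMZ", "proxy"),        # users reach the web via the HTTP proxy
    ("LAN", "DMZ", "smtp"),         # ... and the Internet via corporate e-mail
    ("DMZ", "INTERNET", "https"),   # the proxy egresses on behalf of the LAN
    ("DMZ", "INTERNET", "smtp"),    # the mail relay egresses
    ("DMZ", "INTERNET", "dns"),     # recursive lookups from the DMZ resolver
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "permit" or "deny"


def flow_allowed(src, dst, service):
    """True only for flows the zone policy explicitly permits."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in flow {src} -> {dst}")
    return (src, dst, service) in ALLOWED_FLOWS


def audit_rules(rules):
    """Return the permit rules that open a flow the zone policy does not allow,
    e.g. Internet straight into the Database zone, or LAN hosts reaching the
    Internet without going through the proxy."""
    return [r for r in rules
            if r.action == "permit" and not flow_allowed(r.src, r.dst, r.service)]


# Constructed rule base; the 4th and 5th rules are the kind of mistake the
# compartmentalization principle exists to catch.
SAMPLE_RULES = [
    Rule("INTERNET", "DMZ", "https", "permit"),
    Rule("DMZ", "DATABASE", "sql", "permit"),
    Rule("LAN", "DMZ", "proxy", "permit"),
    Rule("INTERNET", "DATABASE", "sql", "permit"),  # bypasses the DMZ tier
    Rule("LAN", "INTERNET", "https", "permit"),     # direct egress, no proxy
    Rule("INTERNET", "LAN", "any", "deny"),
]

if __name__ == "__main__":
    for r in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION: permit {r.src} -> {r.dst} ({r.service}) is outside zone policy")
```

Because the check is a whitelist, a rule whose service is a wildcard such as "any" is reported unless that exact flow was deliberately listed, which is the behaviour the default-deny principle in the Device Integrity section calls for.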
DEVICE INTEGRITY
All hardware and software will be purchased only from the manufacturer or from resellers who are authorized and certified by the equipment manufacturer. Unused physical interfaces on network devices will be shut down. Access lists that permit only those protocols, ports and IP addresses that are required by network users and services will be implemented. Everything else is denied. Network device configuration files are protected from unauthorized disclosure. Measures have been taken to avoid plaintext passwords in the configuration files. This has been accomplished by using encryption and/or a salted, iterated hash to protect the confidentiality of passwords in configuration files. Passwords/keys are changed immediately if a network device configuration file is transmitted in the clear (or is otherwise exposed) while containing non-encrypted passwords/keys. Secure protocols will be used when transmitting network device configuration files. All unneeded services on network devices must be shut down.
Logs will be reviewed regularly to gain an in-depth understanding of normal network behavior. Any irregularity will be reported and investigated.
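"Understanding normal behavior" and "reporting any irregularity" only become an operational check once a baseline is computed per host and compared against. The following is an added example, not Corporation Tech's tooling: it builds a per-host daily volume baseline from constructed firewall log lines and flags a host whose volume departs from its own history by more than a robust threshold. The log format, the hosts, the volumes and the k=5 threshold are all assumptions.

```python
"""Per-host volume baseline with a robust deviation test, the kind of
'what does normal look like' review the log-evaluation rule above asks for.
Added example: log format, hosts, volumes and the k=5 threshold are
constructed assumptions, not Corporation Tech data."""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed log lines '<day> <src_ip> <dst_ip> <dst_port> <bytes>':
    two workstations, seven ordinary days, then a day on which 10.1.0.9
    sends roughly 130x its usual volume outbound."""
    volumes = {
        "10.1.0.5": [1000, 1100, 950, 1050, 1000, 1200, 900, 1050],
        "10.1.0.9": [400, 420, 390, 410, 400, 430, 405, 52000],
    }
    return [f"d{day} {host} 203.0.113.10 443 {nbytes}"
            for host, per_day in volumes.items()
            for day, nbytes in enumerate(per_day, 1)]


def parse_log(lines):
    """Aggregate bytes per source host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the review
        day, src, _dst, _port, nbytes = fields
        totals[src][day] += int(nbytes)
    return totals


def robust_baseline(values):
    """Median and median absolute deviation; unlike mean/stddev these are
    not dragged around by the very outliers we are trying to detect."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def find_irregular(totals, day, k=5.0, min_history=3):
    """Hosts whose volume on `day` sits more than k robust deviations from
    their own history.  Returns (host, day_bytes, baseline_median)."""
    flagged = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d != day]
        if day not in per_day or len(history) < min_history:
            continue
        med, mad = robust_baseline(history)
        # 1.4826 * MAD approximates one standard deviation for normal data;
        # fall back to 10% of the median when the history is perfectly flat.
        scale = 1.4826 * mad if mad > 0 else max(1.0, 0.1 * med)
        if abs(per_day[day] - med) / scale > k:
            flagged.append((host, per_day[day], med))
    return flagged


if __name__ == "__main__":
    for host, today, med in find_irregular(parse_log(build_sample_log()), "d8"):
        print(f"IRREGULAR: {host} moved {today} bytes on d8, baseline median {med}")
```

The median/MAD choice matters: a single exfiltration-sized day would inflate a mean-and-standard-deviation baseline enough to hide itself on the next review, whereas the robust baseline still reports it.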
SECURE MANAGEMENT
Only secure protocol standards (SSHv2; IKEv2/IPsec; TLS v1.0+) will be used when performing remote management of network devices. Default usernames and/or passwords are not used. The network infrastructure security policy should specify password length and complexity requirements. Review the network infrastructure security policy: it identifies who is allowed to log in to network infrastructure devices and who is allowed to configure them, and defines a plan for updating network device firmware at scheduled intervals.
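The Network Hardware, Device Integrity and Secure Management sections together describe a checklist that can be verified mechanically against a saved device configuration: NTP synchronization, idle timeouts on console and VTY lines, management access limited to approved subnets, SSHv2-only remote management, no default usernames, no plaintext or reversible passwords, and unused interfaces shut down. The following is an added example, not Corporation Tech's tooling: it audits an IOS-style configuration text for those points. The configuration is constructed, the list of "default" usernames and the heuristic for what counts as an unused interface are my assumptions, and the password-type interpretation is Cisco's (type 7 is reversible obfuscation; types 5, 8 and 9 are one-way salted hashes).

```python
"""Audit an IOS-style running config against the management-plane rules
above.  Added example; the config text is constructed and the check list
is my reading of the plan, not Corporation Tech's tooling."""
import re

# Account names treated as vendor/default names here (assumed list).
DEFAULT_USERNAMES = {"admin", "cisco", "root"}
# Sub-commands that show an interface is actually in use (assumed heuristic).
IN_USE_MARKERS = ("description", "ip address", "switchport", "channel-group")

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(password|secret)(?:\s+(\d+))?\s+\S+")
ENABLE_RE = re.compile(r"^enable\s+(password|secret)(?:\s+(\d+))?\s+\S+")


def _sections(config_text):
    """Split an IOS-style config into (header, sub_commands) blocks: a
    non-indented line followed by its indented lines.  '!' separators and
    blank lines are skipped."""
    header, body = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def _credential_code(kind, ptype):
    """'secret' is stored as a one-way salted hash (type 5 MD5-crypt,
    8 PBKDF2-SHA256, 9 scrypt).  'password' is plaintext (type 0 / none)
    or the reversible type 7 obfuscation; the plan accepts neither."""
    if kind == "secret":
        return None
    return "REVERSIBLE_SECRET" if ptype == "7" else "PLAINTEXT_SECRET"


def audit_config(config_text):
    """Return (code, detail) findings; an empty list means compliant."""
    findings = []
    seen_ntp = seen_sshv2 = False
    for header, body in _sections(config_text):
        if m := ENABLE_RE.match(header):
            if code := _credential_code(m.group(1), m.group(2)):
                findings.append((code, f"enable {m.group(1)}"))
        if m := USER_RE.match(header):
            name, kind, ptype = m.groups()
            if code := _credential_code(kind, ptype):
                findings.append((code, f"username {name}"))
            if name.lower() in DEFAULT_USERNAMES:
                findings.append(("DEFAULT_USERNAME", name))
        seen_ntp |= header.startswith("ntp server")
        seen_sshv2 |= header == "ip ssh version 2"
        if header.startswith("interface "):
            if not any(b.startswith(IN_USE_MARKERS) for b in body) and "shutdown" not in body:
                findings.append(("UNUSED_IF_UP", header))
        if header.startswith("line "):
            timeouts = [b.split()[1:] for b in body if b.startswith("exec-timeout")]
            # 'exec-timeout 0 0' disables the idle timeout, so treat it as absent
            if not timeouts or set(timeouts[-1]) <= {"0"}:
                findings.append(("NO_EXEC_TIMEOUT", header))
            if header.startswith("line vty"):
                if [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
                    findings.append(("INSECURE_TRANSPORT", header))
                if not any(b.startswith("access-class") for b in body):
                    findings.append(("NO_ACCESS_CLASS", header))
    if not seen_ntp:
        findings.append(("NO_NTP", "no 'ntp server' line"))
    if not seen_sshv2:
        findings.append(("NO_SSHV2", "no 'ip ssh version 2' line"))
    return findings


# Constructed configuration with several deliberate policy violations.
SAMPLE_CONFIG = """\
hostname core-sw1
!
enable password Letmein123
username admin password 7 094F471A1A0A
username netops secret 9 $9$PLACEHOLDERHASH
!
ip ssh version 2
ntp server 10.0.0.5
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 description unused port
 shutdown
!
line con 0
 exec-timeout 10 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

The sample flags the plaintext enable password, the reversible type 7 password on the default "admin" account, the VTY lines that accept telnet, lack an access-class and never time out, and the interface that is neither described nor shut down; the console line, NTP and SSHv2 settings pass. Reviewing the same checks after each change window is what turns the Secure Management paragraph into something that can be evidenced.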
PORT VULNERABILITIES
Port 25 - Is used for SMTP (Simple Mail Transfer Protocol). It uses both tcp and udp protocols. This port is used for e-mail routing between mail servers and is susceptible to many well-known Trojans. We are keeping this port in a closed state.
Port 80 - Is used for web traffic, Hyper Text Transfer Protocol (HTTP). It uses both tcp and udp protocols. Port 80 udp is also used by some games, like Alien vs Predator. The Code Red and Nimda worms also propagate via TCP port 80 (HTTP). Also, a number of trojans/backdoors use these ports. We are keeping this port in a closed state.
Port 139 - Is used for NetBIOS. NetBIOS is a protocol used for File and Print Sharing under all current versions of Windows. By default, when File and Print Sharing is enabled it binds to everything, including TCP/IP (the Internet Protocol), rather than just the local network, meaning your shared resources are available over the entire Internet for reading and deletion unless configured properly. Any machine with NetBIOS enabled and not configured properly should be considered at risk. The best protection is to turn off File and Print Sharing, or block ports 135-139 completely. We will leave this port in an open state but will turn off file and print sharing capabilities.
Port 1900 - Is used for SSDP, UPnP. UPnP discovery/SSDP is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. It is vulnerable to denial of service and buffer overflow attacks. Microsoft SSDP enables discovery of UPnP devices. We are keeping this port in a closed state.
Port 2869 - Is IANA registered for: ICSLAP. It uses both tcp and udp protocols and is used for Microsoft Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), SSDP Discover Service, Microsoft Universal Plug and Play (UPnP), and Microsoft Event Notification. We will keep this port in an open state.
Port 5357 - Is used by Microsoft Network Discovery, and should be blocked for public networks. It uses both tcp and udp protocols. It is also IANA registered for: Web Services for Devices (WSD), a network plug and play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702. We will close this port and reroute traffic to HTTPS (TCP port 5358).
Port 6839 - This port is not associated with any particular service and should be closed unless it is associated and used.
Port 7435 - This port is not associated with any particular service and should be closed unless it is associated and used.
Ports 9100, 9101 and 9102 - These TCP ports are used for printing. Port numbers 9101 and 9102 are for parallel ports 2 and 3 on the three-port HP Jetdirect external print servers. They are used for network-connected print devices. These ports should remain open to allow print services. There are no listed vulnerabilities associated with these ports.
Port 9220 - This port is for raw scanning to peripherals with IEEE 1284.4 specifications. On three-port HP Jetdirects, the scan ports are 9290, 9291, and 9292. It is used for network-connected printing devices. This port should remain open to allow print services. There are no listed vulnerabilities associated with this port.
Port 9500 - TCP port 9500 may use a defined protocol to communicate depending on the application. In our case we are using port 9500 to access the ISM Server. The ISM Server is used for exchanging backup and recovery information between storage devices. This port should remain open while services are in use. There are no listed vulnerabilities associated with this port.
Port 62078 - This port is used by the iPhone while syncing. The port is used by UPnP for media file sharing, and also for synchronizing iTunes files between devices. Port 62078 has a known vulnerability in that a service named lockdownd sits and listens on the iPhone on port 62078. By connecting to this port and speaking the correct protocol, it is possible to spawn a number of different services on an iPhone or iPad. This port should be blacklisted or closed when the service is not required on the device.
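The dispositions above (closed, open, or open with a host-side control) can be turned into a table and checked against what a host actually exposes, so that the periodic port scans the Network Control section reserves the right to run produce a compliance verdict rather than just a list. The following is an added example, not Corporation Tech's tooling: the policy table is my transcription of the port list above, the scan output is constructed in nmap-like "port/proto state service" form, unlisted ports are treated as unapproved per the default-deny stance in Device Integrity, and the 9290-9292 scan ports are treated as open alongside 9220 (an assumption, since the list gives no separate disposition for them).

```python
"""Compare observed open ports on a host against the port dispositions
listed above.  Added example: policy table transcribed from the plan, scan
output constructed, default-deny for unlisted ports assumed."""

# Disposition per port taken from the Port Vulnerabilities list.
PORT_POLICY = {
    25: "closed",      # SMTP
    80: "closed",      # HTTP
    139: "open",       # NetBIOS (file and print sharing disabled on the host)
    1900: "closed",    # SSDP/UPnP
    2869: "open",      # ICSLAP
    5357: "closed",    # WSD over HTTP, redirected to HTTPS
    5358: "open",      # WSD over HTTPS (target of the redirect)
    6839: "closed",
    7435: "closed",
    9100: "open", 9101: "open", 9102: "open",   # HP Jetdirect printing
    9220: "open",      # raw scanning (IEEE 1284.4)
    9290: "open", 9291: "open", 9292: "open",   # Jetdirect scan ports (assumed open like 9220)
    9500: "open",      # ISM backup/recovery server
    62078: "closed",   # iPhone sync / lockdownd
}

# Controls that must accompany an 'open' verdict but cannot be seen in a scan.
HOST_SIDE_NOTES = {139: "file and print sharing must be disabled on the host"}


def parse_scan(text):
    """Parse 'port/proto state service' lines (nmap-like, constructed here)
    into the set of (port, proto) pairs that are actually open."""
    open_ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue
        port_s, proto = parts[0].split("/", 1)
        if parts[1] == "open":
            open_ports.add((int(port_s), proto))
    return open_ports


def evaluate(open_ports):
    """Return {(port, proto): verdict}: MUST_CLOSE for ports the plan closes,
    UNAPPROVED for ports it never mentions, OK otherwise."""
    verdicts = {}
    for port, proto in sorted(open_ports):
        disposition = PORT_POLICY.get(port)
        if disposition is None:
            verdicts[(port, proto)] = "UNAPPROVED"
        elif disposition == "closed":
            verdicts[(port, proto)] = "MUST_CLOSE"
        else:
            verdicts[(port, proto)] = "OK"
    return verdicts


def must_close(open_ports):
    """Ports to add to the firewall's drop list: closed-by-policy plus unlisted."""
    return sorted(p for (p, _), v in evaluate(open_ports).items() if v != "OK")


# Constructed scan output for one host; 62078 is filtered, so it is not 'open'.
SAMPLE_SCAN = """\
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
9100/tcp open jetdirect
9500/tcp open ism
62078/tcp filtered iphone-sync
"""

if __name__ == "__main__":
    for (port, proto), verdict in evaluate(parse_scan(SAMPLE_SCAN)).items():
        print(f"{port}/{proto}: {verdict} {HOST_SIDE_NOTES.get(port, '')}".rstrip())
```

Port 139 comes back as OK from the scan alone, which is why the host-side note travels with the verdict: the plan allows the port but only together with file and print sharing being turned off, and that has to be checked on the host, not from the network.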