Carnegie Mellon University

Guidelines for Data Protection - Network Security

The following table defines baseline network security controls for University owned and/or operated networks that transmit Institutional Data. For the purpose of this Guideline, network devices are considered Information Systems and, as a result, appropriate Information Systems Security controls should be implemented to protect these devices.

ID     Control                                                     Public / Private / Restricted

NS-1   Networks that transmit Institutional Data are segmented according to access profile *
       Public: Recommended | Private: Recommended | Restricted: Required

NS-2   Access to a network that transmits Institutional Data is authenticated
       Public: Optional | Private: Recommended | Restricted: Recommended

NS-3   Controls are in place to prevent unauthorized inbound access to a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.)
       Public: Recommended | Private: Required | Restricted: Required

NS-4   Controls are in place to prevent unauthorized outbound access from a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.)
       Public: Recommended | Private: Recommended | Restricted: Required

NS-5   Changes to network access controls follow a documented change procedure
       Public: Recommended | Private: Recommended | Restricted: Required

NS-6   Network access controls are reviewed on a periodic basis for appropriateness
       Public: Recommended | Private: Recommended | Restricted: Required

NS-7   Controls are in place to protect the integrity of Institutional Data transmitted over a network connection *
       Public: Optional | Private: Recommended | Restricted: Required

NS-8   Network based intrusion detection and/or prevention technology is deployed and monitored
       Public: Recommended | Private: Recommended | Restricted: Required

NS-9   Network devices are configured to protect against network-based attacks *
       Public: Recommended | Private: Required | Restricted: Required

NS-10  Successful attempts to establish a network connection are logged
       Public: Required | Private: Required | Restricted: Required

NS-11  Failed attempts to establish a network connection are logged
       Public: Required | Private: Required | Restricted: Required

* Supplemental Guidance for this control is provided below.

Supplemental Guidance

NS-1:  Network segmentation is a complex topic and strategies will vary depending on the circumstances of a given scenario. It may be appropriate to segment a network based on access profiles. For example, a database server that requires no direct user access could be placed on a network with more restrictive access controls than a web server that requires direct user access. It may also be appropriate to segment a network based on the type of data residing on that network. For example, a collection of servers that store Restricted data could be placed on a network with more restrictive controls than a collection of servers that store Public data. Available financial resources will also likely play a role in the decision making process.

NS-7:  Integrity-related security controls should be implemented to protect Institutional Data from unauthorized modification during transmission over a network. Message signing is one of the more common methods of ensuring the integrity of a data transmission. Message signing often goes hand-in-hand with encryption controls. For example, both the Transport Layer Security (“TLS”) protocol and the IP Security (“IPSec”) protocol offer message signing and encryption.

NS-9:  Network devices should be configured to protect against denial of service, eavesdropping, impersonation and other network-based attacks. ARP spoofing and MAC flooding are two examples of such attacks. Network devices can be configured in a variety of ways to protect against these attacks. For example, on a Cisco network device, DHCP snooping and dynamic ARP inspection can be configured to help prevent ARP spoofing attacks, and port security can be enabled to help prevent MAC flooding.
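As an added example that is not part of the CMU guideline, the following Cisco IOS configuration fragment enables the three protections named in NS-9 on one access switch: DHCP snooping builds the IP-to-MAC binding table, dynamic ARP inspection checks ARP traffic on untrusted ports against that table, and port security caps the MAC addresses a user port may learn. The VLAN number (10), the uplink interface (GigabitEthernet1/0/1) and the user port (GigabitEthernet1/0/2) are assumed names.

```cisco
! Assumed topology (not from the guideline): user VLAN 10, DHCP server
! reached through uplink Gi1/0/1, end-user devices on access port Gi1/0/2.

! DHCP snooping: drops DHCP server replies that arrive on untrusted
! (user-facing) ports and records each lease as an IP/MAC/VLAN/port binding.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table so it survives a reload.
ip dhcp snooping database flash:dhcp-snooping.db

! Dynamic ARP inspection: ARP packets entering untrusted ports in VLAN 10
! are validated against the snooping bindings; mismatches are dropped and logged.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

interface GigabitEthernet1/0/1
 description Uplink toward DHCP server and core
 switchport mode trunk
 ! Trusted: DHCP offers and ARP from the infrastructure side are not inspected.
 ip dhcp snooping trust
 ip arp inspection trust

interface GigabitEthernet1/0/2
 description User access port (untrusted by default for snooping and DAI)
 switchport mode access
 switchport access vlan 10
 ! Rate-limit inbound ARP on the untrusted port (15 pps is the default).
 ip arp inspection limit rate 15
 ! Port security: bound the MAC addresses learned here so a MAC flood
 ! cannot exhaust the switch's address table.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky

! Verification:
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show port-security interface GigabitEthernet1/0/2
```

Hosts with static IP addresses have no DHCP binding, so their ARP traffic is dropped by DAI unless a static entry is added with `ip source binding` or an ARP ACL is applied; check `show ip arp inspection statistics` for unexpected drops after enabling the feature.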