Guidelines for Data Protection - Network Security
The following table defines baseline network security controls for University owned and/or operated networks that transmit Institutional Data. For the purpose of this Guideline, network devices are considered Information Systems and, as a result, appropriate Information Systems Security controls should be implemented to protect these devices.
ID | Control | Public | Private | Restricted |
NS-1 | Networks that transmit Institutional Data are segmented according to access profile * | Recommended | Recommended | Required |
NS-2 | Access to a network that transmits Institutional Data is authenticated | Optional | Recommended | Recommended |
NS-3 | Controls are in place to prevent unauthorized inbound access to a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.) | Recommended | Required | Required |
NS-4 | Controls are in place to prevent unauthorized outbound access from a network that transmits Institutional Data (e.g. firewalls, proxies, access control lists, etc.) | Recommended | Recommended | Required |
NS-5 | Changes to network access controls follow a documented change procedure | Recommended | Recommended | Required |
NS-6 | Network access controls are reviewed on a periodic basis for appropriateness | Recommended | Recommended | Required |
NS-7 | Controls are in place to protect the integrity of Institutional Data transmitted over a network connection * | Optional | Recommended | Required |
NS-8 | Network-based intrusion detection and/or prevention technology is deployed and monitored | Recommended | Recommended | Required |
NS-9 | Network devices are configured to protect against network-based attacks * | Recommended | Required | Required |
NS-10 | Successful attempts to establish a network connection are logged | Required | Required | Required |
NS-11 | Failed attempts to establish a network connection are logged | Required | Required | Required |
Supplemental Guidance
NS-1: Network segmentation is a complex topic and strategies will vary depending on the circumstances of a given scenario. It may be appropriate to segment a network based on access profiles. For example, a database server that requires no direct user access could be placed on a network with more restrictive access controls than a web server that requires direct user access. It may also be appropriate to segment a network based on the type of data residing on that network. For example, a collection of servers that store Restricted data could be placed on a network with more restrictive controls than a collection of servers that store Public data. Available financial resources will also likely play a role in the decision-making process.
NS-7: Integrity-related security controls should be implemented to protect Institutional Data from unauthorized modification during transmission over a network. Message signing is one of the more common methods of ensuring the integrity of a data transmission. Message signing often goes hand-in-hand with encryption controls. For example, both the Transport Layer Security (“TLS”) protocol and the IP Security (“IPSec”) protocol offer message signing and encryption.
NS-9: Network devices should be configured to protect against denial of service, eavesdropping, impersonation and other network-based attacks. ARP spoofing and MAC flooding are two examples of such attacks. Network devices can be configured in a variety of ways to protect against these attacks. For example, on a Cisco network device, DHCP snooping and dynamic ARP inspection can be configured to help prevent ARP spoofing attacks, and port security can be enabled to help prevent MAC flooding.
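The following is an added example, not part of the Guideline: one way to check a Cisco IOS-style configuration for the three NS-9 controls named above. The configuration fragment is constructed for illustration, and the function names `vlan_set` and `audit` are hypothetical.

```python
import re
# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
"""

def vlan_set(specs):
    """Expand IOS VLAN lists such as ['10,20-22'] into a set of ints."""
    vlans = set()
    for part in ",".join(specs).split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return {access interface: [NS-9 controls not covering it]}."""
    snooping = bool(re.search(r"^ip dhcp snooping$", config, re.M))
    snoop_vlans = vlan_set(re.findall(r"^ip dhcp snooping vlan (\S+)$", config, re.M))
    dai_vlans = vlan_set(re.findall(r"^ip arp inspection vlan (\S+)$", config, re.M))
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        lines = [line.strip() for line in body.splitlines()]
        if "switchport mode access" not in lines:
            continue  # only user-facing access ports are audited here
        m = re.search(r"^ switchport access vlan (\d+)$", body, re.M)
        vlan = int(m.group(1)) if m else 1  # IOS default access VLAN is 1
        missing = []
        if not (snooping and vlan in snoop_vlans):
            missing.append("dhcp-snooping")
        if vlan not in dai_vlans:
            missing.append("arp-inspection")
        if "switchport port-security" not in lines:
            missing.append("port-security")
        if missing:
            findings[name] = missing
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports only the access port on VLAN 20, which has DHCP snooping but neither dynamic ARP inspection nor port security.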