The Network Security Standard provides measures to prevent, detect, and correct network compromises. The standard is based on both new practices and best practices currently in use at RIT.
Please consult the checklist or the standard below for a complete list of requirements.
This standard applies to all Network Devices (except personally-owned devices within the residential network) that connect to the centrally-managed RIT network infrastructure or that process RIT Confidential or RIT Operationally Critical information whether or not they are part of the RIT centrally-managed infrastructure.
The following security controls are required to be implemented.
An IDS service should be deployed on the links to/from the Institute network and the public Internet or Internet2. Hosts that are detected via the rule set shall be automatically blocked from further network access until the cause of the detection is understood and remediated.
The IDS configuration will be reviewed by ITS every six months or upon changes to the configuration.
All Network Devices should log to a logging/network management system.
To ensure the integrity of the network, all Network Devices should be regularly monitored for reachability from a centralized network management system.
Any logs, including, but not limited to, network, telecom, security, and IDS logs, shall be confidentially provided to the AVP Risk Management, AVP Human Resources, or Chief Legal Affairs Officer upon written request to the CIO.
The network should be scanned regularly for hosts that are vulnerable to remotely exploitable attacks. Hosts that are vulnerable will be “moved” to a quarantine network where they may be allowed to self-remediate.
All data gathered from the vulnerability scanning and quarantine processes should be classified as RIT Confidential information.
The quarantine network will allow hosts to access services necessary to patch and remediate infections. These services may be provided through a proxy server.
Explicit blacklisting or permanent whitelisting of the ITS vulnerability scanner is prohibited.
Notification to administrators of registered subnets or individual network addresses in the event of quarantine or blocking:
The local administrator of the registered subnet or individual addresses is responsible for maintaining accurate registration information.
Unless the network may be harmed without immediate quarantine or blocking of compromised computers, the Network Administrator should notify administrators of systems found to be vulnerable by the vulnerability scanner before the systems are placed into quarantine or blocked.
If immediate quarantine or blocking is necessary to avoid harm to the network, the Network Administrator should notify the administrators of affected systems in a timely manner.
Before being allowed on the network, all network devices or systems with an IP address on the network should be registered in an ISO-approved registration system.
This device registration should include all MAC addresses and the name of the party responsible for the device.
Guest access should be registered with appropriate contact information.
Who does it apply to?
All systems or network administrators managing devices that:
Connect to the centrally-managed Institute network infrastructure
Process Private or Confidential Information
Currently, personal network devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. However, the use of wireless routers is prohibited in residential areas on campus. The use of wired routers is still acceptable. Read and comply with the requirements in the Resnet guide to Using a Router on the RIT Network prior to using a wired router.
See our Wireless Networking page for information on how to access wireless networks at RIT and how to set up and use a wireless network at home.