Network Security Standard

The Network Security Standard provides measures to prevent, detect, and correct network compromises. The standard is based on both new practices and best practices currently in use at RIT.

Please consult the checklist or the standard below for a complete list of requirements.

Scope

This standard applies to all Network Devices (except personally-owned devices within the residential network) that connect to the centrally-managed RIT network infrastructure or that process RIT Confidential or RIT Operationally Critical information whether or not they are part of the RIT centrally-managed infrastructure.

Requirements

The following security controls are required to be implemented.

  • If an RIT Network Device currently deployed is not capable of complying with a specific requirement of the Standard then that specific requirement is waived for that device.
  • All other RIT Network Devices currently deployed should comply with all requirements of the Standard.
  • All Network Devices purchased after the effective date of this standard should support all requirements of the standard.
  • All Network Devices deployed after the effective date of this standard should be configured to implement all requirements of this standard.
  • All Network Devices should be secured in an area with physical access control.
  • Core network equipment should be located in an alarmed area.
  • Core network equipment should be attached to an appropriately designed UPS and generator system.
  • Access to Network Devices should be controlled by access lists so that the equipment is accessible only from a limited number of locations.
  • Access to configuration backups should be restricted to authorized personnel only.
  • All networks should be protected from Layer-3 IP address spoofing by an access list or other means.
  • All external connections to RIT should be protected by an access list that blocks certain high-risk TCP/UDP ports.
    • This port list is maintained by ITS and reviewed by ITS yearly (or as needed). Changes to it are subject to the change control process.
  • Centralized user-level authentication should be used to authenticate all interactive users making changes to any Network Device.
  • Locally stored (hard-coded) credentials are permitted only where necessary for non-interactive purposes and for recovery of Network Devices that have lost network connectivity and therefore cannot reach the central authentication service.
  • Whenever possible, Network Devices will display a trespassing banner at login.
    • The banner text shall not reveal the underlying characteristics of the Network Device (for example vendor, model, software version or role). Sample banner text may be found via the Network Standard Web page.
  • On any 802.1q trunk, the native VLAN should not be VLAN 1.
  • Plain-text protocols should not be used in network management.
  • Management traffic should be separated from user traffic.
  • Network Device management interfaces should be on a management network.
  • Any console ports used for device management should be secured by a username/password or other ISO-approved method.
  • Network management services should transition from SNMPv1, v2 and v2c to SNMPv3 configured with both authentication and privacy (or another option that sends neither community strings nor management data in plaintext).
  • Default SNMP community strings should be changed.
  • Initially prohibited protocols include LDAP without TLSv1.2 (or later), FTP, telnet, the remote host (r-command) protocols such as rsh and rlogin, SSHv1, SSLv1, SSLv2 and SSLv3.
  • An IDS service should be deployed on the links between the Institute network and the public Internet or Internet2. Hosts that trigger the rule set shall be automatically blocked from further network access until the cause of the detection is understood and remediated.
  • The IDS configuration will be reviewed by ITS every six months or upon changes to the configuration.
  • Anti ARP-spoofing technologies should be deployed on user-edge Network Devices.
  • DHCP snooping and ARP inspection features should be enabled on Network Devices to better secure layer-2 networks against techniques such as ARP spoofing and rogue DHCP servers.
  • Any changes involving significant risk to the Institute network should go through a change control process.
  • The change control process should include:
    • Problem statement
    • Supporting data
    • Potential solutions
    • Impact/Risks
    • Management approval of changes
  • All Network Devices should log to a logging/network management system.
  • To ensure the integrity of the network, all Network Devices should be regularly monitored for reachability from a centralized network management system.
  • Any logs, including but not limited to, network, telecom, security, and IDS logs shall be confidentially provided to the AVP Risk Management, AVP Human Resources or Chief Legal Affairs Officer upon written request to the CIO.
  • Passwords on Network Devices should be changed in accordance with the currently stated password standard.
  • Network administrators shall disable or change all manufacturers’ default passwords.
  • The configuration of all pieces of network equipment should be backed up regularly.
  • The configurations should be subject to managed revision control. Any configuration change should automatically generate a notification to the Network Administrator(s) in a timely manner.
  • An audit of network configurations may be conducted by either ITS or IACA. IACA may review the audit results upon request.
  • Any VPN service deployed for use at RIT should be configured so that connected clients cannot reach the Internet except through RIT (i.e., split tunneling is disabled).
  • Any new VPN service should undergo a security review.
  • The network should be scanned regularly for hosts that are vulnerable to remotely exploitable attacks. Vulnerable hosts will be “moved” to a quarantine network where they may be allowed to self-remediate.
  • All data gathered from the vulnerability scanning and quarantine processes should be classified as RIT Confidential information.
  • The quarantine network will allow hosts to access services necessary to patch and remediate infections. These services may be provided through a proxy server.
  • Explicit blacklisting or permanent whitelisting of the ITS vulnerability scanner is prohibited.
  • Notification to administrators of registered subnets or individual network addresses in the event of quarantine or blocking:
    • The local administrator of the registered subnet or individual addresses is responsible for maintaining accurate registration information.
    • Unless the network may be harmed without immediate quarantine or blocking of compromised computers, the Network Administrator should notify administrators of systems found to be vulnerable by the vulnerability scanner before the systems are placed into quarantine or blocked.
    • If immediate quarantine or blocking is necessary to avoid harm to the network, the Network Administrator should notify the administrators of affected systems in a timely manner.
  • All new wireless Network Devices should support ISO-Approved Encryption Methods.
  • Minimum levels of security should be adhered to according to a schedule developed by the ISO in collaboration with the RIT community.
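As an added illustration (not part of the RIT standard and not an ITS tool), the following Python script audits a constructed IOS-style switch configuration against several of the checkable requirements listed above: centralized AAA login, a login banner, no SNMPv1/v2c community strings plus an SNMPv3 group requiring authentication and privacy, DHCP snooping and ARP inspection, remote logging, no VLAN 1 as the native VLAN on 802.1Q trunks, and SSH-only management on the vty lines restricted by an access list. The device name, addresses, VLAN numbers, the TACACS+ method and the sample configuration itself are hypothetical, and the parser is a deliberately simple line-based one, so this is a starting point for the kind of configuration audit the standard mentions rather than a substitute for a vendor compliance tool.

```python
"""Audit an IOS-style config against several Network Security Standard checks.
Constructed example: the config, names and addresses are hypothetical and the
parser is a simple line-based one, not a vendor compliance tool."""
import re

# Constructed sample config for a hypothetical user-edge switch. It carries three
# deliberate violations: an SNMPv2c community string, VLAN 1 as the native VLAN
# on the trunk, and telnet enabled on the vty lines.
SAMPLE_CONFIG = """\
hostname sw-edge-01
aaa new-model
aaa authentication login default group tacacs+ local
banner login ^C
Unauthorized access is prohibited. Activity may be monitored and reported.
^C
snmp-server community public RO
snmp-server group NMS-RO v3 priv
snmp-server user nms NMS-RO v3 auth sha Auth-Pass-1 priv aes 128 Priv-Pass-1
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
logging host 10.200.0.5
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 1
!
line vty 0 15
 transport input telnet ssh
 access-class MGMT-ACCESS in
"""

# The same device with the violations corrected: community string removed, an
# otherwise unused VLAN 999 as the native VLAN, SSH-only vty transport.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("snmp-server community public RO\n", "")
                   .replace("native vlan 1", "native vlan 999")
                   .replace("transport input telnet ssh", "transport input ssh"))


def parse_config(text):
    """Return (global_lines, blocks); a block is (header, [indented body lines]).
    '!' separators are ignored and a banner body is skipped up to its closing
    delimiter so that its text is not mistaken for commands."""
    globals_, blocks, current = [], [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        i += 1
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        globals_.append(raw.strip())
        if raw.startswith("banner "):
            delim = raw.split()[-1]
            while i < len(lines) and delim not in lines[i]:
                i += 1
            i += 1  # skip the closing delimiter line
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return globals_, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_config(text)
    findings = []
    # Centralized user-level authentication: AAA login via TACACS+ or RADIUS.
    if "aaa new-model" not in g or not any(
            re.match(r"aaa authentication login \S+ group (tacacs\+|radius)", l) for l in g):
        findings.append("AUTH: no centralized AAA login method (tacacs+/radius)")
    # Trespassing banner at login.
    if not any(l.startswith(("banner login", "banner motd")) for l in g):
        findings.append("BANNER: no login banner configured")
    # SNMP: no v1/v2c community strings, and an SNMPv3 group requiring authPriv.
    for l in g:
        m = re.match(r"snmp-server community (\S+)", l)
        if m:
            findings.append(f"SNMP: v1/v2c community string configured: {m.group(1)}")
    if not any(re.match(r"snmp-server group \S+ v3 priv", l) for l in g):
        findings.append("SNMP: no SNMPv3 authPriv group")
    # Layer-2 protections and central logging.
    if "ip dhcp snooping" not in g:
        findings.append("L2: DHCP snooping not enabled globally")
    if not any(l.startswith("ip arp inspection vlan") for l in g):
        findings.append("L2: dynamic ARP inspection not enabled on any VLAN")
    if not any(l.startswith("logging host") for l in g):
        findings.append("LOG: no remote syslog host configured")
    for header, body in blocks:
        # 802.1Q trunks: native VLAN must not be 1 (the IOS default when unset).
        if header.startswith("interface") and "switchport mode trunk" in body:
            native = 1
            for l in body:
                m = re.match(r"switchport trunk native vlan (\d+)", l)
                if m:
                    native = int(m.group(1))
            if native == 1:
                findings.append(f"TRUNK: {header} uses VLAN 1 as native VLAN")
        # Management access: SSH only, restricted to listed source addresses.
        if header.startswith("line vty"):
            tr = [l for l in body if l.startswith("transport input")]
            if not tr or any("telnet" in l or l.endswith(" all") for l in tr):
                findings.append(f"MGMT: {header} allows telnet or unrestricted transport")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"MGMT: {header} has no access-class restricting sources")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the three planted violations and `audit(HARDENED_CONFIG)` reports none. Treating a trunk with no explicit native VLAN as VLAN 1 matters in practice: the default is what makes an unconfigured trunk non-compliant, so an auditor that only looks for the literal string "native vlan 1" would miss it.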

Before being allowed on the network, all network devices or systems with an IP address on the network should be registered in an ISO-approved registration system.

  • This device registration should include all MAC addresses and the name of the party responsible for the device.
  • Guest access should be registered with appropriate contact information.

Who does it apply to?

All systems or network administrators managing devices that:

  • Connect to the centrally-managed Institute network infrastructure
  • Process Private or Confidential Information

Currently, personal network devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. However, the use of wireless routers is prohibited in residential areas on campus. The use of wired routers is still acceptable; read and comply with the requirements in the Resnet guide to Using a Router on the RIT Network before using one.

See our Wireless Networking page for information on how to access wireless networks at RIT and how to set up and use a wireless network at home.

What do I need to do?

Use the Network Security Checklist to set up your networking device.

Additional Information

Network administrators should consult the Technical Resources pages for detailed information, including preferred and prohibited protocols, trespassing banners, etc.

NOTE: During the pandemic period, we are removing the restriction on split tunneling.

Network Security Checklist (pdf)

Effective Date: August 1, 2009

Standard History:

  • November 1, 2006
  • November 11, 2013
  • October 19, 2015