Network Server Security Requirements and Procedures
The University of Massachusetts Boston (UMass Boston) provides network services to a large number and variety of users, including faculty and staff members, students, and external constituencies. Security compromises for any campus-networked system can have a detrimental impact on other systems housed on UMass Boston’s network infrastructure. Information Technology (IT) at UMass Boston, in cooperation with university constituents, has campus-wide responsibility to ensure the stability, performance, integrity, and security of networking systems and to provide the wiring, cable, and wireless network infrastructure supporting voice, data, and video services.
University data are a critical institutional asset that are relied upon heavily for decision-making needs in all areas of university operations. It is essential to ensure the protection, integrity, and reliability of data, including instructional, research, financial, personal, operational, and other sensitive data, that are maintained on or served from university information systems. IT is responsible for making certain these systems are protected from misuse and that both the systems and the data stored on them are maintained and accessed in a secure environment.
This UMass Boston policy is in compliance with the Board of Trustees policy T97-010 (passed February 5, 1997; last revised September 23, 2005) Policy Statement on Data Security, Electronic Mail, and Computer Policy Development, which requires that each campus of the University of Massachusetts (UMass) develop and implement policies, standards, and guidelines related to data security, electronic mail, and acceptable use of computing and data resources. This policy is also in compliance with all UMass policies, standards, and guidelines, specifically the University of Massachusetts Data and Computing Standards and the University of Massachusetts Data and System Administrator Responsibilities and System Requirements.
UMass Boston is required to provide reasonable protection consistent with federal and state laws placing fiduciary obligation on UMass Boston to protect the privacy, use, and security of select data. Laws include, but are not limited to: Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), Gramm-Leach-Bliley Act (GLBA), the United States Patriot Act (USPA), Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA) and others. This policy is intended to define the limits of that obligation and the duties and responsibilities of university employees to safeguard information that constitutes protected data on all UMass Boston computer network resources.
This policy is subject to change as new technologies and processes emerge.
Data or information security – refers to the development and implementation of a reasonable system of controls, measures, and safeguards to protect data (regardless of the medium on which it resides) and computing resources from unauthorized access, theft, removal, misuse, disclosure, or corruption so that data and computing resource availability and integrity are preserved.
Host-based or network-based intrusion-detection systems – systems that use an automated tool or set of tools designed to monitor traffic on networks in order to detect security violations by analyzing the data and the data source and to respond with appropriate actions.
Physical network security – controlled access to areas that house network infrastructure components, such as data electronics and physical cable plant.
Network management – the execution of the set of functions required for controlling, planning, allocating, deploying, coordinating, and monitoring the resources of a data network.
Network server – defined broadly, is a computer physically connected to the UMass Boston data network for the purpose of sharing or distributing its information resources such as printers, files, and programs. This definition is intended to include desktop workstations that are configured to run as servers, but to exclude desktop workstations that are supporting peer-to-peer file or printer sharing.
Network traffic – defined broadly, is the flow of data within the confines of the UMass Boston network, and traffic flowing from the UMass Boston network through the Internet service provider.
Remote access – the ability to get access to a computer or network from a remote location via telephone lines or a secondary Internet service provider
UMass Boston computers and networked resources – include all computers and network resources (e.g. routers, switches, print servers, remote access servers) owned or operated by or on behalf of UMass Boston, as well as all systems directly connected to IT-maintained networks or systems on networks that receive network service from UMass Boston (e.g., campus local area network connections, modem pools, virtual private network connections).
User authentication system – refers to an authentication scheme used by servers to validate the identity of remote clients.
Virtual private network (VPN) – is a private communication network to communicate confidentially to the protected UMass Boston network over a publicly accessible and less trustworthy network (e.g. the Internet) on top of standard protocols, inserting a firewall between the remote user’s workstation and the UMass Boston network or server.
Wireless access point (WAP) – unlicensed spread spectrum radiofrequency wireless network access device or technology that provides a bridge between UMass Boston’s wired and wireless networks.
Campus Network and Server Security Policy
As the central support entity for the UMass Boston data network, IT is assigned the following responsibilities and authority:
Network Management and Security
- IT is the primary contact for all network management and network security related activities.
- IT will prepare network recommendations and guidelines and will post them on IT web pages. IT will publish security alerts, post vulnerability notices, direct users to applicable security patches, and disseminate other pertinent information to assist in preventing network security breaches.
- All inbound dial-up lines (e.g., modems) and real-time external connections (e.g., Internet) to the UMass Boston network must pass through an additional access control point (e.g., firewall) before authorized users reach the log-in banner or screen. The access control point, using a user authentication system, will uniquely identify each user, device, and port. It is a goal of UMass Boston to eliminate all dial-up modems through use of a VPN.
- IT will coordinate investigations into any alleged computer or network security compromises, incidents, or problems. Suspected security problems and issues should be reported to IT via e-mail to firstname.lastname@example.org or by calling extension 7-5220.
- IT will monitor all network traffic (i.e., intra-campus, inbound and outbound Internet, modem connections, VPN) in real-time as necessary and appropriate for data and information security purposes (e.g., to detect unauthorized activity or intrusion attempts) and to ensure proper network management and performance. The vice provost for information technology and chief information officer (CIO) will be responsible for implementing network traffic controls necessary to achieve network management and security objectives and that are consistent with the academic and business operations goals of UMass Boston.
- IT is authorized to perform a security audit or scan of any UMass Boston computer, server, or network device at any time to support network operations and performance and to ensure appropriate security. If a security audit or scan identifies security vulnerabilities that could jeopardize the UMass Boston network or the integrity and reliability of university data, then the cooperation of the device custodian or system manager will be solicited to accomplish the necessary corrective action. If the appropriate contact cannot be made, the head of the custodian’s or manager’s department or unit will be notified. If the computer, server, or network device constitutes a serious security issue or negatively impacts the UMass Boston network on a global basis, IT is authorized to take the appropriate action after consultation with proper university officials, including suspending network access of the device, until the security issue or performance problem has been rectified.
- IT must approve and install any network filtering devices used as a firewall. While these types of firewall systems can provide excellent functionality, there are a number of potential problems with using them. These problems include: (a) the security of the host system itself must be maintained; (b) network filtering devices are often difficult to configure and maintain, requiring significant system administration skills and may result in excessive coordination responsibilities for IT staff; and (c) an improperly configured network filtering device may cause problems for other systems on campus. If problems exist with a network filtering device, IT personnel will attempt to contact the appropriate individual. If contact cannot be made, IT personnel are authorized to take the appropriate action after consultation with proper university officials, including suspending network access of the device, until such time that a technical resolution is found.
- To ensure physical network security, IT will determine how access will be granted to rooms that house network electronics and physical cable plant.
Server Management and Security
- IT will develop and maintain a registry of all servers resident on the UMass Boston network, including all desktop workstations that are configured to run as servers. Registration can be accomplished using the online form located at the IT website. Such registration is intended for the identification of the resource on the network, to facilitate communications between all parties responsible for server support and operation, and to ensure compliance with all UMass Boston and UMass policies, standards, and guidelines, as well as state and federal rules and regulations relating to the storage, use, and security of data.
- All servers will conform to guidelines set forth in the Server High Risk Area document located at the IT website. Specific server configuration parameters are published on the IT website, which provides a library of general and operating system-specific guidelines.
- All servers that support administrative, business, or office functions or process, servers that house institutional data subject to federal, state or local law, or servers that act as the primary repository for institutional data will be administered by IT personnel. Moreover, it is a goal of UMass Boston that all such servers will reside within a secure IT-managed data center.
- Servers used and managed by academic departments for instructional or research purposes are permitted. However, registration of such servers with IT is required. Registration is not intended to imply control over the functional use of the server. It is a goal of UMass Boston that all servers used and managed by academic departments will reside within an IT-managed data center to ensure the security and availability of these resources. IT will assist all academic departments in determining appropriate security solutions to implement on servers residing outside of an IT-managed data center. This will minimize the potential for security breaches and data theft by intruders. IT will provide one or more valid Internet protocol (IP) addresses for dedicated systems, depending on demonstrated need. IT will configure and maintain all network firewall devices. Information concerning changes to individual unit firewall configuration and routine maintenance actions will be communicated to a designated department contact person.
- If servers are placed on UMass Boston’s network without proper registration, IT staff will attempt to contact the appropriate individual. If contact cannot be made, IT personnel are authorized to disconnect the server from UMass Boston’s network until such time as proper registration is completed.