Network Security Standard

STANDARD STATEMENT

This standard establishes the expectations for the security of university networks and their associated network devices in alignment with the and .

REASON FOR STANDARD

The university’s IT network forms the backbone for the reliable transportation of data between individuals, departments, schools, divisions, and the rest of the world. The purpose of this standard is to provide the requirements for the configuration, deployment, and administration of Vanderbilt University’s (VU’s) IT network in alignment with the Secure Configuration Management Policy.

The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.

SCOPE AND AUDIENCE

This standard applies to the entire Vanderbilt University community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called “VU Community Members”). In instances where institutional data is shared with other parties, this standard extends to the custodians of the shared data.

DEFINITIONS

Encryption: The act of rendering something inaccessible by unauthorized people and/or unreadable through unauthorized means. Specifically, preventing access to digital spaces or making data unreadable in plaintext.

Information Technology (IT) Asset: Devices, systems, and applications that enable the organization to achieve university business, academia, and research. IT assets include but are not limited to hardware assets (e.g., servers, laptops, printers, IoT devices, etc.) and software assets (e.g., operating systems, applications, cloud components, etc.).

IT Asset Owner: An individual or team accountable for the overall management and lifecycle of their respective IT assets. If applicable, responsible for partnering with IT Asset Stewards for central inventory and lifecycle management functions.

IT Asset Steward: An individual or team that is responsible for day-to-day maintenance and support of IT assets and their configurations.

Network Device: Any physical or virtual component that makes up the university’s network infrastructure.

Subnetwork: A logical division of an IP network.

Virtual Local Area Network: A broadcast domain that is partitioned and isolated at the data link layer (Layer 2) of the OSI model.

Supervisory Control and Data Acquisition: A control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.

Programmable Logic Controller: A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three-mode (PID) control, communication, arithmetic, and data and file processing.

De-Militarized Zone: A perimeter network segment that is logically located between internal and external networks. Its purpose is to enforce the internal network’s information assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from external attacks.

Internet of Things: The interconnection of electronic devices embedded in everyday or specialized objects, enabling them to sense, collect, process, and transmit data.

Service Set Identifier (SSID): A name assigned to a wireless network.

Remote Access: A method of access that permits an individual from an off-campus location to connect to an on-campus system or application.

Virtual Private Network: A remote access service that enables an encrypted connection over a public network infrastructure such as the internet and prevents unauthorized people from eavesdropping on the traffic.

Multi-Factor Authentication: An authentication method that requires the user to provide two or more verification factors to gain access to a resource. For example, providing something the user knows (password), something the user has (badge or smart device), or something the user is (fingerprint or facial recognition).

Open Systems Interconnection (OSI) Model: A conceptual model that provides a common basis for the coordination of ISO standards development for the purpose of systems interconnection. In the OSI reference model, the communications between computing systems are split into seven abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

STANDARD

A. ROLES AND RESPONSIBILITIES

Chief Information Security Officer (CISO): The CISO is responsible for the supervision, direction, and enforcement of the Information Security Program including all Information Security policies and standards.

Vanderbilt University Information Technology (VUIT): VUIT is responsible for the secure configuration, deployment, and administration of all network devices except enterprise firewalls in compliance with the requirements of this standard.

The Office of Cybersecurity: The Office of Cybersecurity is responsible for the secure configuration, deployment, and administration of all enterprise firewalls, and reviewing and approving external network connections in compliance with the requirements of this standard.

B. NETWORK DEVICE REQUIREMENTS

Installation

Installation of all network devices must be approved and coordinated by VUIT. A network device is any physical or virtual component that makes up the university’s network infrastructure. This includes but is not limited to firewalls, hubs, routers, bridges, switches, gateways, modems, wireless access points, personal Wi-Fi, MiFi (hotspots) and other cellular-type wireless devices, etc. VUIT may at its own discretion block and/or physically remove unapproved network devices without warning.

Secure Configuration

Network devices must be securely configured to meet the following requirements:

  • Located in an area with appropriate physical access control,
  • Configured with an appropriate secure baseline in compliance with the Secure Configuration Management Policy,
  • Configured with a current and tested OS/firmware version that is patched against known security vulnerabilities,
  • Configured to use 802.1x authentication, where technically feasible,
  • Configured in a way that does not allow for security configurations to be bypassed,
  • Vendor-supplied default passwords changed prior to deployment,
  • The access VLAN must not be VLAN 1,
  • Unpatched ports and unused services must be disabled,
  • The insecure protocols listed below must be disabled:
    • Simple Network Management Protocol (SNMP) version 1. Default SNMP community strings must be changed.
    • Terminal Network (Telnet)
    • File Transfer Protocol (FTP)
    • Secure Shell (SSH) version 1
    • Server Message Block (SMB) version 1, and
  • Allowed protocols must use currently secure versions. The Office of Cybersecurity will determine the versions of allowed protocols that are insecure and work with VUIT and VU community members to disable the use of insecure versions of protocols.
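The Secure Configuration requirements above lend themselves to an automated check. The following is an added example, not VU's or VUIT's own tooling: it audits a constructed, IOS-like switch configuration (a simplified syntax assumed for illustration) for a default or SNMPv1 community string, FTP, Telnet on the VTY lines, access ports left on VLAN 1, and access ports without 802.1X.

```python
# Added example, not VU's code: audit a constructed, IOS-like switch config
# against the section B requirements. The syntax is simplified and assumed.

# Constructed sample config (not from the page) with several violations.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community r0-s3cur3 RO version 2c
ip ftp server
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 1
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 120
"""

def parse_interfaces(config):
    # Group indented sub-commands under their 'interface ...' header.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_config(config):
    # Return findings against section B; an empty list means nothing was flagged.
    findings = []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"]:
            community = words[2]
            if community.lower() in ("public", "private"):
                findings.append(f"default SNMP community string '{community}'")
            if "version" not in words:  # no explicit version: SNMPv1 accepted
                findings.append(f"SNMPv1 enabled for community '{community}'")
        elif words == ["ip", "ftp", "server"]:
            findings.append("FTP server enabled")
        elif words[:2] == ["transport", "input"] and "telnet" in words:
            findings.append("Telnet accepted on VTY lines")
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        # Simplified-syntax assumption: no 'switchport access vlan' line means VLAN 1.
        vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan")), "1")
        if vlan == "1":
            findings.append(f"{name}: access VLAN is VLAN 1")
        if not any(c.startswith("dot1x") for c in cmds):
            findings.append(f"{name}: no 802.1X authentication")
    return findings
```

SSHv1 and SMBv1 are left out only because the sample syntax has no representation for them; the same pattern (match the enabling command, record a finding) extends to them.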

Network Segmentation and Isolation

VUIT is responsible for segmenting the network into physically and/or logically separate trusted and untrusted security zones. Trusted security zones must be further segmented based on business criticality, risk, and/or data sensitivity by utilizing subnetworks (subnet(s)) and/or Virtual Local Area Networks (VLAN(s)). A subnet is a logical subdivision of an IP network. A VLAN is a broadcast domain that is partitioned and isolated at the data link layer or Layer 2 of the OSI model.

In addition to being placed on a Layer 2 isolated VLAN, inter-VLAN routing at Layer 3 must be disabled, where technically feasible, in the following scenarios:

  • Legacy Devices – devices that are no longer supported by the manufacturer, are not receiving security updates, and cannot be upgraded to a current OS/firmware version,
  • Industrial Control Systems such as Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), and other facilities operations devices
  • Enterprise Internet of Things (IoT) devices,
  • Management/Administration interfaces of network devices, and
  • Where regulatory compliance requires disablement (e.g., systems housing Controlled Unclassified Information (CUI)).

If disablement is not technically feasible, inter-VLAN routing at Layer 3 must be limited to only the minimum connections that are needed to meet business needs.

Management/Administration

Access to management, security, or administrative functions of network devices must be compliant with the following:

  • Traffic must be separate from user traffic and isolated on a management network;
  • Traffic must use an approved encryption mechanism in compliance with the Encryption Standard;
  • Access must be secured by a privileged user account username/password combination and MFA, where supported, in compliance with the Identity and Access Management Policy; and
  • Passwords must comply with the university's password complexity requirements.

Logging and Monitoring

In compliance with the Security Logging and Monitoring Policy, all network devices must:

  • Continuously generate and transmit security logs to the university Security Information and Event Management (SIEM) tool; and
  • Continuously generate and transmit all other logs to a separate log collector.

Change Management

Changes to network devices and/or the university network must follow the established VUIT change management process.

C. BOUNDARY PROTECTION

Boundary protection devices, including but not limited to firewalls, routers, bastion hosts, encrypted tunnels, etc. must be configured by default to deny all inbound traffic and to allow inbound traffic only after completing a firewall rule request form in VUIT’s ITSM ticketing tool.

Boundary protection devices must be further configured based on the data classification level, as defined in the , of the IT assets within their boundary. Boundary protection devices must be configured to meet the boundary protection requirements outlined in Table 1 below.

Table 1. Boundary Protection Requirements

| Boundary Protection | Level 1 Data | Level 2 Data | Level 3 Data | Level 4 Data |
|---|---|---|---|---|
| Deny all outbound network communication by default and allow only by exception | Recommended | Recommended | Recommended | Required |
| Implement subnetworks for publicly accessible system components that are physically or logically separated from internal university networks | Required | Required | Required | Required |
| Implement full tunnel (no split tunneling) for VPN access to internal systems | Recommended | Recommended | Recommended | Required |
| Audit boundary protection rules at least annually | Recommended | Recommended | Required | Required |
| Continuous auditing of network traffic logs at external boundaries and key internal boundaries | Recommended | Required | Required | Required |

D. FIREWALL MANAGEMENT STRATEGY

The Office of Cybersecurity is responsible for the direction, execution, and management of the university鈥檚 firewall strategy. As part of that strategy, the Office of Cybersecurity will:

  • Block unused and ephemeral ports based on business criticality,
  • Disallow the use of high-risk applications or ports on the perimeter firewall unless business justification is provided and is approved by a manager of the requesting VU community member in accordance with the Security Risk Management Policy. This includes but is not limited to:
    • 20 and 21 (File Transfer Protocol)
    • 23 (Telnet)
    • 69 (TFTP)
    • 110 (POP3)
    • 111 (RPC)
    • 135/137/138/139/445 (NetBIOS/SMB)
    • 143 (IMAP)
    • 161/162 (SNMP)
    • 2049 (NFS)
    • 3389 (Remote Desktop Protocol (RDP))
    • Database applications and ports,
  • Implement firewall rules/services, intrusion prevention, and URL filtering as necessary and without prior notice to protect the university network from imminent threats, and
  • Use application-based or Layer 7 firewall rules where possible instead of port-based rules.

IT asset owners/stewards that need a change to a firewall must submit a firewall rule request ticket in the ITSM tool. IT Asset owners are responsible for contacting the Office of Cybersecurity when the IT asset that necessitates a firewall rule change is life-cycled and/or the firewall rule changes are no longer needed.
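Sections C and D together describe checkable properties of a rule set: inbound deny-by-default, a rule request ticket for every inbound allow, manager approval for the high-risk ports listed above, and (per Table 1) outbound deny-by-default, required for Level 4 data and recommended otherwise. The following is an added example, not the Office of Cybersecurity's tooling, that audits a constructed rule set for those properties; the rule dictionary format, the `ticket` and `approved_by` keys and the ticket IDs are all assumed placeholders.

```python
# Added example, not VU's own tooling: audit a constructed firewall rule set
# against sections C and D. Rules are evaluated in order, as a firewall would,
# so the last rule in each direction decides the default behaviour.

# Ports section D lists as high-risk (values from the standard).
HIGH_RISK_PORTS = {20, 21, 23, 69, 110, 111, 135, 137, 138, 139, 445,
                   143, 161, 162, 2049, 3389}

# Constructed rule set with placeholder ticket IDs (not real VU tickets).
# "ticket" is the firewall rule request ticket section C requires;
# "approved_by" records the manager approval section D requires for
# high-risk ports.
SAMPLE_RULES = [
    {"dir": "in", "action": "allow", "ports": {443}, "ticket": "TICKET-PLACEHOLDER-1"},
    {"dir": "in", "action": "allow", "ports": {3389}, "ticket": "TICKET-PLACEHOLDER-2"},
    {"dir": "in", "action": "allow", "ports": {22}},
    {"dir": "in", "action": "deny", "ports": "any"},
    {"dir": "out", "action": "allow", "ports": "any"},
]


def is_default_deny(rules, direction):
    """True when the last rule in that direction denies all traffic."""
    same_dir = [r for r in rules if r["dir"] == direction]
    return bool(same_dir) and same_dir[-1]["action"] == "deny" and same_dir[-1]["ports"] == "any"


def audit_rules(rules, data_level):
    """Return (severity, finding) pairs for a boundary around data of the given level (1-4)."""
    findings = []
    if not is_default_deny(rules, "in"):
        findings.append(("required", "inbound traffic is not denied by default"))
    for r in rules:
        if r["dir"] != "in" or r["action"] != "allow":
            continue
        ports = r["ports"]
        label = "any" if ports == "any" else ",".join(str(p) for p in sorted(ports))
        if not r.get("ticket"):
            findings.append(("required", f"inbound allow for port(s) {label} has no rule request ticket"))
        # 'any' exposes every high-risk port, so it needs the same approval.
        exposes_risky = ports == "any" or bool(ports & HIGH_RISK_PORTS)
        if exposes_risky and not r.get("approved_by"):
            findings.append(("required", f"high-risk port(s) {label} allowed without manager approval"))
    if not is_default_deny(rules, "out"):
        severity = "required" if data_level == 4 else "recommended"  # Table 1
        findings.append((severity, "outbound traffic is not denied by default"))
    return findings
```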

The Office of Cybersecurity may also, at its sole discretion, grant individuals and/or departments Read-Only access to the enterprise firewall management platform. This read only access is:

  • Based on business need,
  • Reviewed at least annually by the Office of Cybersecurity, and
  • Removed when no longer necessary.

E. PUBLIC IP ALLOCATION

Public IP addresses are by nature less secure than private IP addresses due to their exposure to the public internet. To meet business needs where a public IP address is required, public IP addresses will:

  • Be granted by exception only. The Office of Cybersecurity is responsible for approval of public IP address exception requests. Any such request will be assessed based on the amount of risk it introduces to the university and in compliance with the Security Risk Management Policy;
  • Be terminated by a load balancer with the system having a private IP address where technically feasible;
  • Be physically located inside a data center behind a firewall (preferred), or logically behind a distribution firewall in a designated zone;
  • Have limited connectivity to internal and external networks to only those ports and services needed to meet business needs.

F. REMOTE ACCESS

Remote access is a method of access that permits an individual from an off-campus location to connect to an on-campus system or application. The Office of Cybersecurity will provide a Virtual Private Network (VPN) to VU community members for secure remote access. A VPN is a remote access service that enables an encrypted connection over a public network infrastructure such as the internet and prevents unauthorized people from eavesdropping on the traffic. The use of any VPN software and/or clients other than the university provided VPN solution must be reviewed and approved by the Office of Cybersecurity. In addition to the use of the VPN, remote access to university IT assets must comply with the following requirements:

  • Remote access to an IT asset must be authorized by the system administrator,
  • Must use a vendor supported, patched remote access client with no known unpatched security vulnerabilities,
  • Authentication methods used for remote access including but not limited to, username/passwords, key-based, digital certificates, password-less authentication, etc. must comply with the Encryption Standard and the Identity and Access Management Policy where applicable,
  • Remote access to IT assets housing Level 3 or higher data or to an IT asset's management interface must leverage MFA in compliance with the Identity and Access Management Policy, and
  • Remote access to IT assets housing Level 4 data must leverage the university VPN on a dedicated IP range that is logically separate from other VPN traffic.

The following remote access protocols are permitted for use:

  • Secure Shell (SSH) – must use SSHv2 or later protocol.
  • Remote Desktop Protocol (RDP)

G. EXTERNAL CONNECTIONS

Network connections to individuals, companies, or facilities that are external to Vanderbilt and by their nature extend the perimeter of the university network including but not limited to site-to-site (IPsec) tunnels, direct connects, cloud, etc. must be:

  • Reviewed by the Office of Cybersecurity based on the risk posed to the university and approved in accordance with the Security Risk Management Policy prior to the connection being established,
  • Encrypted with an approved encryption mechanism per the Encryption Standard,
  • Reviewed at least annually by the Office of Cybersecurity, and
  • Disabled when no longer needed.

Additionally, the Office of Cybersecurity reserves the right to take immediate action to disable any or all external connections without warning to protect the university network from imminent threats.

H. WIRELESS NETWORKS

VUIT is responsible for the secure design, deployment, and management of university wireless networks. As such, VUIT will:

  • Approve all installations of wireless access points on campus,
  • Ensure that wireless access points meet applicable rules of regulatory agencies such as the Federal Communications Commission,
  • Ensure that all wireless access points meet the secure configuration requirements set forth in section B of this standard,
  • Ensure secure authentication and authorization mechanisms are in place before network access is given,
  • Ensure that separate Service Set Identifiers (SSIDs) exist and are logically separated based on their function (e.g., guest or enterprise IoT networks), and
  • Monitor for unauthorized or rogue wireless access points and disable them as appropriate.

EXCEPTIONS

On a rare occasion, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.

ENFORCEMENT

Any VU community member that violates this policy may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law and individuals shall be accountable as applicable.

FORMS AND TOOLS

N/A

FREQUENTLY ASKED QUESTIONS

N/A

HISTORY

| Review Date | Summary of Changes |
|---|---|
| February 2025 | Added a review cadence |