Overview
Version 1.1
Last Revision Date: March 16, 2012
Approval Date: November 3, 2007
Approval Authority: CWRU Chief Information Security Officer
Purpose
The CWRU Quarantine Process is defined to inform and instruct network and help desk users in the use of the Quarantine Network in network-based security problem mitigation.
Scope
This policy applies to all information technology systems that use the CWRU network infrastructure.
Cancellation
Not applicable.
Procedure Statement
General
All hosts (personal computers, servers, printers, etc.) on CWRU networks are required to be registered in accordance with the II-3 Network Management Policy. When CWRU UTech staff detect anomalous network activity related to specific hosts on the network, the host in question can be placed in the Quarantine Network, which provides reduced network communication to the host. This network prevents the spread of attacks and malware while permitting end users to communicate with network-based anti-virus and software update services.
The operational model is to place hosts in the quarantine network, notify the end users or their responsible administrators, investigate the root cause, resolve the root cause and potential user practices, and return the host to full network services.
Procedure
- When a host exhibits anomalous network behavior which in the judgment of the UTech staff constitutes an unacceptable risk to the CWRU IT infrastructure and university computing environments, it may be placed into the Quarantine Network either manually or by automated means.
- When a host is quarantined, an automatic notification concerning the host is sent to the CWRU Help Desk. The CWRU Help Desk will create a tracking ticket and attempt to contact the registered owner of the host via phone calls (to the number listed in the CWRU LDAP) and email to the owner's case.edu email address. Once placed in the Quarantine Network, the host's user will see the Quarantine Page for all web traffic (due to traffic redirection). When the owner responds to the Help Desk, the owner is assisted in problem investigation and remediation.
- Upon successful remediation, the CWRU Help Desk will move the host from the Quarantine Network back to the production network. The tracking ticket will be closed out.
- If a quarantined host owner does not respond to the CWRU Help Desk within 30 calendar days of the original quarantine date, the host's network registration will be removed (registration disabled). When the host is disabled, the Quarantine Network changes will be removed and the network faceplate will be restored to the production network. The tracking ticket will be moved to a different work queue.
- To restore network services to a registration-disabled host, the host shall be brought to a CWRU Help Desk walk-in center, where it will undergo a full remediation by the Help Desk staff. Once the Help Desk staff have determined that the root cause of the original quarantine event has been understood, the owner is given corrective actions (up to a full system rebuild and secured configuration). A system baseline audit will be performed to assure the host is in compliance with the CWRU minimum standards for networked operation. The owner shall then pay a network restoration fee of $100.00, and the Help Desk will submit the tracking ticket to the CWRU UTech staff to restore network service for the host in question.
Responsibility
CWRU End Users: When a registered host is quarantined, contact the CWRU Help Desk. The Help Desk staff will assist the user in steps to self-assess and correct the security issues.
CWRU UTech Staff: Monitor the network for potentially malicious activity. Use established procedures and protocols to move hosts into quarantine proactively to prevent propagation of infections. CWRU UTech staff will also perform host registration disable and re-enable tasks. Maintain documented procedures with the CWRU Help Desk.
CWRU Help Desk: Contact End Users (as listed in the host registration information) when notified of a quarantine. Notify CWRU UTech Staff of a host that has been quarantined for more than 30 days without response from the End User.
Definitions
host: Any network-capable device utilizing network services. A host can be a personal computer, a networkable appliance, a server resource, a printer, a scanner, or a copier.
network faceplate: The primary network interface for CWRU users. Many network faceplates have fiber-optic cable connections, in which case network users will use a network switch with a fiber-media converter, permitting the host to connect using a standard RJ-45 type CAT-5a or CAT-6 network cable.
Standards Review Cycle
This procedure will be reviewed at a minimum every three years, on the anniversary of the policy effective date. The standard may be reviewed on a more frequent basis depending on changes in risk exposure.