II-6 Network Defense Policy

Date Approved:  May 31, 2016
Effective Date:  May 31, 2016
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 1.0; dated May 31, 2016
Related legislation and University policies:  

Review Period:  5 Years
Date of Last Review:  May 31, 2016
Related to:  Faculty, Staff, Students

Purpose

The purpose of this document is to define the policy governing availability of networked services to users on the public internet. The core objective is to reduce risk to the institution from internet-sourced attacks.

Coordination With Other Policies and Procedures

Scope

This policy applies to all CWRU managed or operated networks where institutional IT infrastructure is connected, on campus or at hosted locations.

Cancellation

Not applicable.

General

CWRU originally implemented network security appliances and firewalls in a manner deemed necessary to provide a low barrier to entry for users to share IT based information and systems with the world through publicly accessible internet protocols. This policy addresses a fundamental change in network security strategy and brings the CWRU campus network to a layered defense posture.

Network attacks from off campus sources have increased to a level of persistence and severity where even basic IT infrastructure has been successfully targeted.

CWRU is reducing the security risk to campus networked systems through the implementation of this policy.

Requirements

  1. CWRU networked IT infrastructure will transition from a model of "default allow, block specific ports and protocols" to a model of "default deny, permit only vetted and approved ports and protocols."
  2. CWRU will deny, by default, network communications from external networks to CWRU endpoints.
  3. CWRU shall maintain an assessment and evaluation process to address user requests to allow a CWRU endpoint to be accessible from external networks (Internet facing services).
    1. On-campus users shall demonstrate a unique need for any exception to this policy, and the ability/resource to manage cyber risk to their allowed service.
    2. Exceptions may be granted on a temporary basis, with a maximum timeframe of 1 calendar year, after which time the exception request must be re-submitted for renewal.
    3. Users that would like to request external (from off-campus networks) access to a CWRU network endpoint must open a help desk ticket and submit a firewall access request. They will have their request evaluated in context of IT risk exposure to the university.
    4. Only minimum essential services and processes will be approved as exceptions, based upon device, IP address, service port, or application.
  4. The Chief Information Security Officer will periodically direct the assessment of overall risk to the university's information technology infrastructure presented by networked systems available from off-campus.
    1. Exposed CWRU endpoints that are at risk may have their exception temporarily suspended until risks have been mitigated.
  5. Consequences for non-compliance will be addressed as a violation of the policy for Acceptable Use of Information Technology Resources.

Responsibility

Network Security and Information Security: Assess IT systems and services with Internet facing services and make risk-based recommendations for exceptions to the deny all rule.

System Owners with exceptions granted: Apply system hardening and maintain all security patching to systems exposed to off campus traffic.

Definitions

Data Center - Restricted access facilities on campus where server and network infrastructure are housed.

Default Deny - A default deny rule in firewall management refers to the default blocking of all network services, where only selected, approved, and trusted services are allowed through the firewall with the implementation of an Access Control List.

External Networks - Any network that is not part of the CWRU IT infrastructure, and is therefore an untrusted network.

CWRU Endpoint - A networked device with a fixed IP address using CWRU networks where an IT service is provided.

Cyber Risk - In the context of this policy, management of cyber risk means that the CWRU business unit or administrator of the system is accountable to ensure their system is not creating unnecessary risk to the university IT infrastructure.

Internet Facing Services - Network based services or protocols that can be accessed directly from the Internet without the use of any VPN services (e.g. www.case.edu).

Minimum Essential - only the ports and services needed to accomplish the mission of the endpoint.

Unique Need - an academic or research focused service that cannot be fully supported or hosted in a data center or other university commodity IT service.

Standards Review Cycle

This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.