
IT Network Guidelines

Introduction

The aim of this guideline is to give a basic overview of the network setup used within the Faculty and to set out the requirements for machines that need access beyond what a standard staff subnet provides.

The University network is made up of many IP ranges. These ranges are split into subnets (smaller ranges), and each subnet is allocated for a specific purpose.

Each subnet has particular access control properties assigned to it based on the VLAN (virtual LAN) group that machines on that subnet are assigned to. The access control groups are generally of five types: staff client; student client; internal server; external server; and internal (direct) management.

The planning, sign-off and assignment of each port to a particular subnet is the responsibility of the Faculty IT group, as there are a number of considerations that must be taken into account for each port. Administrative staff members may be authorised by the Faculty IT group to submit network port requests for client subnets on behalf of their school.

Access is granted on a least-privilege basis, so that a machine receives only the network access its role requires and our systems are as protected as possible.

In addition to the access controls applied at the network level, access controls are also applied locally by the firewall on each client machine. The two layers are independent: the host firewall must still be configured tightly (see Internet access below) even where the network-level rules are permissive.

Standard Network Subnets

(VLANs 160 and 437)

The majority of ports in the Faculty are “staff client” ports. These allow full access between machines on the same subnet and access to various restricted resources without special authentication. These are the ports available in offices to staff and postgraduate students.

Ports available in labs or rooms used by undergraduate students are placed on a “student client” subnet, which allows full communication between machines on the same subnet but has additional restrictions for some resources. For example, a machine on a student client subnet cannot connect to ESS, SAP or Callista.

A machine on a staff subnet cannot communicate with a machine on a student subnet, and vice versa.

Client subnets are faculty specific: a connection from a machine on a Science client subnet would not reach a machine on an Engineering client subnet.

Client subnet ports are not directly accessible from outside the University. Machines on staff subnets can be reached remotely only by first connecting to the VPN using a staff certificate.

Server Subnets

Machines on a server subnet are intended to act as servers only. Workstations and machines used day-to-day as a client PC will not be placed on server subnets. Machines on a server subnet must run an appropriate operating system and are subject to strict guidelines on usage and configuration.

Also note that, by their nature, server subnets have outbound access controls enabled: for example, internal server subnet machines cannot access the internet, and external server subnet machines cannot access client subnets. Servers generally do not need to make outbound connections into the Monash network and are therefore restricted from doing so, to protect the internal network should a server be compromised.

Placing a machine on a server subnet does not mean that every port will be reachable to or from it. Networks and the University IT Security group maintain a list of ports that are blocked by default because they are known and heavily used attack vectors. A block on a particular port may be lifted, subject to approval by the Faculty IT Security Officer (Team Leader, Workstation Support) and the ITS Security Group.

Internal Server Subnets

Machines on an internal server subnet accept connections from a wider range of subnets than a client machine does. These are generally used where a service requires access from multiple faculties or user groups, such as a licence server that people in Science, Engineering and Arts need to reach.

There are varying levels of internal server subnets that allow or restrict access from different faculties, student/staff subnets, VPN and wireless, based on the needs of the applications or services on the machine and the level of risk. Machines on these subnets are less secure than machines on a client subnet, as there are more opportunities for the machine to be accessed and potentially compromised.

External Server Subnets

Machines on the external server subnets are the most exposed, as they are open to direct connections from both the internet and almost all University subnets.

Machines on an external server subnet see the highest number of attacks in real terms: machines at the University are port scanned by outsiders 24 hours a day, 7 days a week, and are under constant attack. The University does have systems set up to prevent and mitigate these attacks, but prevention and mitigation must happen at a number of layers for machines to remain secure (see the conditions below regarding management of machines with elevated network privileges).
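The segmentation rules in the sections above (full access within a client subnet; staff, student and cross-faculty client subnets isolated from each other; client subnets unreachable from outside except via staff VPN; internal servers with no internet access; servers not initiating connections into the University network; external servers reachable from the internet; and a default block list on server ports) can be written down as an ordered, first-match policy. The following is an added example for this page, not the Faculty's real configuration or ACLs: every address range, the zone names, the assumption that external servers and clients may reach the internet, and the stand-in block list {135, 137, 138, 139, 445} are illustrative, since the guideline names VLANs but gives no CIDRs and does not enumerate the blocked ports.

```python
"""Model of the subnet access-control rules described in this guideline.
Added example: the address ranges below are assumed for illustration; the page
names VLANs but no CIDRs, and the real rules live in the University's ACLs."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    kind: str      # staff | student | internal_server | external_server | vpn | internet
    faculty: str   # "" for zones that are not faculty specific
    net: IPv4Network


# Assumed example ranges (not the Faculty's real addressing).
ZONES = [
    Zone("sci-staff", "staff", "science", ip_network("10.1.160.0/24")),
    Zone("sci-student", "student", "science", ip_network("10.1.161.0/24")),
    Zone("eng-staff", "staff", "engineering", ip_network("10.2.160.0/24")),
    Zone("internal-srv", "internal_server", "", ip_network("10.9.0.0/24")),
    Zone("external-srv", "external_server", "", ip_network("192.0.2.0/24")),
    Zone("vpn-staff", "vpn", "", ip_network("10.8.0.0/24")),
]
INTERNET = Zone("internet", "internet", "", ip_network("0.0.0.0/0"))
CLIENT = {"staff", "student"}
SERVER = {"internal_server", "external_server"}
# Assumed stand-in for the Networks/ITS default block list, which the page does not enumerate.
DEFAULT_BLOCKED_PORTS = {135, 137, 138, 139, 445}


def zone_of(ip: str) -> Zone:
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ip_address(ip)
    return next((z for z in ZONES if addr in z.net), INTERNET)


def allowed(src_ip: str, dst_ip: str, dport: int) -> tuple:
    """First-match evaluation of the guideline's rules; returns (decision, reason)."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    # Default block list applies to server subnets regardless of who is connecting.
    if d.kind in SERVER and dport in DEFAULT_BLOCKED_PORTS:
        return False, "port blocked by default; lifting it needs IT Security approval"
    # Client-to-client: only within one subnet.
    if s.kind in CLIENT and d.kind in CLIENT:
        if s.name == d.name:
            return True, "full access within one client subnet"
        return False, "staff/student and cross-faculty client subnets are isolated"
    # Anything else into a client subnet is blocked, except staff VPN into staff subnets.
    if d.kind in CLIENT:
        if s.kind == "vpn" and d.kind == "staff":
            return True, "staff-certificate VPN reaches staff subnets"
        return False, "client subnets are not reachable from servers or from outside"
    # Servers do not originate connections into the University network.
    if s.kind in SERVER:
        if s.kind == "external_server" and d.kind == "internet":
            return True, "internet access where enabled for the subnet (assumed here)"
        return False, "servers do not initiate connections into the University network"
    # Inbound to servers: external from anywhere, internal from University subnets and VPN.
    if d.kind == "external_server":
        return True, "external servers accept from the internet and almost all University subnets"
    if d.kind == "internal_server" and s.kind != "internet":
        return True, "internal servers accept from University subnets and VPN"
    if d.kind == "internet" and s.kind in CLIENT | {"vpn"}:
        return True, "client internet access (assumed enabled)"
    return False, "default deny"


if __name__ == "__main__":
    for flow in [("10.1.160.5", "10.1.161.9", 22), ("10.8.0.12", "10.1.160.5", 3389),
                 ("198.51.100.5", "192.0.2.10", 443), ("10.9.0.10", "198.51.100.5", 443)]:
        ok, why = allowed(*flow)
        print(f"{flow[0]:>14} -> {flow[1]:<14} :{flow[2]:<5} {'ALLOW' if ok else 'DENY'}  {why}")
```

Rule order matters: the block-list check and the client-subnet isolation sit before any allow, so a later, broader allow (internal servers accepting from University subnets) can never open a path the earlier rules closed. When requesting a port exemption or a new server placement, it is worth tracing the intended flow through a model like this to see which rule currently stops it.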

Elevation of Network Privileges

Elevation of network privileges (i.e. connection of a machine to a server subnet or port) is generally a faculty decision; however, the decision will be made in consultation with IT, security, audit, risk and legal experts across the University.

The Faculty IT Security Officer (Team Leader, Workstation Support) is the person to seek approval from for these types of requests. Requests will only be approved where the user agrees to abide by the following conditions:

Risk and Responsibility

  • A single user must be ultimately responsible for the machine.
  • The responsible user must be able to demonstrate reasonable IT knowledge of the applications that they are running on the machine (operating system included).
  • The responsible user will be required to sign acceptance of these terms and conditions. These conditions may be varied from time to time, and responsible users will be notified of changes to them.
  • The Head of School and Dean will be notified of these requests and must accept the potential risk involved.
  • The responsible user should familiarise themselves with the IT Security Framework. Where possible, its principles should be applied to all aspects of managing the machine. The Faculty IT group or the University IT Security group may require specific recommendations or standards to be implemented.
  • The responsible user will be required to complete a security plan (template provided).

General Security

  • The principle of least privilege applies to all users given access to the machine and to all connections/ports that are enabled.
  • Logging should be enabled for all services where available. Logs should be routinely reviewed (e.g. weekly) by the responsible user. Anomalies in logs should be raised with suitable experts to ensure any issues are corrected.
  • The machine will be subject to scanning by Faculty and University software and hardware packages (e.g. intrusion and penetration testing systems, patch detection systems, port scanning systems). Machines failing any scan or audit will be required to have the issue corrected immediately by the responsible user, or be disconnected until the fault can be rectified.
  • Applications, operating systems and hardware must be kept at current patch levels. New patches should be applied within 48 hours of release. It is recommended that the responsible user subscribe to the security announcement mailing lists for the products that they run.
  • Applications and operating systems on the machine must be fully and legally licensed. Software maintenance for all products on the machine is highly recommended and may be required in some cases.

Applications and Services

  • Services or applications are not to be run on the machine where they duplicate an existing University or Faculty application or service, e.g. licence servers, general content web servers, personal web space, general FTP services, email services.
  • Applications should only be run where they are specifically required on this machine.

Data and User access

  • Data classified at the critical and protected levels (according to the Electronic Information Security Classification Policy) must not be stored or used on this machine at any time.
  • Data classified at the restricted level may be allowable on the machine however this will need to be agreed to, in detail, in writing between the responsible user and the Faculty before restricted data can be stored on the machine.
  • User accounts are to be limited to only those who have a business need to access the machine.  Each user is to be allocated a unique set of credentials.
  • User accounts should generally be limited to University staff and students.  Where accounts are provided to external parties, the party should ideally be obliged to sign an access agreement or agree to an acceptable use policy.
  • A user account with the ability to elevate to root/administrative privilege is to be created on the machine at the request of the Faculty IT group, for its use in verifying and correcting the machine's configuration.
  • A password policy must be devised and enforced by the operating system and applications on the machine. The password policy must enforce, at a minimum, the requirements for a strong password as listed on the ITS website (http://www.its.monash.edu.au/staff/security/passwords/).
  • A lockout policy must be enforced by the operating system and applications on the machine. At a minimum, the lockout policy must lock an account and/or block connections from an IP address after 5 incorrect attempts within a 10 minute period. The requirements for a lockout policy may be defined further by the IT Security Officer.
  • The root account and the primary administrator account must not be available for direct login. Administrative privilege should only be obtained by elevating from a named user account (for example via sudo).
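The log-review condition under General Security (logs reviewed routinely, anomalies raised) and the lockout condition above (lock an account and/or block an IP after 5 incorrect attempts within 10 minutes) can be checked together by running the 5-in-10-minutes rule over the authentication log. The following is an added example for this page, not part of the guideline and not the Faculty's own tooling: it applies the rule as a sliding window over constructed sshd-style log lines, keyed both by source IP and by account name, and emits nft commands for the IPs that trip it. The log format with ISO timestamps, the addresses and user names, and the nftables set name sshguard_blocklist are all assumptions.

```python
"""Added example: sliding-window detection of repeated authentication failures,
matching the guideline's minimum lockout rule (5 failures within 10 minutes).
The log lines below are constructed sshd-style records, not real logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed attempts ...
WINDOW = timedelta(minutes=10)  # ... within this period (the guideline's minimum)

# Matches "Failed password for [invalid user ]<user> from <ip> port <n>"; assumes ISO timestamps.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a fast guesser from 203.0.113.7 and a slow one against "bob".
SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-04T09:01:10 host1 sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
2024-03-04T09:02:45 host1 sshd[4103]: Failed password for root from 203.0.113.7 port 51251 ssh2
2024-03-04T09:03:05 host1 sshd[4104]: Accepted publickey for alice from 10.20.30.40 port 50000 ssh2
2024-03-04T09:05:20 host1 sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
2024-03-04T09:08:59 host1 sshd[4106]: Failed password for invalid user admin from 203.0.113.7 port 51270 ssh2
2024-03-04T09:15:00 host1 sshd[4107]: Failed password for bob from 10.20.30.41 port 50100 ssh2
2024-03-04T09:30:00 host1 sshd[4108]: Failed password for bob from 10.20.30.41 port 50101 ssh2
2024-03-04T09:45:00 host1 sshd[4109]: Failed password for bob from 10.20.30.41 port 50102 ssh2
2024-03-04T10:00:00 host1 sshd[4110]: Failed password for bob from 10.20.30.41 port 50103 ssh2
2024-03-04T10:15:00 host1 sshd[4111]: Failed password for bob from 10.20.30.41 port 50104 ssh2
"""


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def find_offenders(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count over time-ordered (timestamp, key) pairs.
    Returns {key: time the threshold was first reached} for every key (an IP or
    an account) that accumulates >= threshold failures inside one window."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, key in events:
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in tripped:
            tripped[key] = ts
    return tripped


def review(log_text):
    """Apply the rule per source IP and per account; returns (by_ip, by_user)."""
    failures = list(parse_failures(log_text))
    by_ip = find_offenders((ts, ip) for ts, _, ip in failures)
    by_user = find_offenders((ts, user) for ts, user, _ in failures)
    return by_ip, by_user


def block_commands(by_ip, set_name="sshguard_blocklist"):
    """nft commands to add tripped IPs to a blocklist set (set name is assumed)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(by_ip)]


if __name__ == "__main__":
    by_ip, by_user = review(SAMPLE_LOG)
    for ip, when in by_ip.items():
        print(f"IP {ip} hit {THRESHOLD} failures by {when.isoformat()}")
    for user, when in by_user.items():
        print(f"account {user} hit {THRESHOLD} failures by {when.isoformat()}")
    for cmd in block_commands(by_ip):
        print(cmd)
```

Note what the second attacker shows: the guesses against bob from 10.20.30.41 are spaced 15 minutes apart, so no 10 minute window ever holds five of them and the lockout rule, applied on its own, never fires. That low-and-slow pattern is exactly what the routine (e.g. weekly) log review is for; a reviewer should also count failures per account and per source over the whole review period, not only over the lockout window.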

Internet access

  • Internet use (browsing and downloads) on machines whose subnet has internet access enabled may be authenticated by IP address rather than by user account. Any unauthenticated internet access, download charges, content or traffic will be the responsibility of the responsible user, not of the individual users of the machine.
  • Unauthenticated internet traffic/content will be charged to a nominated cost centre and fund for the responsible user.
  • The client firewall should restrict access to every open port as tightly as possible, to specific IP addresses or ranges only. Ports or services not used on the machine must be disabled. For example, SSH should only be reachable from within the Science client subnet range, and the standard operating system ports should likewise be locked down.

Physical access and location

  • The machine should ideally be located in a Science server room.  Strict physical access conditions apply to server rooms and data centres.   If a server room is not suitable, the location of the machine must be secure (under lock and key, and not be available to the general public) and be accessible to Faculty IT staff and University Security at all times.  Consideration should be given to environmental and power conditions.  
  • Machines with high availability or redundancy requirements may be required to be located in a data centre or be subject to further guidelines.

If any term in these conditions is not met at any point in time, the machine may be disconnected immediately by the Faculty IT group or University IT Security group.

If any conditions are not understood or are seen to be open to interpretation, please contact the Faculty IT Security Officer to discuss the conditions.

Hostnames and DNS

The primary host name for a machine as registered in the University network database systems will be set by Science IT based on a convention used across the faculty.    If a user requires a hostname such as “squeak.chem.monash.edu.au” as an easy to remember name, this will be added as a DNS alias. 

Machine local hostnames should reflect the primary name specified in the DNS system/network database where the machine is connected to a Faculty IT based remote access system or runs Windows as its operating system. 

Machines not linked to a Faculty IT remote access system that are running an alternate operating system (OSX/Linux) may choose either the primary name or alias name for their local configuration.

Other

Whilst this guideline is intended to be as comprehensive as possible there are additional policies and guidelines that may have been omitted in its creation.   If this occurs, please notify the Team Leader, Workstation Support or the Faculty Finance & Resources Manager as soon as possible so that this document can be updated.

Guideline Version 1.0