TTUHSC IT Policies
1.4.11 NETWORK CONFIGURATION
The TTUHSC network architecture is based on industry best practices for perimeter protection. An external router receives all incoming traffic from the Internet and other external data sources. Incoming traffic is then routed through a firewall, which restricts unauthorized access to or from the internal network. The next security component is an Intrusion Prevention System (IPS) device that blocks viruses, malicious code, and other known exploits. The IPS is also used to block peer-to-peer traffic to reduce the risk of copyright violations. External and internal traffic are then routed through an internal router. Through the use of virtual local area networks (VLANs), routers, firewalls, and IPS devices, public Internet traffic and the Institution’s internal network traffic are separated by a neutral zone known as a Demilitarized Zone (DMZ).
Additional protection is provided internally to the Institutional server farm by a secondary IPS device. Threats from Institutional dial-up users connecting to the HSC network are mitigated through secure authentication and IPS protection. Institutional users accessing the network from remote locations via the Internet are required to use a Virtual Private Network (VPN) connection, which creates a secure encrypted tunnel between their computer and the Institutional network. Additional security within the internal network is provided by segmenting functionally similar areas into separate VLANs. Wireless users are required to authenticate and establish a secure tunnel before connecting to the Institutional network. Local users are required to authenticate to the network operating system (Active Directory) before logging on to their computer.
This policy describes the requirements and constraints for attaching a computer, system, network, or videoconferencing system to the TTUHSC network. The intent of this policy is to ensure that all connections to the TTUHSC network are maintained at appropriate levels of security and interoperability, while not impeding the ability of TTUHSC faculty, staff, and students to perform their work.
Responsibilities
The Chief Information Officer (CIO) is the central authority for all network issues. The CIO may appoint and/or delegate management of certain aspects of network administration as deemed necessary.
TTUHSC regional campuses operate and maintain physical local area networks (LAN), with strategic oversight and operational direction from the CIO or their designee. Each regional campus or location must designate a Regional Site Coordinator (RSC) to serve as the administrator of all LANs at that campus. The RSC is the contact person for all connectivity issues between the regional campus LANs and the TTUHSC wide area network (WAN).
The Managing Director of Network, Security, and Systems is the main point of contact with Facilities Planning and Construction and Physical Plant at all campuses for all new construction and major renovation projects involving computing systems. Minor renovations will be handled at the local level.
Wide Area Network Connectivity and Routing
All routers within the TTUHSC WAN will be selected, operated, and maintained by personnel designated by the CIO. Subnet IP routing on the TTUHSC WAN will be performed in accordance with delegated IP address space. Routing of private IP address space (as defined by the Internet Engineering Task Force Request For Comments document #1918 - Address Allocation For Private Internets) across the TTUHSC WAN must be approved by the CIO or their designee.
All internal TTUHSC computers are protected from outside network access by a firewall. All incoming network requests that are not explicitly known and defined are denied and are not passed through to the internal campus network. This section describes the procedures for granting special access through the firewall to employees and third parties/vendors in instances where certain services and/or applications are required to maintain workflow and provide services.
Standard
Approval for outside network access to TTUHSC computing resources will be based on the following criteria:
- The connection is required for TTUHSC business,
- The connection does not represent an unnecessary security risk to TTUHSC,
- The connection does not use an insecure protocol where a more secure alternative exists, and
- The connection does not involve unnecessary replication of functionality.
When the connection has been approved in principle, firewall access will be granted once the following have been completed:
- The machine is properly registered with Information Technology by filling out the Special Firewall Access Request Form at http://www.ttuhsc.edu/it/forms/firewallreq.aspx and sending it to the ITS.
- The target machine passes a vulnerability assessment performed by the ITS. This assessment consists of remotely scanning the target machine for common problems that could result in a security risk.
- The target machine has a reserved IP address.
Registration ensures that the target machine has an administrator known to Information Technology. The administrator will perform the necessary tasks to keep the system up to date and in a secure state, with the assistance from the Information Technology Security Group. Registration will be renewed once a year. Renewal notices will be sent via email by the ITS.
The ITS will perform routine security scans on machines registered for special access.
Procedures
The firewall access form should be submitted through the web to its@ttuhsc.edu. Depending on the request, it may take up to two business days for the request to be completed. If the request is considered urgent, and the two-day timeline is not sufficient, please state that the request is Urgent. Include in the email message the reasons why the request is time critical.
Request for changes to the firewall must come from the administrator of the target machine. Requests received from anyone else will be forwarded to the machine’s administrator for approval.
All requests will be sent to the Regional Site Coordinator (RSC) at the campus where the machine resides. Once the RSC has checked to make sure the machine has a reserved IP address, the request will be forwarded to the Information Technology Security Group for final approval by the Information Security Officer. Once approved, the Information Technology Security Group will make the necessary changes to the firewall. The RSC may require that network configuration of the destination computer be modified prior to approving access.
IP Address Allocation Standards And Procedure
IP Addressing
All address delegation to the regional campuses and any supported LANs will be coordinated between the CIO or their designee and the appropriate RSC. The RSC will be responsible for administration and registration of all IP addresses and sub-networks within the delegated address range(s), according to the standards and guidelines approved by the CIO. All hosts in the TTUHSC domain must obtain a valid IP address from the RSC. No host on the intranet should broadcast dynamic routing information except specially configured gateway or router devices.
To ensure efficient IP address utilization, TTUHSC will allocate their assigned IP addresses to reflect the requirements of each building location, wiring closet, or network service. This ensures compliance with the American Registry for Internet Numbers (ARIN) requirements for utilization of public IP address space.
For regional IP addressing strategy, RSCs should refer to the IP Address Allocation Strategy.
Reserved IP Address Standards
Reserved IP addresses are available to the following hosts:
- Server systems that provide file sharing, printer sharing, or other application services to multiple client systems
- Printers with a direct network attachment
- Hosts with a directly attached printer, where print jobs will be accepted from client systems on the network
- Hosts providing services or resources to clients outside the TTUHSC network. Refer to the Firewall Access Standards for details on requesting this type of access.
All other hosts will use dynamic addresses, allocated by Dynamic Host Configuration Protocol (DHCP) services at each regional campus. Reserved address requests for hosts that do not correspond with the above list must be approved by the appropriate Regional Site Coordinator.
Refer to the Server Hardening Section for additional requirements that must be met before a server can be assigned a reserved IP address.
Reserved IP Address Allocation Procedures
All reserved IP addresses must be properly authorized and recorded before they are issued. The following outlines the procedure for requesting and allocating reserved IP addresses:
- Complete the Reserved IP Address Request form and send it to the Regional Site Coordinator at the respective campus.
- Upon receipt, the network technician creates a work order, and verifies the attached information is complete.
- Using the TTUHSC IP Address Management application, the host is assigned to the correct VLAN and subnet. The next available address is selected, and the information provided by the requestor is entered into the system.
- The assigned IP address, hostname, and hardware address are entered into the DHCP server(s).
- If requested, Domain Name System (DNS) alias entries are added to the DNS configuration file so that the host's domain name resolves to its numeric IP address.
- The assigned IP address is sent to the requestor via email.
- The technician updates and closes the work order.
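The allocation steps above, carried through as a small Python example added here (not TTUHSC's IP Address Management application or any of its code): it checks the host against the reserved-address eligibility list, assigns the next free address from the requested VLAN's subnet, records it, and renders the DHCP reservation and DNS record the technician would load. The role codes, VLAN-to-subnet table, ISC dhcpd syntax, and the convention of keeping the first host address for the gateway are all assumptions.

```python
import ipaddress
import re
from typing import Dict, Set

# Host categories the policy lists as eligible for a reserved address (constructed codes).
ELIGIBLE_ROLES = {"server", "network-printer", "print-host", "external-service"}

# Constructed VLAN table: VLAN id -> subnet delegated to that building or wiring closet.
VLAN_SUBNETS: Dict[int, ipaddress.IPv4Network] = {
    110: ipaddress.ip_network("10.10.110.0/24"),
    120: ipaddress.ip_network("10.10.120.0/25"),
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def next_available(subnet: ipaddress.IPv4Network, in_use: Set[str]) -> str:
    """Return the first usable address not already recorded; the first host
    address is skipped because it is kept for the gateway (an assumption)."""
    hosts = subnet.hosts()
    next(hosts)
    for addr in hosts:
        if str(addr) not in in_use:
            return str(addr)
    raise RuntimeError(f"no free reserved addresses left in {subnet}")


def allocate_reserved(hostname: str, mac: str, role: str, vlan: int,
                      in_use: Set[str], rsc_approved: bool = False) -> dict:
    """Validate a reserved-address request, record the allocation, and render
    the ISC dhcpd host stanza and BIND-style A record for the technician."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("hardware address must look like aa:bb:cc:dd:ee:ff")
    if role not in ELIGIBLE_ROLES and not rsc_approved:
        raise PermissionError(f"role {role!r} needs Regional Site Coordinator approval")
    if vlan not in VLAN_SUBNETS:
        raise KeyError(f"VLAN {vlan} is not delegated to this campus")
    addr = next_available(VLAN_SUBNETS[vlan], in_use)
    in_use.add(addr)  # record before issuing so two requests cannot collide
    dhcp = (f"host {hostname} {{\n  hardware ethernet {mac};\n"
            f"  fixed-address {addr};\n}}")
    dns = f"{hostname}\tIN\tA\t{addr}"
    return {"ip": addr, "vlan": vlan, "dhcp": dhcp, "dns": dns}


if __name__ == "__main__":
    allocated: Set[str] = {"10.10.110.2"}  # constructed: one address already reserved
    print(allocate_reserved("fileserv01", "00:11:22:33:44:55", "server", 110, allocated)["dhcp"])
```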