Communications Equipment Security

1.0 Overview

Several steps must be taken to defend the network against intrusions.  The steps include network segmentation, port-based filtering and an internal firewall to further protect particularly sensitive servers.

2.0 Purpose

This policy is designed to provide specific guidelines that must be followed by OIT Network Engineers to ensure the integrity of the data network.

3.0 Scope

This policy impacts OIT staff members who are responsible for the design and implementation of the data network.

4.0 Policy

OIT Network Engineers must take a number of steps to ensure the security of the data network.

  1. Border Protection
    Access control lists shall be used to filter dangerous ports and to deny access to hosts that cause problems on Clarkson’s internal network.  The standards governing these access control lists are given in the Access Control Policy.
  2. Network Segmentation
    The intranet shall be segmented into virtual LANs (VLANs).  This division shall be performed in such a way as to place logical groups of users together on the same VLAN.  This has the effect of separating broadcast domains, which improves both security and performance.  Additionally, these VLANs shall be pruned from trunk links as appropriate, to minimize the risk of unauthorized access to restricted VLANs and to reduce the amount of broadcast traffic carried by trunk links.
  3. Intranet Protection
    A firewall shall be put into place to protect sensitive network segments from less-sensitive segments.  At a minimum, a firewall shall be put into place that will prevent direct communication between the PeopleSoft data networks and the rest of the campus network.  The only exception to this prevention of communication shall be protocols and hosts for which there is a demonstrated need (i.e., TCP 80 to a specific group of hosts).
  4. Physical Protection
    Physical access to all communications equipment shall be restricted, per the standards set forth in the Physical Security Policy.
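The Intranet Protection requirement above (default deny between the PeopleSoft networks and the rest of campus, with only demonstrated-need exceptions such as TCP 80 to specific hosts) can be checked mechanically against a firewall rule list.  The script below is an added example, not part of this policy or of any Clarkson tooling; the subnets, approved hosts, rules and flows are constructed placeholders, and it assumes the TCP 80 exception runs from campus clients to a fixed set of PeopleSoft web hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addressing: the policy names no subnets.
PEOPLESOFT_NET = ipaddress.ip_network("10.50.0.0/24")
# Assumed "specific group of hosts" reachable on TCP 80 from the rest of campus.
APPROVED_WEB_HOSTS = {ipaddress.ip_address("10.50.0.10"), ipaddress.ip_address("10.50.0.11")}

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

def rule_verdict(rules, src, dst, proto, dport):
    """First-match evaluation with an implicit deny at the end, as on a typical ACL."""
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

def policy_verdict(src, dst, proto, dport):
    """What section 4.3 requires: traffic crossing the PeopleSoft boundary is denied
    unless it is a demonstrated-need exception (here: TCP 80 to an approved host)."""
    crosses = (src in PEOPLESOFT_NET) != (dst in PEOPLESOFT_NET)
    if not crosses:
        return "permit"           # the policy is silent on traffic within one segment
    if proto == "tcp" and dport == 80 and dst in APPROVED_WEB_HOSTS:
        return "permit"
    return "deny"

def audit(rules, flows):
    """Return the flows the rule set permits although the policy requires a deny."""
    violations = []
    for src, dst, proto, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (rule_verdict(rules, s, d, proto, dport) == "permit"
                and policy_verdict(s, d, proto, dport) == "deny"):
            violations.append((src, dst, proto, dport))
    return violations

# Constructed rule set: the second rule is too broad and exposes the whole segment.
SAMPLE_RULES = [
    Rule("permit", "tcp", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.50.0.10/32"), 80),
    Rule("permit", "any", ipaddress.ip_network("10.20.0.0/16"), PEOPLESOFT_NET),
    Rule("deny", "any", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0")),
]
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.50.0.10", "tcp", 80),    # approved web access: compliant
    ("10.20.1.5", "10.50.0.20", "tcp", 1521),  # database port from campus: violation
    ("10.30.1.5", "10.50.0.20", "tcp", 22),    # caught by the catch-all deny: compliant
]
```

Running `audit(SAMPLE_RULES, SAMPLE_FLOWS)` reports only the 1521 flow, which points at the over-broad second rule.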

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including a formal written letter of corrective action.

6.0 Definitions

Communications Equipment – a specialized piece of electronic equipment designed to route or switch network traffic

7.0 Revision History

Draft Policy – 21 April 2005 – jfiske

Draft Policy – 09 January 2006 – jfiske

Draft Policy – 10 February 2006 – jfiske

Approved Policy v1.0 – 4 November 2013 – jfiske