Meeting Minutes
More Secure Network Rules Subcommittee
April 4, 2003

 

 

The group went through the collection of ideas raised at past meetings and discussions on the Rules for Participation in the More Secure Network.  A few new issues were uncovered and discussed.  Some ITC requirements were also discussed.

 

Collection of ideas discussed

1)      Antivirus software

a)      Issues

i)        Required?

ii)       Managed or not?

iii)     Required full scan intervals?

iv)     AV system is fully enabled?

v)      Mandated antivirus solution (e.g. Norton vs. something else)?

b)      Decisions

i)        Yes, require something

ii)       Push management not required but encouraged.  Checking for automatic antivirus signature updates is required at least once a day - installing Norton can meet this requirement with the proper configuration.

iii)     Rules

(1)   Required full scan weekly, daily recommended

(2)   Machines must have a full scan before being moved to the More Secure network

iv)     Realtime virus scanning must be enabled – details are a departmental decision

v)      Any brand is OK – departmental decision

2)      NETBIOS computer naming

a)      Issues

i)        Should there be a required naming convention for NETBIOS names?

b)      Decisions

i)        Recommend that NETBIOS names help to identify the location of the machine

3)      Operating system patches

a)      Issues

i)        Patch level for Microsoft systems?

ii)       Routine use of Windows Update?

iii)     Apple Macintosh

iv)     Unix/Other

b)      Decisions

i)        Recommend that Microsoft systems be maintained at the most recent service pack.

ii)       Departmental decision on routine Windows Update use – important security fixes should be installed.

iii)     Same as ii; “Software Update” is the name of the Apple service

iv)     Keep security patches up to date

4)      Protocols

a)      Issues

i)        Appletalk

ii)       IPX

b)      Decisions

i)        Remember: IPX and Appletalk do not work through the firewall between the More Secure and standard university networks.

ii)       Goal: ITC does not want to route Appletalk or IPX between buildings on the More Secure network.  If required they can be supported.

5)      Mandatory scanning

a)      Issues

i)        Required ITC ISS scans of More Secure network subnets?

ii)       Is an Hfnetcheck scan required on some routine basis?

b)      Decisions

i)        “As a LSP with users on the More Secure network you will receive ISS scan reports on some yet-to-be-decided periodic rate”.

ii)       Recommended but really a departmental decision

6)      Grace period for detected compromised machines

a)      Issues

i)        Should ITC immediately block compromised machines from network access instead of trying to get the user to fix it for a while first?  Note: ITC does immediately remove machines that are causing problems for the network infrastructure as a whole.  Choices:

(1)   Completely remove the machine?

(2)   Block its access to the Internet?

b)      Decisions

i)        Have ITC continue its existing practice.  No difference between the More Secure and standard networks.

7)      Anything special for Macintosh computers?

a)      Issues

b)      Decisions

8)      Anything special for Unix machines?

a)      Issues

b)      Decisions

9)      Student lab machines

a)      Issues

i)        Can a department place their lab machines or network plug-in jacks on the More Secure network?

ii)       Can a department place grad student office machines on the More Secure network?

(1)   Student-owned machines

(2)   University-owned machines

iii)     Can a department’s university-owned computer system for a student employee be on the More Secure network?

b)      Decisions

i)        No

ii)       Answers

(1)   No – but more discussion with the rest of the committee is desired

(2)   Yes, if locked down and centrally managed – but more discussion with the rest of the committee is desired

iii)     Yes

10)  Wireless – will discuss later – no action taken

a)      Issues

b)      Decisions

11)  Are the rules different for new machines vs. existing machines that are moved to the More Secure network?

a)      Issues

i)        Should we choose to be more stringent on requirements for new machines as opposed to existing systems being migrated to the More Secure network?

b)      Decisions

i)        No action taken

12)  User awareness of the Rules for Participation?

a)      Issues

i)        Should a department be required to establish a process to notify users of their responsibilities for being on the More Secure network?

b)      Decisions

 

ITC Requirements for Participation in the More Secure Network

1)      The rules committee will meet on some regular basis to update the Rules for Participation in the More Secure network as needed.

2)      No computer systems are allowed to have interfaces on both the More Secure and the standard university network.

3)      A requirement that all computers on both the More Secure and standard university networks be registered will be put into place sometime in the 2003-04 academic year.

© 2008 by the Rector and Visitors of the University of Virginia.
