Meeting Minutes
More Secure Network Rules Subcommittee
May 16, 2003
The recommendations for access to the More Secure network are:
1) Antivirus software
a) Issues
i) Required?
ii) Managed or not?
iii) Required full scan intervals?
iv) AV system is fully enabled?
v) Mandated antivirus solution (e.g. Norton vs. something else)?
b) Decisions
i) Yes, require something
ii) Push management not required but encouraged. Checking for automatic antivirus signature updates is required at least once a day - installing Norton can meet this requirement with the proper configuration.
iii) Rules
(1) Required full scan weekly, daily recommended
(2) Machines must have a full scan before being moved to the More Secure network
iv) Real-time virus scanning must be enabled – details are a departmental decision
v) Any brand is OK – departmental decision
2) Computer naming
a) Issues
i) Should there be a required naming convention for computer names (NETBIOS, etc)?
b) Decisions
i) Recommend that computer names help to identify the location or owner of the machine
3) Operating system patches
a) Issues
i) Patch level for Microsoft systems?
ii) Routine use of Windows Update?
iii) Apple Macintosh
iv) Unix/Other
b) Decisions
i) Recommend that Microsoft systems be maintained at the most recent service pack.
ii) Departmental decision on routine Windows Update use – security fixes should be installed.
iii) Same as ii; “Software Update” is the name of the Apple service
iv) In general, departments should keep security patches up to date
v) System administrators should follow best practices for configuring their operating systems.
Provide link?
4) Protocols
a) Issues
i) Appletalk
ii) IPX
b) Decisions
i) Remember: IPX and Appletalk do not work through the firewall between the More Secure and standard university networks.
ii) Goal: ITC does not want to route Appletalk or IPX between buildings on the More Secure network. If required they can be supported.
5) Mandatory scanning
a) Issues
i) Required ITC ISS scans of More Secure network subnets?
ii) Is an HFNetChk scan required on some routine basis?
b) Decisions
i) “As a LSP with users on the More Secure network you will receive ISS scan reports on some yet-to-be-decided periodic rate”.
ii) Recommended, but really a departmental decision
6) Grace period for detected compromised machines
a) Issues
i) Should ITC immediately block compromised machines from network access instead of trying to get the user to fix it for a while first? Note: ITC does immediately remove machines that are causing problems for the network infrastructure as a whole. Choices:
(1) Completely remove the machine?
(2) Block its access to the Internet?
b) Decisions
i) Have ITC continue its existing practice. No difference between the More Secure and standard networks.
7) Anything extra for Macintosh computers?
a) Issues
b) Decision: nothing beyond the existing rules
8) Anything extra for Unix machines?
a) Issues
b) Decision: nothing beyond the existing rules
9) Student lab machines
a) Issues
i) Can a department place their lab machines on the More Secure network?
ii) Can a department place their open network plug-in jacks on the More Secure network?
iii) Can a department place grad student office machines on the More Secure network?
(1) Student-owned machines
(2) University-owned machines
iv) Can a department’s university-owned computer system for a student employee be on the More Secure network?
b) Decisions
i) No
ii) No
iii) Answers
(1) No
(2) Yes, if locked down and centrally managed with user login authentication
iv) Yes
10) VPN Access to the More Secure network
a) Issues
i) Should students be able to VPN into the More Secure network?
ii) What about private home machines, telecommuting, etc.?
b) Decisions
i) Yes, but only with a faculty sponsor and signed paperwork from both the student and the professor
ii) Yes, if the user agrees to follow these rules and agrees that they understand general security awareness principles
11) Wireless – will discuss later – no action taken – pending some ITC rollout decisions on technology
a) Issues
b) Decisions
12) Are the rules different for new machines vs. existing machines that are moved to the More Secure network?
a) Issues
i) Should we choose to be more stringent on requirements for new machines as opposed to existing systems being migrated to the More Secure network?
b) Decisions
i) No
13) User awareness of the Rules for Participation?
a) Issues
i) Should a department be required to establish a process to notify users of their responsibilities for being on the More Secure network?
b) Decisions
i) Yes. The documentation committee will produce a document that departments can use to meet this requirement.
1) The rules committee will meet on some regular basis to update the Rules for Participation in the More Secure network as needed.
2) No computer systems are allowed to have interfaces on both the More Secure and the standard university network.
3) A requirement that all computers on both the More Secure and standard university networks be registered will be put into place sometime in the 2003-04 academic year.