Google+
ITS and UVa logos for printed output

More Secure Network (MSN)

Considerations in Migrating Machines/Devices

Workstations

  • Not allowed on the More Secure Network:
    • Departmental public lab workstations
    • Workstations that interface with both the MSN and the standard University network, including wireless.
    • Workstations that are accessible when the owner is absent. (Machines on the MSN must be in a physically protected space.)
    • Privately-owned workstations (e.g., undergraduate and graduate student-owned workstations).
  • Require further consideration before migrating:
    • University-owned workstations that are used by graduate students.

      Very often graduate students are working with sensitive data that should only be available to devices on the MSN. In such a case, the graduate student must have a faculty sponsor and an Exception Form signed by both the student and the professor. Any such machine must be centrally managed, using login authentication, etc. If, however, the data is not sufficiently sensitive to require this level of protection, then other means of protecting the machine should be explored.

    • Communication between workstations when one of them is not on the MSN.

      If two workstations communicate with each other and one of them is moved to the MSN, then all communication must be initiated by the one that is on the MSN. It this isn't possible, then the workstation should not be moved.

Servers

  • Not allowed on the More Secure Network:
    • Servers that interface with both the MSN and the standard University network
    • Servers that are accessible when the administrator is absent. (Servers on the More Secure Network must be in physically protected space.)
  • Require further consideration before migrating:
    • A server that is accessed by students for course-related work/materials.

      Such servers should be secured by other means. Anyone not on the MSN must use a More Secure Network VPN to gain access; but MSN VPNs are only for faculty, staff, and students with a work-related need. Note: a system that holds sensitive information such as credit card numbers, social security numbers, birth dates, etc., should be located on a Level III network. Servers on Level III networks can be accessed from both on and off the More Secure Network.

    • Servers that must be freely accessible from outside the MSN

      Some faculty and staff maintain servers that host information used by people both within and without UVA. Once such a server is moved to the MSN, it will not be publicly accessible.

    • Departmental centrally managed push servers.

      If you provide centrally managed services and you are moving some of the clients that take advantage of these services to the MSN, then you will need to set up another server on the MSN to handle your secure clients. If you have a departmental Synamtec AntiVirus server, you may not need to set up another server. Using the departmental server, you can configure clients to run auto-update or go to the Symantec site.

    • Active Directories with Exchange Services

      Since inbound holes will not be made in the MSN, moving Exchange Services is not recommended. Doing so may cause replication and schema problems with Active Directory. Leaving the domain controllers on the public network and protecting them with a Windows IPSec policy provides a simple solution.

Printers

Remember that users on the regular University network can not send jobs to printers that are on the MSN.

  Page Updated: Tuesday 2017-10-10 16:11:26 EDT