Security :: Network Access Control


The best way to protect the network is to proactively prevent malware or hackers from gaining access. At HSU, this is tackled at two levels:

Perimeter Protection

By protecting the perimeter of the network, any and all connections between HSU's internal networks and the Internet can be configured and managed for optimum user value and efficiency while minimizing risk.

Password protection

A robust password policy goes a long way towards deterring data thieves. ITS enforces strong passwords, regular password expiration cycles, and limits the number of times anyone may attempt to log into an HSU system before access is blocked. We've provided some helpful hints and tips on creating strong passwords that you won't forget.

Port blocking

The routers that connect the campus to the outside world are configured to block the top 20 ports designated by the SysAdmin, Audit, Networking, and Security (SANS) Institute as the most open to exploitation. This can sometimes result in problems installing and using new applications; in such instances, the campus Information Security Officer (ISO) will undertake a risk analysis before permitting a port to be unblocked.

Routers connecting to the central servers are configured to block any port that ITS has not specifically authorized for incoming network traffic. Personally identifiable and other confidential information stored on other servers may be considered vulnerable under HSU's data protection obligations, so efforts should be made to move these servers into the secure central server group.

Blacklists

ITS uses third-party blacklists to block an extensive number of websites known to be used for the distribution of viruses, spam, phishing attacks, and other security threats. This can sometimes result in valid messages being blocked from campus networks (called “false positives”). Users who believe valid messages are being blocked by the campus filters should contact the Technology Help Desk at (707) 826-HELP (4357).

Spam and other email controls

Occasionally, a large number of emails will be sent to the HSU campus for a valid reason, such as the distribution of an approved survey, and the emails will be blocked as spam. Anyone working with an outside group that will be sending a large number of emails to humboldt.edu addresses should contact Telecommunications & Network Services (TNS) to ensure the emails can be delivered.

Certain file types are not permitted to be sent via email because they pose a known security risk. Instead, transfer these files using Network Folders.

Remote control software

Information transfer via remote control desktop programs such as Windows Remote Desktop Protocol (RDP) is tightly controlled. On Windows machines, RDP must be disabled for user accounts and should be enabled for administrator accounts only if a real need to use it exists. Any machine that is configured to allow RDP connections must have client-side firewall settings that only allow connections from a specific host, set of hosts, or VLAN, and must be protected with a strong password.

Additional information on using RDP securely may be found on the Windows Terminal Services website. Remote control desktop software other than RDP must provide security at least equivalent to that provided by RDP.
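The RDP posture described above, as an added PowerShell example that is not part of this page or of ITS's own tooling: RDP stays off unless the host has a justified need, non-administrator accounts lose RDP rights, and the built-in Windows Firewall "Remote Desktop" rules are scoped to an allow-list. The addresses in $AllowedRemoteHosts are hypothetical placeholders for the real management hosts or VLAN.

```powershell
#Requires -RunAsAdministrator
# Hypothetical allow-list: replace with the management host(s) or VLAN that may reach this machine.
$AllowedRemoteHosts = @('10.0.0.10', '10.0.5.0/24')
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Default posture is RDP off; set to $true only for an administrator-only host with a documented need.
$RdpNeeded = $false

if (-not $RdpNeeded) {
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and inbound Remote Desktop firewall rules turned off.'
    return
}

# "Disabled for user accounts": members of Remote Desktop Users get RDP without being administrators,
# so empty that group. Administrators keep RDP rights through their group membership.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Output "Removing $($_.Name) from Remote Desktop Users"
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name
    }

# Enable RDP, then restrict the built-in firewall rules to the allow-list only.
Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 0
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRemoteHosts

# Verify: no enabled Remote Desktop rule may still accept connections from 'Any' remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($scope -contains 'Any') { throw "Rule '$($_.DisplayName)' still allows any remote host" }
        Write-Output "$($_.DisplayName): allowed from $($scope -join ', ')"
    }
```

Run it from an elevated Windows PowerShell session on the machine being configured; the final loop fails loudly if any rule is still open to every remote address.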

Vulnerability management

Vulnerability management is an ongoing process to ensure that information assets are protected and should only be performed by authorized personnel. Scanning activities should be planned and authorized in advance in order to avoid negative performance impact. CSU policy forbids CSU campuses from performing vulnerability assessments or running penetration tests and port scans on systems or networks outside of their immediate purview. At HSU, this also applies to campus units other than TNS scanning the assets of the other campus units or assets of the campus as a whole without prior authorization; any unauthorized scanning will be treated as a hostile attack and the entire network closed down.

System Protection

Any device connected to an HSU network must meet the following security requirements:

  • Patched and updated operating system
  • Up-to-date antivirus from the approved list. HSU also has a campus-wide license for the free use of Sophos Antivirus on personal computers.
  • Windows is configured to notify you when new updates are ready to download and install
  • Windows firewall is enabled
  • No network address translation device present
  • No peer-to-peer software running
  • No proxy running
  • No administrator privileges unless justified by the nature of the user's work

Additional best practice recommendations for connecting securely:

  • No workstations, other than lab computers, should be left unattended and powered up when connected to the network. This is critical if the user is logged in with administrative privileges and/or connecting via myHumboldt.
  • Computers not in use should be turned off overnight. Besides conserving electricity, this limits the window of opportunity for hackers. However, if it is necessary to run nightly back-ups or periodic system updates, the computers must be left on. Less-frequent backups should be scheduled for a weeknight to minimize exposure. It also may not be practical to turn off lab computers at night if lab updates are being performed, although they should be set up with sleep mode to conserve electricity.
  • Unused software should be removed from computers. Users tend not to patch software they have not used in a long time, and may no longer be on the vendor's notification or update list when a vulnerability is discovered in it.
  • Systems Administrators should also consider the following when setting up systems:
    • Unprotected Windows network shares can be exploited by intruders and the machines recruited into botnets. Windows network shares can be protected by reviewing both share and file system permissions and setting appropriately complex passwords.
    • Because many instant-messaging clients allow for the exchange of executable code, they present risks similar to those of email clients. Users should be cautioned against exchanging files with unknown parties over instant messaging.

When practical, servers should be set up in a hardened (secure) systems configuration:

  • Install the minimum essential operating system configuration - only those packages containing files and directories needed to operate the computer.
  • After installation, remove all privileges and access authorizations. Then grant (add back in) privileges and access only as needed, following the principle of “deny first, then allow.” It is essential that all installations be performed first, because any installation performed after privileges are removed can undo such removal and result in a corrupted configuration.
  • Ensure “test” or “guest” accounts are removed promptly when their use is no longer required.
  • Enable as much system logging as possible to provide the detailed information needed for in-depth analysis of any intrusion.
  • Grant access only by appropriately-authorized users.

It is recognized that the “start hardened and relax to functional” approach may be impractical with Windows servers for some server roles. System administrators should check with ITS for the latest “best practices”.
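The account and logging steps of the hardened configuration above, as an added PowerShell example for a Windows server; it is not part of this page or of ITS's own tooling. The account names in $ApprovedAccounts and the temporary-account naming patterns are hypothetical; adjust them to the server's documented access list before use.

```powershell
#Requires -RunAsAdministrator
# Hypothetical allow-list: the only local accounts that should keep sign-in rights on this server.
$ApprovedAccounts = @('Administrator', 'svc_backup')
# Hypothetical name patterns for accounts created only for testing or guest use.
$TemporaryPatterns = @('^test', '^guest$', '^tmp')

# 1. Deny first: disable every enabled local account not on the approved list.
#    The account running this script is skipped so the administrator is not locked out mid-run.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.Name -notin $ApprovedAccounts -and $_.Name -ne $env:USERNAME } |
    ForEach-Object { Disable-LocalUser -Name $_.Name; Write-Output "Disabled $($_.Name)" }

# 2. Remove test/guest accounts whose use is over. The built-in Guest account cannot be deleted,
#    so it is left disabled by step 1 instead.
Get-LocalUser |
    Where-Object { $n = $_.Name; $n -ne 'Guest' -and ($TemporaryPatterns | Where-Object { $n -match $_ }) } |
    ForEach-Object { Remove-LocalUser -Name $_.Name; Write-Output "Removed $($_.Name)" }

# 3. Logging: success and failure auditing for the categories an intrusion analysis relies on,
#    plus a Security log large enough that entries survive until they are collected (512 MB).
foreach ($category in 'Logon/Logoff', 'Account Logon', 'Account Management', 'Privilege Use', 'Policy Change') {
    auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
}
wevtutil sl Security /ms:536870912

# 4. Then allow: report any Administrators member outside the approved list for review
#    rather than silently accepting whatever the installation left behind.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAccounts } |
    ForEach-Object { Write-Warning "Unapproved administrator: $($_.Name) ($($_.ObjectClass))" }
```

Step 1 touches only local accounts, so domain accounts are unaffected; review the warnings from step 4 with whoever owns the server before removing anyone.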

If you have questions, the campus Information Security Officer can be reached at (707) 826-3815 or security@humboldt.edu.
