University of Connecticut

University Information Technolgy Services

ITPolicies

LAN Security Guidelines

These guidelines apply to Local Area Networks (LANs) used and supported at the University of Connecticut. These networks are typically used by administrative and academic departments as well as research groups. The expected audience for these guidelines is the set of administrators and experienced users that typically create and/or support these networks.

• Access Control - Access controls are defined for, and assigned to, specific data files, utilities, resources and other system privileges. Users should only be given access to those files and resources they need to perform their job.
• Audit Considerations - Logging facilities should be turned on and audit logs should be reviewed regularly. Implement technical and administrative means of recording the user id involved in network and system activities so that unauthorized activities can be tracked.
• Backup and Recovery - Backup and recovery requirements should be identified and implemented. Backup of server files should be automated and should happen on a nightly basis. Several generations of backup files should be maintained and backup media should be stored in a safe environment, preferably off site. Unless individual workstation hard drives are also being backed up on a regular basis, users should be required to store important files on the server.
• Data Confidentiality - Insure that whatever controls are implemented to protect confidential or sensitive data stored and/or processed on the LAN are also implemented for removable media, such as backup tapes and diskettes. In addition, it is important to insure that all sensitive data is removed from hard drives before disposing of equipment. Keep in mind that even when files containing confidential or sensitive data have been deleted from the hard drive, they may still exist on backup copies.
• Reset default passwords on hardware and software components after installation.
• Keep the device's operating system(s) and applications software up to date - Keep current with security patches, evaluate and expeditiously apply as appropriate; keep the operating system at a level supported by the vendor.
• Dial Up Services - System administrators need to be aware of any dialup software installed on workstations attached to the LAN. Do not allow dialup access to the LAN without approval and without implementing minimum security standards such as callback, keyboard and host screen disable, "host reboot upon disconnect" option, review of logs, etc.
• Redundancy - Depending upon the criticality of the services provided by the LAN and the risk to failure, consider implementing hardware redundancy for key components of your LAN. Some techniques to consider are disk mirroring, disk duplexing, drive arrays and hot backup.
  • Disk Mirroring - Disk Mirroring is the duplication of data from one hard disk to another hard disk. The disks share common disk controller circuitry, access to either disk is at risk should the controller itself fail.
  • Disk Duplexing - Disk Duplexing is similar to disk mirroring except that each drive has its own controller circuitry.
  • Drive Arrays - Some disk array systems enable the administrator to replace a failed drive while the server is still running.
  • Hot Backup - In this technique, two file servers operate in tandem. Data is duplicated on the hard disks of the two servers. In effect, this is like disk mirroring but across two servers instead of one server.
• Physical Security - Physical access to the LAN server and related components (including media) should be limited to authorized personnel.
• Administration - A system and/or security administrator should be assigned to each LAN. The administrator should be provided with adequate training and be aware of his/her responsibilities vis-à-vis administration of the LAN as well as the security and integrity of the data and information stored and processed on the LAN. Administrators should only operate as root to perform system administration functions that require root privileges. For all other operations, they should use their normal user account. Routinely operating as root can result in damage to the system as root overrides many safeguards in the system.
• Documentation - Adequately document the security mechanisms used by each LAN component. Identify the functions and privileges that should be controlled and auditable events. Monitor activity to ensure compliance and accountability with security policies.
• Configuration Management – Use a configuration management process to track changes made to network components and software.
• Guest Accounts - Guest Account is an account set up to provide individuals with temporary and restricted access to the LAN, If at all possible, it is best not to use the GUEST account on your LAN. If someone requires temporary access, then a temporary account should be set up.
• Virus Protection - Use up to date anti-virus software for both the server and each workstation attached to the server. The feature to allow the anti-virus software to run continuously on each device should be turned on, so that it can constantly protect from attack. Also, an automated schedule for updating the anti-virus software should be established to keep it "aware" of new virus types. University ITS provides information on downloading and installing Norton Anti Virus software.
• Close unused network ports to prevent unauthorized use and block IP addresses for network sites/nodes that are known to abuse security policies.

Updated: 06.17.2004:ldl