Several steps must be taken to defend the network against intrusions. The steps include network segmentation, port-based filtering and an internal firewall to further protect particularly sensitive servers.
This policy is designed to provide specific guidelines that must be followed by OIT Network Engineers to ensure the integrity of the data network.
This policy impacts OIT staff members who are responsible for the design and implementation of the data network.
OIT Network Engineers must take a number of steps to ensure the security of the data network.
- Border Protection
A campus firewall shall be used to filter ports associated with services that are not intended to be exposed and to deny access from external hosts that attack or abuse Clarkson’s internal network. Only those servers or services sanctioned by the University shall be publicly accessible. All other services shall be reachable from outside the campus network only through the VPN.
- Network Segmentation
The intranet shall be segmented into virtual LANs (VLANs). This division shall be performed in such a way as to group users with similar roles and access needs together on the same VLAN. This has the effect of separating broadcast domains, which improves both security and performance. Additionally, these VLANs shall be pruned from trunk links as appropriate, so that each trunk carries only the VLANs that the switches on either end actually need; this minimizes the risk of unauthorized access to restricted VLANs from switches that should not see them and reduces the amount of broadcast traffic carried by trunk links.
- Intranet Protection
A firewall shall be put into place to protect sensitive network segments from less-sensitive segments. At a minimum, a firewall shall be put into place that will prevent direct communication between the PeopleSoft data networks and the rest of the campus network. The only exceptions to this prevention of communication shall be specific protocols and hosts for which there is a demonstrated need (e.g., TCP 80 to a specific group of hosts). Each exception shall be written as narrowly as possible, naming the source segment, the destination hosts and the protocol and port, with all other traffic between the segments denied by default.
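As an added illustration, not part of the Clarkson policy or any OIT configuration, the following nftables ruleset shows what the intranet firewall described above looks like when written as a default-deny forwarding policy with a single narrow exception. The addresses, the direction of the exception (campus hosts reaching specific PeopleSoft web hosts on TCP 80) and the log prefixes are all assumptions chosen for the example.

```nftables
# Added example, not from the policy. All addresses and names are assumptions.
define campus_net = 10.0.0.0/16                    # assumed: the rest of the campus network
define psoft_net  = 10.50.0.0/24                   # assumed: the PeopleSoft data network
define psoft_web  = { 10.50.0.10, 10.50.0.11 }     # assumed: hosts with a demonstrated need for TCP 80

table inet intranet {
    chain forward {
        # Default deny: nothing crosses between segments unless a rule below accepts it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were permitted by the exception below.
        ct state established,related accept

        # Packets that belong to no known connection are dropped outright.
        ct state invalid drop

        # The only sanctioned exception: campus -> named PeopleSoft web hosts, TCP 80, new connections only.
        ip saddr $campus_net ip daddr $psoft_web tcp dport 80 ct state new accept

        # Everything else between the two segments is counted and logged, then falls through to policy drop.
        ip saddr $campus_net ip daddr $psoft_net counter log prefix "psoft-in-deny: "
        ip saddr $psoft_net ip daddr $campus_net counter log prefix "psoft-out-deny: "
    }
}
```

Load it with `nft -f <file>` on the host that routes between the two segments. Two points are worth checking on any real deployment: the exception accepts only `ct state new` in one direction, so a PeopleSoft host cannot open connections toward the campus network unless a second, equally specific rule is added; and the logged denials give the engineer a record of which hosts and ports are being blocked, which is the evidence needed before any further exception is granted on the basis of a demonstrated need.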
- Physical Protection
Physical access to all communications equipment shall be restricted, per the standards set forth in the Physical Security Policy.