7.1.2 Network Perimeter Security Controls

A. Purpose

To describe how the University protects against unauthorized use or access of the IT internal network.

B. Persons Affected

This policy applies to all employees, students, contractors, visitors and consultants at the University of Texas at Tyler (the "University") who access University information resources and networks via VPN, to all data communication systems owned by and/or administered by the University Information Technology network team, and to computing devices communicating between the public and private network, or any traffic crossing the University network perimeter.

C. Definitions

DMZ - Demilitarized Zone, a special network zone for public servers. The DMZ is both a logical and a physical location.

Firewall - Security device used to block unsafe network traffic.

Network - Computers and associated devices connected to the University's central communications line.

Perimeter - Boundary delineating the private internal network and the public Internet.

Public Server - Approved server that provides services to the general public. Examples include web servers, domain name servers, and FTP servers.

Server - Computer that provides services to multiple users or other computers.

VPN - Virtual Private Network, an encrypted, authenticated, trusted connection from an external site to the network.

Gateway Router - A network device that connects the network to one or more ISPs and is logically located before the firewall.

ISO - Information Security Officer

D. Policy

The University develops and maintains appropriate mechanisms to protect the confidentiality, integrity and availability of its computerized data and information resources. Many threats against network systems and applications originate from external sources. To control traffic from the public Internet, the University maintains a variety of devices and technologies at all entry points where users and business partners can access the private network. These devices (firewall, gateway router, VPN, and related technologies) together form the perimeter of the network.

Firewall

The firewall will be configured using industry "best practices", including but not limited to the following:

  • The University will use a robust "Firewall System" interposed between the Internet and the University's internal network.  All Internet traffic from inside to outside, and vice-versa, must pass through the firewall. 
  • Access from the Internet to the University's public information systems must not make sensitive information or information systems vulnerable to compromise. 
  • Any systems requiring users to log in to an internal application, or providing confidential information to the public via the Internet, must have that communication encrypted. Any server providing such a service must do so only via the secure sockets layer (SSL) protocol.
  • Only network sessions using strong authentication and encryption will be permitted to pass from the Internet to inside through the firewall. 
  • The firewall will be configured to implicitly deny all traffic not expressly permitted. 
  • The firewall will not accept traffic on its external interfaces that appears to be coming from internal network addresses (i.e., spoofing).
  • The firewall will be configured to implement transparency for all outbound traffic and therefore will be configured to implicitly allow such traffic. 
  • The network security access control list (ACL) on the firewall must be reviewed on a regular basis to remove statements that are no longer valid. 
  • Only the firewall administrator(s) will have privileges for updating system executables or other system software. Any modification of the firewall component software must be done by firewall administrator(s) using appropriate change control procedures. 
  • The address space of the University's internal network must not be exposed to the outside.  All devices must have their address translated to a public address by the firewall before communication to the Internet can occur. 

DMZ – UT Tyler North Campus – Health Science Center

  • University servers providing inbound public access, such as but not limited to Internet servers, will be implemented via use of a DMZ.  All servers providing some form of inbound access to the public shall be placed within the confines of the DMZ. 
  • Access to servers in the DMZ shall be explicitly permitted and limited to only the service and network port that needs to be opened.  All other services to those servers shall be implicitly denied. 
  • To provide for a more secure environment, there shall not be addresses from multiple networks in a DMZ.

Note: UT Tyler South Campus (University Blvd) – Network infrastructure redesign is in planning stages and will add DMZ architecture.

Virtual Private Networks (VPN)

All connections between internal University systems over the Internet to other private networks shall use encrypted Virtual Private Networks to ensure the privacy and integrity of the data passing over the public network. The VPN can be established either through agreed-upon VPN devices or through VPN client software running on a computer. When access to internal University networks is required over VPN from outside the University, two-factor authentication will be required for verification purposes.

  • All VPN connections must be approved by the University IT Department.
  • A complete list of all current VPN connections is available to the ISO upon request.   

Enforcement

Violation of this policy may result in disciplinary action that may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University Information Resources access privileges and to civil and criminal prosecution.

E. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.

APPROVED:  09/2021
AMENDED:  05/2023