(1) All
(2) The
(3) Securing the network infrastructure is a crucial element in providing a reliable operational environment for the
(4) The intent of this manual is to establish the minimum standard network security controls to protect
(5) In recognition of the University’s rapidly evolving lifecycle, network security controls must adjust to accommodate new functionality and services. Consequently, network security controls should provide a framework of controls which allows the University to access new and innovative services in a secure and controlled manner.
(6) The minimum standards defined in this manual apply to all members of the
(7) Where relevant, parts of this manual will apply to any party who has a system outside of the
(8) The following security configurations are to be followed and implemented across the
(9) These standards are also applicable to in-scope systems and devices managed by individuals and teams outside of
(10) Exceptions will need to be authorised at an Associate Director level, or assessed by the IT Services Architectural Governance Board (AGB).
(11)
(12) Network documentation must be developed that includes:
(13) Network documentation must be updated as network configuration changes are made, and include a ‘current as at [date]’ or equivalent statement.
(14) Network documentation provided to a third party, or published in public tender documentation, should only contain details necessary for other parties to undertake contractual services.
(15) Any access to internal non-public facing
(16) Where systems allow, before a user gains access to
(17) The
(18) The
(19) The
(20) The
(21) The recommendations of the Internet Engineering Task Force (IETF) Best Current Practices (BCP) 38 should be implemented to help protect the
(22) Firewall rules must specify the permitted service, service port number/protocol, source and destination address relevant to the business, security or management need of the traffic flow.
(23) All access through the
(24) For any change to be enabled in the
(25) Access to the
(26) Remote access to the
(27) Remote access shall only be provided through a University-managed secure tunnel such as a Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec) Virtual Private Network (VPN).
(28) Remote access must be controlled with encryption and strong passwords. For further information on acceptable password parameters see the Password Requirements section of the
(29) The VPN shall be configured in such a way that the users would not be able to access any other network simultaneously while connected to
(30)
(31) All remote access to administrative interfaces must be blocked unless access is established via the
(32) All systems providing VPN termination must be configured with an idle time-out. The time-out shall be configured to end all sessions after an idle period of 30 minutes.
(33) Wireless access points shall be enabled with minimum IEEE 802.11i settings (WPA2-Enterprise with EAP-TLS) to implement strong encryption for authentication and transmission. The use of WEP as a security standard to access
(34) All wireless access points should be Wi-Fi Alliance certified.
(35) Wireless networks provided for the general public to access, e.g. guest and conference users, must be segregated from all other networks.
(36) The administrative interface on wireless access points should be disabled for wireless network connections.
(37) The Pairwise Master Key (PMK) caching period should not be set to greater than 1440 minutes (24 hours).
(38) Networks must be divided into multiple functional network zones according to the sensitivity and criticality of information and services.
(39) Database servers and web servers should be functionally separated, physically or virtually.
(40) A network Intrusion Prevention System (IPS) must be implemented between trusted and untrusted networks to monitor and protect critical data centre networks, networks hosting critical research systems, and internet-hosted applications against attack.
(41) Management traffic should be separated from user traffic.
(42) VLANs shall be set up to restrict network traffic between the production environment and the non-production environment inside the Data Centre infrastructure.
(43) Network devices implementing VLANs must be managed from the most trusted network.
(44) Security containers / network segmentation shall be created to host all internet-facing applications and services in a network segregated from the internal network.
(45) Internet Protocol version 6 (IPv6) functionality can introduce additional security risks to the
(46) To aid in the transition from Internet Protocol version 4 (IPv4) to IPv6, numerous tunnelling protocols have been developed that are designed to allow interoperability between the protocols. IPv6 tunnelling protocols must be disabled on network devices and ICT resources that do not explicitly require such functionality, to prevent the bypassing of traditional network defences by encapsulating IPv6 data inside IPv4 packets.
(47) Stateless Address Autoconfiguration (SLAAC) is a method of stateless Internet Protocol (IP) address configuration available in IPv6 networks. SLAAC reduces the ability of the
(48) Unless explicitly required, IPv6 tunnelling must be disabled on all network devices and ICT equipment.
(49) IPv6 tunnelling must be blocked by network security devices at externally connected network boundaries.
(50) User-authenticated BYOD systems and devices connecting to the
(51) All network device passwords should be created and managed in accordance with the Privileged Account Password Requirements section of the Information Security Access Control Manual.
(52) Before installing a device on the network, the default account settings and configurations must be changed and devices must be hardened. Hardening must include:
(53) Patches and updates must be applied to network devices as per the Information Security Patch Management Manual.
(54) Plain-text protocols should not be used in network management.
(55) Network device management interfaces should be on a separate management network.
(56) All management interfaces must be secured by credentials that meet the requirements of the Privileged Account Password Requirements section of the Information Security Access Control Manual.
(57) Network management services should be configured with SNMPv3 with encryption enabled (or another option that does not use plaintext community strings). The use of SNMPv2 should be avoided as far as possible.
(58) All default SNMP community strings on network devices must be changed and must have write access disabled.
(59) The following protocols are prohibited for use:
(60) The following protocols should not be used, and will become prohibited for use from 1 March 2020:
(61) The configuration of all network equipment should be backed up regularly, and immediately following any configuration change.
(62) The configurations should be subject to managed revision control.
(63) Logs generated from the security devices should be stored and backed up. Refer to the Information Security Operations Management Manual for log retention guidelines.
(64) Where technically feasible, all communication devices and systems shall be enabled with encryption solutions and must comply with applicable
(65) The NTP source must be accurate and reliable for use by cryptographic services.
(66) The NTP service must be based on at least NTP version 4 and synchronised to a ‘known-good/reputable’ external time reference source (e.g. stratum 1, 2 or 3).
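Clauses (32), (48), (54), (57), (58) and (66) are all checkable from a device's configuration export, which is how the annual assessment in clause (72) is normally carried out. The checker below is an added example and is not part of the manual or the University's own tooling. The configuration it reads is a constructed, IOS-style sample, and the line patterns it matches (snmp-server community, transport input, tunnel mode, ntp server ... version, webvpn context, idle-timeout) are assumptions about that syntax that must be adapted to the export format of the devices actually in use.

```python
"""Configuration-export check against the manual's Remote Access, IPv6,
Network Management and NTP clauses.

Added example, not part of the manual. SAMPLE_CONFIG is a constructed,
IOS-style export; the line patterns matched below are assumptions about
that syntax and will need adapting to real device exports."""
import re

# Constructed sample export of a router that fails several clauses.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server group netops v3 priv
ip http server
no ip http secure-server
ntp server 192.0.2.10 version 3
interface Tunnel0
 tunnel mode ipv6ip
 tunnel source GigabitEthernet0/0
!
webvpn context ssl-vpn
 idle-timeout 3600
line vty 0 4
 transport input telnet ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # common vendor defaults, clause (58)
MAX_VPN_IDLE_SECONDS = 30 * 60                # clause (32): 30-minute idle time-out
MIN_NTP_VERSION = 4                           # clause (66): NTP version 4 or later


def check_config(text):
    """Return (clause, finding) tuples for every violation found in the export."""
    findings = []
    vpn_seen = timeout_seen = False
    for raw in text.splitlines():
        line = raw.strip()

        # (57)/(58): v1/v2c community strings travel in plaintext; a default
        # string and write access are each reported as a separate finding.
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line)
        if m:
            community, mode = m.groups()
            findings.append(("57", f"SNMPv1/v2c community '{community}' in use; migrate to SNMPv3 with priv"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("58", f"default SNMP community '{community}' still present"))
            if mode == "RW":
                findings.append(("58", f"SNMP community '{community}' has write access"))

        # (54): plain-text management protocols.
        if line == "ip http server":
            findings.append(("54", "HTTP management interface enabled"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("54", "telnet accepted on VTY lines"))

        # (48): IPv6 tunnelling disabled unless explicitly required.
        if line.startswith("tunnel mode") and "ipv6" in line:
            findings.append(("48", f"IPv6 tunnel configured: '{line}'"))

        # (66): NTP version 4 or later.
        m = re.match(r"ntp server \S+.*\bversion (\d+)", line)
        if m and int(m.group(1)) < MIN_NTP_VERSION:
            findings.append(("66", f"NTP version {m.group(1)} is below version {MIN_NTP_VERSION}"))

        # (32): VPN termination must have an idle time-out of 30 minutes.
        if line.startswith("webvpn context"):
            vpn_seen = True
        m = re.match(r"idle-timeout (\d+)", line)
        if m:
            timeout_seen = True
            if int(m.group(1)) > MAX_VPN_IDLE_SECONDS:
                findings.append(("32", f"VPN idle-timeout {m.group(1)}s exceeds {MAX_VPN_IDLE_SECONDS}s"))

    if vpn_seen and not timeout_seen:
        findings.append(("32", "VPN termination configured without an idle time-out"))
    return findings


def clauses_violated(text):
    """Sorted, de-duplicated clause numbers breached by the export."""
    return sorted({clause for clause, _ in check_config(text)})


if __name__ == "__main__":
    for clause, finding in check_config(SAMPLE_CONFIG):
        print(f"clause ({clause}): {finding}")
```

Run against the constructed export the checker reports ten findings across six clauses. Note that the NTP check only confirms the configured protocol version; whether the upstream source is a reputable stratum 1 to 3 server, as clause (66) also requires, has to be verified against the documented time-source list rather than the device configuration.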
(67) As incident response relies on accurate timestamps from devices, loss of the NTP service must be progressed via the incident management process.
(68) Internal NTP services must:
(69) Any changes required to the Firewall must be made according to the change request process, by completing a Change Request form (see associated information). Refer to the Information Security Operations Management Manual for the change management process and guidelines.
(70) Requested firewall changes must be assessed and approved by a senior member of the IT Capability Line responsible for firewall administration. This assessment will evaluate such areas as the potential impact upon other network devices and network services.
(71) The change application must then be referred to the Information Security Team for review and endorsement before implementation.
(72) The Information Security Team will perform an annual assessment of network devices to check compliance with these standards.
(73) Security Information and Event Management (SIEM) solutions shall be implemented to perform log correlation and to periodically review and monitor for anomalous events.
(74) Firewalls protecting enterprise systems must be reviewed annually, and the documentation supporting the firewall rule sets is to be retained.
(75) Exceptions to the standards defined in this manual may be requested in writing to the Chief Information Officer (CIO). Exceptions will be assessed based on the business impact, the security
(76) All users performing roles of system or application administrators managing
(77) The
(78) All other
(79) The Information Security Team is responsible for routinely performing compliance checks with these standards.
Information Security Network Security Manual
Section 1 - Audience
Section 2 - Purpose
Section 3 - Scope
Section 4 - Network Security Requirements
Core Principles
Documentation
Authentication
Firewall
Remote Access
Wireless Access
Network Design & Segregation
Using Internet Protocol version 6 (IPv6)
BYOD Network Segmentation
Network Management
Cryptography
Network Time Protocol (NTP)
Change Management
Review and Monitoring
Exceptions
Enforcement
Roles and Responsibilities
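Clause (22) in the Firewall section sets what every rule must record (service, port/protocol, source and destination tied to a stated need), clause (69) ties each change to a Change Request, and clause (74) in Review and Monitoring requires an annual review of enterprise firewall rules against the retained documentation. The script below is an added example, not the manual's or the University's own tooling: it reviews a constructed rule export in a simplified CSV layout (the column names, the "ticket" column holding the change request reference, and the /8 "very broad" threshold are assumptions) and reports allow rules that lack a specified service, leave both endpoints unrestricted, use an over-broad prefix, or have no recorded change request.

```python
"""Annual firewall rule-set review helper for clauses (22), (69) and (74).

Added example, not part of the manual. SAMPLE_RULES is a constructed export
in an assumed CSV shape; real firewalls export richer formats, so the column
names and the /8 breadth threshold are assumptions to adapt."""
import csv
import io
import ipaddress

# Constructed rule export. 'ticket' is the change request that justified the rule.
SAMPLE_RULES = """\
id,action,protocol,port,source,destination,ticket
10,allow,tcp,443,0.0.0.0/0,203.0.113.10/32,CR-1042
20,allow,tcp,22,10.20.0.0/24,10.30.0.5/32,CR-1107
30,allow,any,any,any,any,
40,allow,udp,161,10.20.0.0/24,10.0.0.0/8,CR-0911
50,deny,any,any,any,any,baseline
"""

BROAD_PREFIX_LEN = 8  # assumed review threshold: a /8 or wider counts as very broad


def _is_any(value):
    """True when a field places no restriction at all."""
    return value.strip().lower() in {"", "any", "0.0.0.0/0", "::/0"}


def review_rule(rule):
    """Return the list of problems with one allow rule (deny rules are not reviewed)."""
    problems = []
    if rule["action"].lower() != "allow":
        return problems
    # (22): the permitted service, port/protocol, source and destination must be specified.
    if _is_any(rule["protocol"]) or _is_any(rule["port"]):
        problems.append("service/port/protocol not specified")
    if _is_any(rule["source"]) and _is_any(rule["destination"]):
        problems.append("source and destination both unrestricted")
    for field in ("source", "destination"):
        value = rule[field]
        if _is_any(value):
            continue  # an internet-facing service legitimately allows any source
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append(f"{field} '{value}' is not a valid address/prefix")
            continue
        if net.prefixlen <= BROAD_PREFIX_LEN:
            problems.append(f"{field} '{value}' is very broad")
    # (69)/(74): every rule should trace to a retained change request.
    if not rule["ticket"].strip():
        problems.append("no change request recorded")
    return problems


def review_ruleset(text):
    """Map rule id -> problems for every allow rule that fails review."""
    report = {}
    for rule in csv.DictReader(io.StringIO(text)):
        problems = review_rule(rule)
        if problems:
            report[rule["id"]] = problems
    return report


if __name__ == "__main__":
    for rule_id, problems in review_ruleset(SAMPLE_RULES).items():
        print(f"rule {rule_id}: " + "; ".join(problems))
```

On the constructed export, rule 10 passes even though its source is unrestricted, because a public HTTPS service with a specific destination and a recorded ticket satisfies clause (22); rule 30 fails on all three counts, and rule 40 is flagged only for its /8 destination. The output is a worklist for the annual review, not an automatic verdict: a flagged rule may still be justified, and that justification is what clause (74) requires to be retained.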