
Information Security Office
Network Security Standard
Number: 8045.0 Revised: August 15, 2010

The campus network infrastructure is critical in supporting the mission of the University.  Whether it is a student accessing SacCT, a professor checking email, a technician supporting campus systems or an administrative assistant processing paperwork for a department, all users utilize the campus network to access services both on and off campus.  The network is so integrally interconnected that activity on any one aspect of the network has the potential to influence or even harm others elsewhere on the network. As such, it is imperative that the entire network is always highly available and secure, that the data it carries is segmented to protect confidential information, and that data transmission is at all times secure from compromise.

Charter

Due to the critical nature of the campus networking infrastructure, the Networking and Telecommunication Services (NTS) department of the Information Resources & Technology (IRT) division is chartered to be the official owner of all campus network infrastructure, encompassing all wired jacks, network closets, (ip)PBXs, wireless access points, airwaves and other aspects of networking.  NTS is therefore responsible for designing, implementing, maintaining, monitoring and deprovisioning all network devices that comprise this infrastructure.  Oversight of the security of the network is shared between NTS and the Information Security Office (ISO).  Further, the ISO provides oversight to NTS in the form of advice on network design considerations, permission authorization management and auditing.  The ISO also manages the registration and risk assessment process for all networking and networked devices.

Network Device Registration

All defined network infrastructure devices must be registered with the ISO and specifically authorized for use as part of the campus network infrastructure by both the ISO and NTS departments.  A network infrastructure device is any device implemented for the purpose of allowing faculty, staff, students or third parties to access networked campus services.  A network device may be a router, switch, wireless access point, firewall, VOIP device, VPN or other network appliance.

Unauthorized devices can lead to network outages, corruption of network structures, and breaches in network zone security.  As such, any network devices found attached to the network that are not registered and fully authorized will be vetted for use by the ISO, and either registered or replaced by an authorized network device.  The ISO reserves the right to remove unauthorized network infrastructure devices from the network or to physically secure the device until review of security and registration are completed.

DNS Naming Conventions

The official campus naming standards, as set forth by NTS, must be followed when naming any network device or configuring any system attaching to the campus network. Current naming conventions are as follows:


Form                                        Description
<group>-<namestring>.<group>.csus.edu       General form
<group>-<namestring>.saclink.csus.edu       For all systems that participate in the SacLink AD domain
<namestring>.csus.edu                       If the device's top-level name has been approved
<group>-<namestring>.csus.edu               If the device's top-level name has been approved
dhcp-<a-b-c-d>.<subnet desc.>.csus.edu      Subnet function (building admin/lab/wireless/other)

Other centrally managed domains such as csus.net, sacstate.net and sacstate.mobi will follow the guidelines above.

<namestring>

The preference is to keep <namestring> meaningful to users, for example, a clear reference to the device’s location or function. The <namestring> can generally be anything non-offensive, as long as it is approved by the appropriate manager, conforms to required standards, and is not duplicative.  While <namestring> is less restricted than the rest of the name, the preferred names are of the following forms.


Preferred Form                                           Example
<group>-<building>-<room#><sequence#>                    ul-arc2004095.saclink.csus.edu (lab station)
<group>-<building>-<room#><sequence#>                    ul-arc2004p01.saclink.csus.edu (lab printer)
<group>-<building>-<room#>p<##>                          ul-lib1500ps1.saclink.csus.edu (lab print release)
<group>-<userlastname><userfirstinitial><optional #>     nsm-doej1.nsm.csus.edu (J Doe Workstation 1)

<group>

Groups are defined as departmental, divisional or college-based organizational units in the SacLink domain.  The Identity Management group is chartered with managing the top-level campus organizational unit request and approval process.
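As an added example (not part of the standard), the checker below classifies a hostname against the general forms in the first naming table above: the <group> must be a defined organizational unit, the general form requires the subdomain to be that same group, and the dhcp form requires four valid octets. The group list and the approved top-level names are constructed placeholders, since the real lists are maintained by NTS and Identity Management.

```python
import re
from typing import Optional

# Constructed for this example; the real lists are kept by NTS and Identity Management.
KNOWN_GROUPS = {"ul", "nsm", "irt"}
APPROVED_TOP_LEVEL = {"www", "irt-portal"}   # hypothetical approved top-level labels

GROUP = r"[a-z0-9]+"                          # a group token carries no hyphen
NAME = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"     # RFC 1123 style label (hyphens allowed inside)
OCTET = r"\d{1,3}"

RE_DHCP = re.compile(rf"^dhcp-({OCTET})-({OCTET})-({OCTET})-({OCTET})\.({NAME})\.csus\.edu$")
RE_GROUPED = re.compile(rf"^({GROUP})-({NAME})\.({NAME})\.csus\.edu$")   # <group>-<name>.<sub>.csus.edu
RE_TOPLEVEL = re.compile(rf"^({NAME})\.csus\.edu$")                     # <label>.csus.edu


def classify_hostname(fqdn: str) -> Optional[str]:
    """Return the naming-standard form a hostname matches, or None if it matches none."""
    host = fqdn.strip().lower().rstrip(".")   # DNS names are case-insensitive; drop a trailing dot

    m = RE_DHCP.match(host)
    if m:
        octets = [int(o) for o in m.groups()[:4]]
        return "dhcp" if all(o <= 255 for o in octets) else None

    m = RE_GROUPED.match(host)
    if m:
        group, _name, sub = m.groups()
        if group not in KNOWN_GROUPS:           # group must be a defined organizational unit
            return None
        if sub == "saclink":
            return "saclink"
        return "general" if sub == group else None   # general form: subdomain is the same group

    m = RE_TOPLEVEL.match(host)
    if m:
        label = m.group(1)
        if label not in APPROVED_TOP_LEVEL:     # a bare top-level name needs explicit approval
            return None
        group = label.split("-", 1)[0]
        return "group-toplevel" if "-" in label and group in KNOWN_GROUPS else "toplevel"
    return None
```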

Network Zones

For the purpose of minimizing risk to information contained on University servers and desktops, the campus network is segmented into the following zones: Critical, Business, Academic and Client.  The Information Security Officer will define mandatory requirements for network controls required for each of the zones, based on an assessment of risk for that zone.

The differences in the network zones are described at http://www.csus.edu/irt/is/policies/8045/8045csus.html.


Zone          Minimum Control Requirements

Critical
              DMZ and Internal network zones
              Defined egress and ingress rules
              Increased monitoring

Business
              DMZ and Internal network zones
              Defined ingress rules

Vulnerable
              DMZ and Internal network zones
              Defined ingress rules
              Increased monitoring

Client
              Public access is not allowed directly from the Internet
              Deny known bad egress traffic (e.g., malware traffic, clear-text protocols)

Network Controls

Each network zone is protected by a layer of controls designed to reduce overall risk to systems in that zone.  Types of network controls are: Firewalls, Intrusion Detection/Prevention Systems and Log Monitoring Systems, with further details provided below:

Firewalls

Firewalls are network devices that control access to a system or group of systems based on a defined rule set pertaining to systems and ports.  All firewalls must initially be configured to disallow all incoming, or ingress, connections.  As additional exceptions are configured, the ‘Deny All’ rule must be the final rule in the configuration.  Exceptions must be system and port specific; rules allowing full access to all of a system’s ports are not permitted.  Egress rules, i.e., rules that affect outgoing traffic, are required for some critical network zones such as PCI and HIPAA and may be required for other zones based on regulations or policy.
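As an added example (not part of the standard), the audit function below checks a rule set against the requirements in this section: a 'Deny All' rule must close each chain, every exception must name a specific system and specific ports, and zones that require egress rules must have an egress chain. The rule representation and the sample rule set are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "ingress" (incoming) or "egress" (outgoing)
    src: str        # source IP/CIDR, or "any"
    dst: str        # destination system IP/CIDR, or "any"
    proto: str      # "tcp", "udp" or "any"
    port: str       # "443", "22,443" or "any"


# Zones this section and the zone table say require egress rules.
EGRESS_REQUIRED_ZONES = {"critical", "pci", "hipaa"}


def is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.port == "any")


def audit_ruleset(rules: list, zone: str) -> list:
    """Return policy findings for a rule set; an empty list means it satisfies the standard."""
    findings = []
    for direction in ("ingress", "egress"):
        chain = [r for r in rules if r.direction == direction]
        if not chain:
            if direction == "ingress" or zone.lower() in EGRESS_REQUIRED_ZONES:
                findings.append(f"{direction}: no rules defined; a 'Deny All' rule is required")
            continue
        if not is_deny_all(chain[-1]):
            findings.append(f"{direction}: final rule must be 'Deny All'")
        for n, r in enumerate(chain[:-1], start=1):
            if is_deny_all(r):          # anything after a Deny All is unreachable
                findings.append(f"{direction} rule {n}: 'Deny All' must be the final rule")
                continue
            if r.action != "allow":     # narrower explicit denies are fine before the final rule
                continue
            if r.dst == "any":
                findings.append(f"{direction} rule {n}: exception must name a specific system")
            if r.port == "any":
                findings.append(f"{direction} rule {n}: full access to all ports of {r.dst} is not permitted")
    return findings


# Constructed sample rule set for a Business-zone web server (not from the standard).
SAMPLE_RULES = [
    Rule("allow", "ingress", "any", "10.0.1.10", "tcp", "443"),
    Rule("allow", "ingress", "10.0.9.0/24", "10.0.1.10", "tcp", "22"),
    Rule("deny", "ingress", "any", "any", "any", "any"),
]
```

The same rule set passes for the Business zone but is flagged for a Critical zone, because the egress chain is missing there.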

Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems are network devices that monitor network traffic and analyze it for anomalies; these anomalies are compared against known attack signatures.  Intrusion Detection Systems will alert system and network administrators if an attack is registered or an anomaly is detected.  Intrusion Prevention Systems will alert system and network administrators and take preventive action by stopping the malicious traffic before it reaches its target.

Intrusion Detection/Prevention Systems are solely the responsibility of the NTS group, as the improper configuration of such devices and processes can have severe impact to other devices on the campus network.

Log Monitoring Systems

Log Monitoring Systems are network devices that collect, aggregate and report on log events from other network devices.  Log Monitoring Systems may exist at multiple levels of the network: system administrators may utilize local systems to monitor network devices under their purview.  All systems providing authentication to users or that maintain level 1 data must provide a log feed to the campus primary Log Monitoring System.  The Information Security Office operates the primary campus Log Monitoring system to track account anomalies, forensic activities and anomalous network behavior. All log activity must follow Log Management Guidelines, as defined in the Supplemental Information Security Policy.
