Information Technology Security Policy

for the

Information Technology Services

of the

Central Washington University
400 East University Way
Ellensburg, Washington  98926-7436
509.963.2333

Updated by

Information Technology Services Networks & Operations Section
August 2004

INDEX

Overview
I. Business Impact Risk, Threat, and Vulnerability Analysis
II. Personnel Security
III. Physical Security
IV. Data Security
V. Networks and Telecommunications Security
VI. Access Security
VII. Security Training
VIII. Law Enforcement Guidelines for Reporting and Responding to Computer Crime
IX. Plan Evaluation
X. Plan Maintenance
Appendices

APPENDICES

A. Acceptable and Ethical Use of University Information Technology Resources Policy
B. Copyright Policy for Computer Programs
C. Copyrights and Royalties
D. Faculty Code of Personnel Policy and Procedure, Sections 7.00-7.99
E. Telecommunications Fraud SSB No. 6572
F. Central Washington University Computer Center Building Security Policy
G. Computer Center Equipment/Media Security Policy
H. Halon and Fire Alarm Procedures
I. K-20 Network Conditions of Use and Acceptable Use Policies
J. Wireless Access Policy
K. Electronic Communication Policy (DRAFT)
L. RESNET Acceptable Use Policy 11/02/2002
M. Framework for NDS Privileges at Central Washington University
N. Central Washington University Network Environment Technical Documentation
O. NetDB Schema Diagram
P. Central Washington University Computer Recycling Procedure
Q. Central Washington University Voice Mail Policy
R. Proper Use of Scan, Credit Card and Cellular Telephone Service
S. CWU Policies – Part 7 (Partial)
T. Address Confidentiality Program – WAC 434-840


OVERVIEW

This computer security plan covers all Central Washington University computing and network equipment which is managed by Information Technology Services Networks and Operations personnel.  This includes, but is not limited to, the VMScluster, Unix machines, communications and networking switches, routers and other equipment and lines connecting the campus network, dial-in/out modems, LANs, WANs, Netware servers, INET, the Central Washington University web server, wireless networks, infoserver drives, disk drives, tape drives, software media, media storage facilities and system printers.  This does not include the telephone switch, GIS MassComp machines and labs, Library servers, Health Center medical databases, Computer Science SUNs, the Facilities Management Energy Management System, departmental personal computers/web servers, and Macintoshes.  This security plan has been specifically designed for the following purposes:

- To keep information about the students and employees of Central Washington University confidential in accordance with the 1974 RIGHT TO PRIVACY ACT.  This act requires each federal record-keeping agency to:

  "...establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards in their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained."

- To ensure data and system integrity, data integrity being defined as data correctness and system integrity being defined as the ability of a system to operate according to specifications even in the face of deliberate attempts to make it behave differently.

- To physically, technically and administratively provide system availability to authorized users whenever needed.

The computing facilities at Central Washington University are currently located in building 61 (Computer Center) and two office areas located in building 5 (Bouillon Hall), rooms 128 and 202.  The small size of the Computer Center building means that any remodeling carries serious risk of interruption to administrative and academic computing services.

Budget constraints and staff size severely limit our ability to maintain a comprehensive security plan.  Not all policies and procedures in this document have been implemented.  However, as time and priorities permit, we will devote staff time to this effort.  We are proceeding along the line of addressing deficiencies in order of criticality.  This plan will be out-of-date even as it is written because of the continuing modifications being done at this site.

The size of the Information Technology Services' staff will remain relatively small, with a modest increase as required to meet new demands and growth.  The greatest growth continues to be in administrative and academic user areas.  As these areas continue to grow, the opportunity for a security event increases dramatically.  Even with the number of workstations and personal computers growing among the academic and administrative users, all student and personnel records, library, auxiliary services, research and loan management databases are in a central area and potentially a target for a security breach.

While no document can predict the nature of all disasters, this plan will be used during a security emergency.  The purpose of this plan is to provide a guideline to follow when such a need arises.  When this document is used, the expectation is that the scenario will provide more information in 'learning' how to protect our databases and computing equipment.

This plan is to be used in conjunction with the current companion document, Disaster Recovery Plan for the Central Washington University Computer Center.  The sole responsibility for the development and implementation of this security document lies with the Information Technology Services management.  Evaluation and update procedures for the plan are carried out by Information Technology Services annually or when major changes are made within the computing environment.  Distribution of this document to all interested parties is done by Information Technology Services.

Updates of this document are done yearly or when modifications to physical facilities, computer hardware/software, telecommunications networks, application systems, internet-based information systems and organizational and budgetary changes occur.

This document has been prepared in accordance with DIS Information Technology Security Guidelines, January 31, 2001, Amended June 2003, and supersedes the Central Washington University Information Technology Security Policy manual dated July 2003.  This document was amended August 2004 and supersedes previous CWU IT Security Policy manuals.

I.  BUSINESS IMPACT AND RISK, THREAT, AND VULNERABILITY ANALYSIS GUIDELINES

I-A.  Business Impact Analysis

Central Washington University Information Technology Services is not expected to perform a Business Impact Analysis for the institution; this responsibility lies with top management of Central Washington University.  Information Technology Services provides an environment that gives its users reliable service and a high level of online security to support the necessary confidentiality of files and system integrity.  Each department is responsible for providing security within its own manual procedures as well as for evaluating the operational, legal, and financial impact that could result from a disruption of computerized or telecommunication services.  The following table shows computerized critical business functions and their dependencies and vulnerabilities.  This table is directly related to the Risk, Threat, and Vulnerability Analysis in the next section.


Essential Business Functions | Critical Period | Dependencies, Vulnerabilities
---------------------------- | --------------- | -----------------------------
Instructional Computing | Daily | Equipment; Staff
Student Records (SIS & PeopleSoft): Preregistration, Add/Drop, REGI, Grade Processing | Previous school qtr.; beginning of quarter; end of school qtr. | Equipment; Staff
Payroll (PeopleSoft): State, Local | 10th/25th of month (State); 10th/25th of month (Local) | Equipment; Staff
Conference Center (CCS) | Registration | Equipment
Financial Aid (SIS & PeopleSoft): Disbursement, Awarding | Second week of qtr. (Disbursement); Spring qtr. (Awarding) | Student Records
Fee Processing (SIS & PeopleSoft) | | Student Records; Student Accounts
Loan Management (LMS) | Billing cycle (mid-month); month-end cycle (monthly) | Student Records
Accounting (FMS): State Reporting | Monthly | Student Records; Payroll
Facilities Planning (WOS) | Daily | Equipment; Staff
Institutional Research: State Reports | Start of quarter | Student Records
Graduate System (SIS & PeopleSoft) | Start/end of quarter | Student Records
Campus Security (CAMPSA) | Daily | Arrest Reports
Parking (CPAS) | Daily | Equipment; Staff
Institutional Research (PCHEES/Ten Day Freeze) | Quarterly | Equipment; Staff
Biennial Budget (FRS & PeopleSoft) | End of biennium | Accounting
Position Control (POSCON) | Monthly | Payroll; Accounting
University Store (POSS/CENSTORE) | Daily | Payroll
Affirmative Action (PeopleSoft): Federal Reporting | Yearly | Payroll
Facilities Management (WOS) | | Accounting
Vacation/Sick Leave (PeopleSoft) | | Personnel; Payroll
Dining Services (DINE, Computrition) | Bi-monthly | Payroll
Asset Management (FMS) | Annual | Fixed Assets
Service Request Processing | Weekly | Staff
Benefits Administration (PeopleSoft) | | Payroll
Classroom Management (SIS & PeopleSoft) | Mid-quarter | Student Records
Student Reports (SIS & PeopleSoft) | | Equipment; Staff
Student Mailing Labels (SIS & PeopleSoft) | | Equipment; Staff
Alumni Donor and Development (ALUMNI) | | Student Records
Student Reference (SIS & PeopleSoft) | | On-line Capabilities
Health Center Billing (HEALTH) | Daily | Staff; Student Records
Telecommunications Billing (PTELSCAN) | Monthly | Staff; Equipment; Tapes from Olympia
Report Web (FMS) | Daily | Student Records; Staff
WIN | Daily | Student Records
FIN | Daily | Student Records
Daycare Management | Daily | Staff
Central Academic Progress System (CAPS) | Daily | Staff; Equipment
WEBserver | Daily | Staff
FMS: Purchasing, Accounts Payable | Daily |
FAVRS | | Student Records
Diebold | Daily | Staff; Equipment
Visual Messenger | Daily | Equipment
Continuing Education (EUP) | Yearly | Student Records

I-B.  RISK, THREAT, AND VULNERABILITY ANALYSIS

Details of general procedures for emergencies can be referenced in the Disaster Recovery Plan for the Central Washington University Computer Center, section IV of the Reference Information Section.  The following table shows a qualitative risk, threat and vulnerability analysis for computing services provided by Information Technology Services.  Power outages longer than the current UPS can handle pose the greatest threat to all computing, networking and telecommunication equipment on campus.  This type of threat could damage equipment beyond repair for several days.  Other threats that are high risks to the system have protective measures to ensure some recovery if loss is incurred.  Tracking of physical events is done using the TKGNATS system by the Information Technology Services' Network and Operations staff.

Threat | Vulnerable Areas | Result | Protective Measures | Risk
------ | ---------------- | ------ | ------------------- | ----
Electrical outages/fluctuations | Computer Center; Networks; LANs; Telephone Service | Equipment Damage; Denial of Service; Data Destruction; Data Corruption | UPS System; System Backups; Generator; Staff Training | High
Telecommunication Network Failure | Main Computing; Networks; LANs; Telephone Service | Denial of Service | Alternate routing; UPS System; Generator; Staff Training | High
Hardware Failure | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Data Destruction; Data Corruption; Equipment Loss | On-Site Engineer; Hardware contracts; 24-hour support by Networks & Operations; System Backups; Staff Training | High
System Software Failure; Alteration of Software | Main Computing; Networks | Denial of Service; Data Destruction; Data Corruption | Software support by vendor; System Backups; Staff Training | Low
Application Software Failure | Applications | Denial of Service; Data Destruction; Data Corruption | 24-hour support by Applications; System Backups; Staff Training | Medium
Fire | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Data Destruction; Equipment Loss; Facility Loss | Fire alarm systems; Halon systems; Employee training; Access control; Structural Design; Off-site backups; Contingency Plan | High
Water Damage | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Data Destruction; Equipment Loss; Facility Loss | Structural Design; Off-site backups; Contingency Plan | High
File Alteration (Accidental or Intentional); Disclosure; System user error; Employee Sabotage; Unauthorized Use; Viruses | Databases; Software; System integrity | Data Corruption; Data Destruction; Denial of Service; Confidentiality breach | Security auditing; Login authentication; Audit trails; Access control; Security monitoring; System Backups; Staff Training | High
Physical Security; Unauthorized Use; Fraud; External Sabotage; Hackers | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Equipment Loss; Facility Loss; Data Destruction; Data Corruption; Theft | Access control; Structural design; Employee training; System Backups; Login authentication; Staff Training | Medium
Civil Disturbances; Dam Collapse; Earthquake; Flood; Lightning; Smoke, dirt, dust; Snow/Ice Storm; Volcano; Windstorm | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Equipment Loss; Facility Loss; Data Destruction | Structural design; System Backups; Contingency Plan | Medium
Bomb Threats; Building Collapse; Epidemics; Explosions; Hostage Taking; Hurricanes; Landslides; Liquid leakage; Nuclear Reactor Accident; Panic Crushes; Sandstorms; Strike; Terrorism; Thermo-Nuclear Disaster; Tidal Waves; Tornado; Toxic Spills; Tsunami | Computer Center; Networks; LANs; Telephone Service | Denial of Service; Equipment Loss; Facility Loss; Destruction of data | Structural design; System Backups; Contingency Plan | Low
Theft | Computer Center; Databases | Confidentiality breach; Equipment Loss | Access control; Login authentication; Separation of duties; Staff Training | High


I-C.  IT SECURITY STRATEGY

This section of the Information Technology Security Policy outlines the security strategy for Central Washington University.  The goal of this section is to provide security practices for the entire organization in compliance with state and federal laws and regulations and industry best practices.

1.  This security plan provides detailed information regarding use of information technology services.  Below is an outline that establishes basic security access to information and equipment.

A.  Account Management

Account management of all major systems is done by Information Technology Services Networks & Operations staff.  Accounts are provided according to section IV of this plan, which addresses the following:

- System Administrator Log-in Accounts
- User Accounts
- Individual Accountability
- Account Termination/Deletion
- Vendor/Contractor Access
- Naming Standards
- Password Length/Checking/Expiration
- Password History File
- Screen Saver Passwords
- Password Reset
- Account Supervision
- Volume Access

B.  Resource Management

Resource management of all major systems is done by Information Technology Services Networks & Operations staff.  Management is provided according to section IV of this plan, which addresses the following:

- Data Security
- Data Ownership
- Confidentiality
- Software Version Control
- Access Control
- Data Entry
- Transmission
- Encryption
- Information Destruction
- Laptop Security
- System Maintenance
- Backup and Restores

C.  Network/Communications Security

Network/Communications Security for the backbone, dial-in, VPN, etc. is done by Information Technology Services Networks & Operations staff.  Management is provided according to sections IV and V of this plan, which address the following types of resources:

- Data Encryption
- Wireless Systems
- RADIUS Access (Dial-up Access)
- Internet Connections
- Firewalls
- Routers
- Use of VPN Services
- SSL Access

D.  Physical Security

Physical Security of equipment in the Computer Center is done by Information Technology Services Networks & Operations staff.  Physical security of networking electronics, media, reports, etc. is provided according to sections IV and V of this plan, which address the following types of equipment:

- Distribution of Output Reports and Introduction or Release of Data
- Data Center Access
- Media Protection
- Controls to Prevent Unauthorized Use or Removal of Tape Files, CDs, Diskettes, and Other Media
- Disposal of Sensitive Hardcopy Data
- Security Location of Communications Equipment

E.  Security Monitoring and Compliance

Security monitoring and compliance is done by Information Technology Services Networks & Operations staff.  Sections IV and V of this plan address the following:

- Software Version Control and Currency
- Processing of Audit Trails
- System Access Violations
- Misuse
- Event Logs
- Penetration
- Prevention of Tampering
- Network Security Breach Response
- Anti-virus Software Updates
- Patches

F.  Security Awareness and Training

Security awareness and training is addressed in section VII of this document.

- New Hire Orientation
- Acceptable and Ethical Use of Information Technology Resources

G.  Legal and Regulatory Compliance

Legal and regulatory compliance is done by Information Technology Services Networks & Operations staff.  The appendices in this document contain information regarding some of the applicable federal and state regulations regarding information technology use.  Information in sections IV and V of this plan addresses the following:

- System Access Violations
- Acquisition of Software
- Software Licensing
- Applicable Federal and State Regulations
- Information Misuse
- Noncompliance to Policies and Standards

2.  The responsibility for IT system and network security is charged to Information Technology Services Networks & Operations staff.  This group has full access to all computing and networking resources managed by ITS and is responsible for reviewing all audit trails, event logs, etc.  The ITS Networks & Operations staff reports any misuse, noncompliance or violation of state/federal regulations to the appropriate authorities.

3.  Physical security arrangements are discussed in detail in section III of this document.


II.  PERSONNEL SECURITY PRACTICES

II-A.  Hiring practices.

New employees are selected and hired through rules set up by the HEPB and the Central Washington University Personnel Office.  Final selection is made by the Senior Director of Information Technology Services, their designee or the committee assigned to the job search.  Verification of past work history and personal qualifications is performed by staff personnel and Information Technology Services management.  Low salaries and the rural nature of Central Washington University often prevent us from retaining professional people.  This results in high turnover and contributes to additional security risks.

II-B.  Reference and background checks.

Reference checks are required for personnel selected to work for Information Technology Services.  The small staff and the responsibility of working in departmental databases require confidentiality.  Persons convicted of computer crime pose a potential information security breach by intentionally disclosing information and/or 'breaking' the system.  This could cause irreparable harm to Central Washington University; therefore, persons convicted of any computer crime will not be considered for employment at Information Technology Services.  Reference checks are performed by the Senior Director of Information Technology Services, their designee or the committee assigned to the job search.  Criminal history (background) checks are done through the Campus Police Department.

II-C.  Security awareness and program training.

Due to budget limitations, formal security training for employees is not in place; however, Human Resources holds new employee meetings at which Information Technology Services provides a training instructor for IT security awareness.  Informal training is currently done on an as-needed basis.  All employees and new users are required to comply with the Acceptable and Ethical Use of University Information Technology Resources Policy.  This document and additional policies are posted on the Central Washington University web site.

II-D.  Employee performance requirements.

Performance evaluations are conducted for all civil service employees monthly for the first six months of employment and yearly thereafter.  These evaluations are done by the direct supervisor of the employee for accuracy.  All employee evaluations are done to keep performance at a maximum, to record work histories and for position audits.  This procedure is specified in more detail in WAC 251-20.

Performance evaluations are conducted for administrative exempt employees on a yearly basis.  A yearly contract letter is sent to these employees for the first five years of employment.  If the employee is not performing their duties up to supervisor standards, necessary action is taken under the administrative exempt code.

II-E.  Vendor and service personnel monitoring.

Information Technology Services has an on-site hardware maintenance engineer who repairs the OpenVMS cluster systems, the PeopleSoft system and UPS devices.  Hardware repairs for switches, routers, file servers and other networking equipment are done by Networks and Operations staff.  Personal computer maintenance repairs are done by Computer Support Services staff or sent back to the vendor in accordance with the warranty.  Access to the Computer Center is in accordance with the Computer Center Building Security Policy (see Appendix F).  Vendors and other service personnel who may come to the Computer Center for repair/install purposes do so under the direct supervision of Information Technology Services.  Logons/passwords are provided to vendors or other service personnel on an as-needed basis for major projects.  See section IV-S for more information.

Custodian and maintenance personnel are not provided with open access into the Computer Center.  The operator on duty provides access into the computing areas during normal working hours only and in accordance with the Computer Center Building Security Policy and Computer Center Equipment/Media Security Policy (see Appendices F and G).

II-F.  Disciplinary Actions.

Employee disciplinary actions are done through the rules set up by the HEPB and Central Washington University Human Resources.  See WAC 251-11.

II-G.  Terminating Employment.

When an employee of Information Technology Services terminates, the following procedures are used.

- All access to the main computers and networks is removed.  The employee's accounts are disabled and all other accounts they had access to have their pass phrases changed within the same day.
- The employee's account(s) are backed up to tape and retained for thirty days.  After seven days the account(s) are removed from the systems.
- The day the employee terminates, the personal alarm access codes for the Information Technology Services office areas and the Computer Center are deleted.
- If the employee worked in the Computer Center, the off-site vault combination is changed.
- An electronic checkout sheet from an authorized person is generated and notification is sent to all appropriate departments.
- Keys to Information Technology Services, the Computer Center and any computer labs are returned.

When other employees of Central Washington University check out, the following procedures are used.

- All access to the main computers and networks is removed.  The employee's accounts are disabled and all other accounts they had access to have their pass phrases changed.
- The employee's account(s) are backed up to tape and retained for 30 days.  After seven days the account(s) are removed from the systems and networks.
- An electronic checkout sheet from an authorized person is generated and notification is sent to all appropriate departments.
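As an added illustration of the termination procedure above (example code written for this page, not part of the CWU policy or any CWU tool), the following Python script checks the deprovisioning actions recorded for a departing employee against the steps and time windows the procedure states: accounts disabled and shared pass phrases changed on the termination day, accounts backed up and removed after seven days, the backup retained thirty days, and the ITS-specific steps for alarm codes, the vault combination and keys.  The account names, dates and log structure are constructed for the example.

```python
"""Offboarding compliance check for the termination procedure above.

Added example, not part of the CWU policy document.  Given a termination
date and the deprovisioning actions actually recorded for a departing
employee, it reports which steps of the procedure are missing or late.
All record formats and sample data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Windows taken from the procedure text.
REMOVAL_AFTER_DAYS = 7   # accounts are removed from the systems after seven days
RETENTION_DAYS = 30      # the tape backup of the accounts is retained thirty days


@dataclass
class Termination:
    employee: str
    terminated_on: date
    its_staff: bool                  # ITS staff have extra steps (alarm codes, vault, keys)
    worked_in_computer_center: bool  # vault combination changes only for these
    own_accounts: list[str]          # accounts owned by the employee
    shared_accounts: list[str]       # other accounts the employee had access to


@dataclass
class ActionLog:
    """Dates on which each deprovisioning step was recorded as done (constructed)."""
    disabled: dict[str, date] = field(default_factory=dict)            # own account -> date
    passphrase_changed: dict[str, date] = field(default_factory=dict)  # shared account -> date
    backed_up: dict[str, date] = field(default_factory=dict)           # own account -> date
    removed: dict[str, date] = field(default_factory=dict)             # own account -> date
    alarm_codes_deleted: date | None = None
    vault_combination_changed: date | None = None
    keys_returned: date | None = None
    checkout_sheet_sent: date | None = None


def check_offboarding(t: Termination, log: ActionLog, today: date) -> list[str]:
    """Return findings; an empty list means every required step was recorded on time."""
    findings: list[str] = []
    d0 = t.terminated_on
    removal_due = d0 + timedelta(days=REMOVAL_AFTER_DAYS)

    for acct in t.own_accounts:
        when = log.disabled.get(acct)
        if when is None or when > d0:
            findings.append(f"{acct}: not disabled on termination day")
        if acct not in log.backed_up:
            findings.append(f"{acct}: no tape backup recorded")
        removed = log.removed.get(acct)
        if removed is None and today > removal_due:
            late = (today - removal_due).days
            findings.append(f"{acct}: still present {late} days past removal date")
        elif removed is not None and removed < removal_due:
            findings.append(f"{acct}: removed before the seven-day window elapsed")

    for acct in t.shared_accounts:
        when = log.passphrase_changed.get(acct)
        if when is None or when > d0:
            findings.append(f"{acct}: shared passphrase not changed on termination day")

    if log.checkout_sheet_sent is None:
        findings.append("electronic checkout sheet not generated")

    if t.its_staff:
        if log.alarm_codes_deleted != d0:
            findings.append("alarm access codes not deleted on termination day")
        if log.keys_returned is None:
            findings.append("keys not returned")
        if t.worked_in_computer_center and log.vault_combination_changed is None:
            findings.append("off-site vault combination not changed")
    return findings


def backup_retention_expires(log: ActionLog, acct: str) -> date | None:
    """Date on which the thirty-day tape retention for an account's backup lapses."""
    when = log.backed_up.get(acct)
    return None if when is None else when + timedelta(days=RETENTION_DAYS)


# Constructed sample: an ITS operator who left on 2 August 2004.
SAMPLE = Termination(
    employee="j.doe (constructed)",
    terminated_on=date(2004, 8, 2),
    its_staff=True,
    worked_in_computer_center=True,
    own_accounts=["JDOE"],
    shared_accounts=["OPERATOR", "BACKUP_ADMIN"],
)
SAMPLE_LOG = ActionLog(
    disabled={"JDOE": date(2004, 8, 2)},
    passphrase_changed={"OPERATOR": date(2004, 8, 2)},  # BACKUP_ADMIN never rotated
    backed_up={"JDOE": date(2004, 8, 2)},
    removed={},                                         # JDOE still on the system
    alarm_codes_deleted=date(2004, 8, 2),
    vault_combination_changed=None,                     # step missed
    keys_returned=date(2004, 8, 2),
    checkout_sheet_sent=date(2004, 8, 3),
)


def sample_findings(days_after: int = 10) -> list[str]:
    """Run the check on the constructed sample as of N days after termination."""
    today = SAMPLE.terminated_on + timedelta(days=days_after)
    return check_offboarding(SAMPLE, SAMPLE_LOG, today)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```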


III.  PHYSICAL SECURITY

III-A/B.  Facility Characteristics/Location and Layout of the facility

The single floor Computer Center, building 61, is located in the center of the Central Washington University campus, between the Student Union Building and Black Hall.  The computer rooms are located within the protective center of the building, secured by locked doors and operator surveillance.  This building is considered a restricted building with the exception of the output distribution area, which is located in the front of the building and is open only during normal business hours.  All other areas are locked at all times.  The few windows in this building are either secured by bars or are sealed.  There are no outside windows leading into the main computing areas or the telecommunications equipment room.  The occupants of the building consist of network and operations staff and telecommunications staff.  All main computing, networking equipment and telecommunications equipment for the campus reside here, so access to the building is limited.

The off-site storage area is located in Hebeler Hall and employs a tape/disk vault in accordance with NFPA-75 standards.  Access to this area is limited to the operations staff.

The office areas are located in building 5 (Bouillon Hall), rooms 128 and 202.  The office areas are secured during business hours by the front office personnel and secured after hours with locked doors and an alarm system.  Personal codes to the alarm system are distributed to permanent employees only and deleted when an employee terminates employment.

All construction, modification and maintenance of the Computer Center facility is coordinated via Facilities Planning and Construction, who develop the plans for major construction and/or modification.  The implementation of those plans is performed either by Facilities Management or by contracted outside organizations.  Facilities Management is responsible for the power, cooling, heating and water services.

The air conditioning system is at some risk from tampering, as the cooling fans are located in a yard at ground level.  While a locked eight-foot fence provides some protection, it is not adequate.  Power transformers are located outside the building and are not considered secure.  Computer room temperature and humidity are set within the air conditioning systems and are monitored by the operations staff.  Modifications, inspections and maintenance are done by Facilities Management personnel.

The communications rooms are keyed with special keys given to various Telecommunications and Network and Operations staff only.

All computing, networking and telecommunications equipment is tagged with a metal plate.  This plate is glued onto the chassis by Inventory Control staff.  A yearly inventory is done of all computer equipment to monitor its location.

III-C.  Large computer (mainframe) room physical security attributes.

Accidental halon discharges could pose a threat to the computer rooms during unattended hours.  Preventative steps are in place to prevent this.  See Appendix H for Halon and Fire Alarm Procedures and the Central Washington University Disaster Recovery Plan for more information on fire/water procedures.  Fire extinguishers are located in various places within the Computer Center.

An Uninterruptible Power Supply (UPS) was installed in 1994 in the Computer Center to keep power available for 30 minutes.  A generator sufficient to power the full Computer Center operation was installed in July 2003.  In the event that this fails and the power is expected to be out longer than 30 minutes, all equipment is shut down.  If the power is interrupted during a period when there isn't operator coverage, Campus Safety has a call sheet of personnel who are authorized to come in and shut the systems down.

Sensitive and/or negotiable documents are distributed to users through locked boxes.  Sensitive documents that are department specific, such as transcripts, paychecks, and purchase orders, are printed at the user's site.  Each department is responsible for storing sensitive forms in locked areas.

III-C1.  Physical Security Attributes for Telecommunications Rooms.

 

Each building on campus has a telecommunications room.  All electronic gear for networking and telephony are located in the telecommunications rooms.  All gear in racks are connected to an UPS and air-conditioned.  These rooms are secured with restricted keys, only given to Information Telecommunications Services personnel, and can be checked out by custodians when necessary.  Access to these rooms is restricted to Networks & Operations and Telecommunications personnel. 

 

           III-D.  Physical Access control.

 

The staff at the Computer Center is small and there is a limited amount of visitor traffic.  Passes, badges, sign-in sheets, etc. have not been used and are considered unnecessary at this time.  Authorized personnel all have keys into restricted areas and visitors are admitted only when accompanied by staff.  Access to the computer rooms, operations, stock room and vault areas are controlled by the Computer Operations Staff.  Access to the Information Technology Services office areas are controlled by the front office and employees in the area.

 

A list of persons who have been assigned keys to the Computer Center is requested from the Key Shop on a quarterly basis.  This list is reviewed and unnecessary assignment of keys are revoked when they are discovered.  The Director of the Facilities Management and the Director of Information Technology Services are the only persons who can authorize keys for the Computer Center and only do so when absolutely necessary.  Since the Computer Center is monitored more that eighty hours a week, few keys are assigned to personnel.  An alarm code is assigned to personnel who have a key to enter the Computer Center or the Information Technology Services office areas.

 

Locks to restricted areas are changed according to the Key Policy enforced by Facilities Management.  The vault combination is changed whenever an authorized user terminates employment with Information Technology Services.

 

Deliveries to the Computer Center are made at the front door and to the operations staff only.  Deliveries to the back door are accepted only with the authorization of the operations staff.  Deliveries to the office areas are signed for and distributed by the Administrative Assistant.

 

Custodial and maintenance personnel are not given open access to the Computer Center.  The operator on duty provides access to the computing areas during normal working hours only and in accordance with the Computer Center Building Security Policy (see Appendix).

 

The site is considered secure with respect to potential external hazards such as airports, chemical plants, rivers and freeways.

 

III-E.  Data storage and telecommunications controls.

 

Data storage is within the Computer Center and the Hebeler vault areas.  There is no separate data storage facility, so no separate policies are written for this section.

 

III-F.  Off-site media storage and environmental controls.

 

The off-site storage vault in Hebeler Hall is a tape/disk vault built to NFPA-75 standards.  The policies written for the Computer Center also govern security within the off-site storage area.

 

III-G.  Mobile/remote computing security control.

 

Laptops are required to have a local password regardless of whether they connect to the network.  Personal Digital Assistants (PDAs) are required to be secured by the owner with a password because they are easily stolen or compromised.  Laptop passwords can be synchronized with the Central Washington University network.  Wireless traffic is encrypted via VPN.

 

III-H.  Fire and water control.

 

Water supply and drainage in the Computer Center are adequate.  The potential for burst pipes exists, although no pipes run over the computer equipment.  The main danger is from the accumulation of water under the floor during unattended operation or from condensation on overhead pipes during extreme cold.  Under-floor water detectors have been integrated into the fire detection system.  See the Central Washington University Disaster Recovery Policy for more information on shutdown strategies for fire and water emergencies.

 

All staff receive limited training in fire prevention.  Employees are advised of the location of all fire equipment in their areas, its use, and the procedures to follow in case of fire.  The operations staff have been trained in the use of the halon system and the fire alarm procedures; see the Appendix for more information.

 

Three fire detection systems have been installed in the Computer Center.  The first fire detection system is a general building alarm which senses extreme heat, extreme cold and smoke/fire.  If one of these is sensed then an alarm at Campus Security is tripped.

 

The second fire detection system is a specialized system connected to the halon gas system.  If one sensor in the building senses fire or smoke, the first alarm trips and sets off the general building alarm.  If a second sensor senses fire or smoke, the second alarm is tripped and the operator has 45 seconds before the halon gas is dumped into the computer rooms and adjoining areas.  The Computer Center has several 'plungers' installed; each press delays the dumping of the halon gas for another 45 seconds.  (The clock is reset to 45 seconds when pressed; it does not add 45 seconds to the current time.)  This fire detection system is connected to Campus Security and the Ellensburg Fire Department.  Coordination and liaison have been established with the Ellensburg Fire Department, Ellensburg City Police, City of Ellensburg Utilities, Facilities Management (campus utilities) and Campus Security.

 

The third fire detection system is located in the Telecommunications area and is not used for computer room fire detection.

 

III-I.  Electrical control.

 

The electric utility stability is adequate in its present form because of an uninterruptible power supply (UPS).  The main power transformer is currently in an exposed location and has a low potential for sabotage.

 

III-J.  Operational stability.

 

Operational stability means providing a stable environment, both hardware and software, for the user.  The following procedures have been created and are in place at Central Washington University in order to create a more stable user environment.

 

Hardware preventive maintenance is scheduled periodically for all equipment throughout the year.  Hardware configuration change proposals are developed by the Associate Director for Networks and Operations and his staff, then reviewed and approved by the Director of Information Technology Services.  Hardware acquisitions are processed in accordance with DIS standards.  Scheduling of down-time for hardware upgrades and repairs is done by the Associate Director for Networks and Operations.

 

Program changes are made through a service request mechanism.  Service requests are prepared by the user department, approved by the principal budget administrator and submitted to Information Technology Services.  All requests received by Information Technology Services are logged by the department secretary and routed to the Facilitator or their designee, who assigns them to an analyst and schedules them for implementation.  When all programming and testing is complete, the changes are placed in production by a production captive account, which logs all production moves (promotion to production).  A completed service request form is then returned to the user.

 

Software upgrades and updates are made as soon as possible after they arrive at Information Technology Services.  The changes are scheduled for times when users will be affected least, in order of criticality.  All major upgrades and updates are planned for periods when the systems can be isolated from use for a longer time.

 

Other environmental changes are handled through an informal study and analysis procedure on an as-needed basis.

 

A problem report form exists for reporting complex application production problems.  Most problem reports are taken over the phone by the programmer.  System and network problems are handled informally, directly by the appropriate systems person on call or assigned to the product, project or system.  The Computer Support Services staff currently use helpdesk software to cut down on the number of problem calls received through the Information Technology Services offices.  Networks and Operations staff use another helpdesk software package for tracking other items such as account requests, problems with networking equipment, upgrades to software, etc.

 

Documentation standards and procedures are continually being established for operational, systems, networks and program documentation.  They include an outline of content, format, and maintenance responsibilities and procedures.  Responsibility for maintaining this documentation is divided between operations, applications and networks.

File Servers:  Our standard for Intel servers is Compaq, which replaces failed components under its next-day on-site service warranty.  For older systems, we have spare hard drives on hand as well as an entire spare server.  All systems have redundant components such as RAID 5 disk sets, dual processors, etc.

 

File Servers are located in the Computer Center.  Only Networks and Operations staff have physical access to the hardware. 

 

Switches and Routers are located in locked communication rooms around the campus.  Only Networks and Operations staff and the Telecommunications staff have keys to these rooms. 

 

 

III-K.  Insurance coverage for computer operations.

 

Insurance for the computer center equipment is covered by Allendale Insurance Companies located in Olympia. 

 

5-February-2004

Item                                    Ident#   Orig Value   Insure Value
DEC 4100 (5)                                      $120,000     $120,000
DEC 8200 (2)                                      $200,000     $200,000
DEC AXP 7000/620                        64865     $212,486     $212,486
COMPAQ Pro servers (32)                           $480,000     $480,000
COMPAQ GS160                                      $370,000     $370,000
GS Storage network                                 $60,000      $60,000
Brocade Fiber Channel Switch                       $19,000      $19,000
XIOTech Storage Array                             $139,815     $139,815
ES40 AlphaServer (7)                              $159,990     $159,990
SUN HPC 250 (3)                                   $135,000     $135,000
SUN HPC 450                                        $65,000      $65,000
SGI station                                        $64,000      $64,000
AlphaStations (5)                                  $30,000      $30,000
Network Computers (15)                             $75,000      $75,000
LG12 Plus Printer (2)                              $20,000      $20,000
H9A10-MC cabinet                                   $10,000      $10,000
HSJ52-AJ dual controller                           $20,400      $20,400
DS-RZ1DD-VW 9.1GB UltraSCSI                        $24,400      $24,400
DS-RZ1ED-VW 18.2GB Ultra                          $160,600     $160,600
HSC-95s disk cntrlls (2)                           $62,962      $62,962
Qualstore Tape backup (2)                         $120,000     $120,000
VOCOM Voice Response Sys                           $30,000      $30,000
OCTEL Aspen Voice Messaging                       $130,400     $130,400
SNA Gateway                             62266       $6,062       $6,062
DataGeneral Sniffer                     59957      $17,019      $17,019
HP Laser Printer 5SI (2)                            $7,000       $7,000
TU81 tape drive                                    $10,000      $10,000
TZ88 tape backup units (6)                         $10,000      $10,000
INFO Server 100 with 5 CDROM's                     $12,500      $12,500
INFO Server 150 w 4 RRD42's             63063      $12,000      $12,000
Misc electrical and computer cables                $50,000      $50,000
Misc Data Comm Equip (CISCO)                      $600,000     $600,000
VaxStation 4000/90                      64860      $24,645      $24,645
VaxStation Monitor                      64861       $1,728       $1,728
US Micro PC cpu (5)                                 $7,000       $7,000
Sony monitor (2)                                      $718         $718
NEC 21 inch monitor (1)                               $900         $900
TTI 8MM 10GB d tape drive (4)                      $46,324      $46,324
RRD40 CDROM                             62264         $705         $705
SUN SparcStation 10                     64875      $16,022      $16,022
SUN CD                                  64876         $644         $644
SUN Monitor                             64874       $2,155       $2,155
Codex 32port modem unit                 65086      $28,000      $28,000
CISCO 7000 (3)                                    $100,000     $100,000
CISCO 6500 (2)                                    $238,000     $238,000
HP Sniffer                              64974      $17,087      $17,087
Northern Telecom SL-1XT                           $850,000     $850,000
Total                                                         $4,767,562


IV.  DATA SECURITY

 

IV-A.  Agency Data Security Policy Statements.

 

Data security and integrity is probably the second most important aspect of computer security.  If an unauthorized user does find a hole into the computer system, they are going to see what type of data they can access and how.  When file protections are set appropriately and system alarms are enabled, an unauthorized user who does gain access to the system will have considerably fewer files to browse and, with security alarms, will be caught in a reasonable amount of time.

 

With the different types of accounts and data sources on the Central Washington University computers and their associated file servers, different guardians are needed for the databases, programs and sources.  Student, academic and administrative accounts own all files created by the account and all files within the account and its network areas.  Files loaded by the Operations staff for any student, academic or administrative user are owned by the requesting user and are loaded into the user's authorized work area or network node area unless prior arrangements have been made.

 

Research data brought in to be placed on the Central Washington University computers is owned by the requesting user.  The requesting user supplies the Networks and Operations staff with the restrictions imposed by the supplier of the data.  Users who want access to the research data must submit a request to the data guardian and the Networks and Operations staff, and sign a release stating that they have read the restrictions on use of the data and will abide by them.  Central Washington University Information Technology Services is not responsible for users who do not abide by the rules and regulations for using research data supplied from outside sources.

 

Production accounts own all data within their account and any reports produced by that account.  Databases, executables, libraries, tables, etc. outside of the IAI system are owned by the account that utilizes them.

 

The SCT system is divided into four modules.  All databases and tables for the SIS/LMS/FRS modules, with the exception of the security tables, are owned by the Controller's office and the Admissions and Records office.  The databases and tables within the HRS system that affect personnel, with the exception of the security tables, are owned by the Business Manager.  The HRS data that affect payroll are owned by the Controller's office.  The executables, command files, sources, libraries and security tables are owned by Information Technology Services.

 

The Human Resource PeopleSoft databases and data are owned by the Controller's office.  The Financial Management System PeopleSoft databases and data are owned by the Business Manager.

 

Auxiliary services databases, executables, sources, libraries, tables, etc. are owned by the Director of Auxiliary Services.

 

System operating files, libraries, compilers, etc. are owned by the Associate Director for Networks and Operations in Information Technology Services.

 

Copyrighted material is covered under the Copyright Policy, see appendix for specifics.


 

IV-B.  Software Version Control and Currency.

 

Operating systems are updated and tracked as follows:

 

OpenVMS/Unix – O/S and compiler/email/networking updates are tracked in the system startup files.  Minor updates are done when patches come in.  Major updates are done between quarters or breaks. 

 

Network, Groupwise, Zen, Netware Clients  – Updates and change logs are tracked using CVS.  Supplemental information may be in GNATS, the Networks and Operations trouble tracking system.  Local configuration files and change logs are in RCS.  Minor updates are done when patches are sent out.  Major updates are done between quarters or breaks. 

 

Unix systems such as Red Hat Linux, Solaris and BSD have tracking mechanisms for when software is updated.  Administrators at Central Washington University normally use CVS in addition to the Unix tracking mechanisms.

 

System security patches are installed as soon as possible after release.  Computer Support Services manages a patch server for Windows 2000 and Windows XP machines.  Client PCs are configured so that patches are distributed automatically after they have been approved by Computer Support Services.  Mac OS is updated as the user requests it.  Application software is updated as the user requests it.

 

Oracle and PeopleSoft software upgrades are done when the database administrators select which version to go to.  Tracking is done by the DBAs.

 

Computer Support Services manages an Anti-Virus definition update server for the entire campus.  Definitions are downloaded to the parent server and distributed to the campus as often as necessary.

 

IV-C.  Access control techniques.

 

Each department is responsible for its own databases and the accuracy of those databases.  Central Washington University Information Technology Services provides a stable environment in which to run computerized processes and provides online security and monitoring of software and database access.

 

All OpenVMS master file directories have the default SYSTEM file protection READ, WRITE, EXECUTE.  Any change to the SYSTEM file protection will result in the master file directory being owned by the SYSTEM account, with access granted through ACL protections.

 

OpenVMS data sharing within departments will use the HP/Compaq file protection scheme for files and directories within groups.  Data sharing outside of group access will be done with the use of ACLs. 

 

UNIX data sharing within departments will use the HP/Compaq file protection scheme for files and directories within groups. 

 

System non-executable files that need world access receive only read and/or execute access.  Protections for system files are checked frequently.

 

Non-system-owned files are the responsibility of their owners.  ACLs and file protections are checked for world access weekly to help users maintain data integrity.

 

Non‑production data is protected by file protections and access control lists assigned to directories and/or files.  Default protection on the VMScluster gives SYSTEM and OWNER full access but denies any access to GROUP and WORLD.  A user has to specifically change file protections to allow other accounts access. 
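The weekly world-access check described above can be scripted against a directory listing.  The following is an added example, not a tool from the CWU policy or from Information Technology Services: it parses both spellings of an OpenVMS protection code (the positional "(RWED,RWED,RE,RE)" form that DIRECTORY/PROTECTION prints in SYSTEM, OWNER, GROUP, WORLD order, and the keyed "(S:RWED,O:RWED,G:RE,W:RE)" form used by SET PROTECTION) and flags WORLD access that the policy does not allow.  The listing, the directory names and the files in it are constructed for the example.

```python
"""Weekly WORLD-access check over OpenVMS-style protection codes.

Added example; it is not part of the CWU policy document or of any CWU
tool.  The two protection-code spellings are real OpenVMS syntax; the
listing below is constructed.
"""
import re

CATEGORIES = ("S", "O", "G", "W")        # SYSTEM, OWNER, GROUP, WORLD
RIGHTS = set("RWED")                      # Read, Write, Execute, Delete
_CODE_RE = re.compile(r"\(([^)]*)\)")
_ENTRY_RE = re.compile(r"^(\S+)\s+(\(.*\))\s*$")

# Constructed sample listing: a directory header line, then one file per line.
SAMPLE_LISTING = """
SYS$SYSROOT:[SYSMGR]
LOGIN.COM;3          (RWED,RWED,RE,RE)
SYLOGIN.COM;12       (RWED,RWED,RE,R)
DISK$USER:[FACULTY.SMITHJ]
GRADES.DAT;1         (RWED,RWED,,)
NOTES.TXT;2          (RWED,RWED,RE,RW)
PUBLIC.TXT;1         (S:RWED,O:RWED,G:RE,W:RE)
"""


def _rights(text, code):
    rights = set(text.strip().upper())
    if rights - RIGHTS:
        raise ValueError(f"bad access letters in {code!r}")
    return rights


def parse_protection(code):
    """Return {"S": set, "O": set, "G": set, "W": set} for either spelling."""
    m = _CODE_RE.search(code)
    if not m:
        raise ValueError(f"not a protection code: {code!r}")
    fields = [f.strip() for f in m.group(1).split(",")]
    result = {c: set() for c in CATEGORIES}
    if any(":" in f for f in fields):
        # Keyed form; a bare category letter such as "W" means no access.
        for f in fields:
            if not f:
                continue
            cat, _, rights = f.partition(":")
            cat = cat.upper()
            if cat not in result:
                raise ValueError(f"unknown category {cat!r} in {code!r}")
            result[cat] = _rights(rights, code)
    else:
        # Positional form: exactly four fields; an empty field means no access.
        if len(fields) != 4:
            raise ValueError(f"expected four fields in {code!r}")
        for cat, rights in zip(CATEGORIES, fields):
            result[cat] = _rights(rights, code)
    return result


def world_access_findings(listing):
    """Flag WORLD access the policy does not allow.

    - WORLD write or delete on any file is 'high';
    - WORLD read/execute on a system file (SYS$ devices) is the allowed case
      and is not reported;
    - WORLD read/execute on a user file is 'review': the default denies
      WORLD, so the owner must have opened it deliberately.
    """
    findings = []
    current_dir = ""
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("]"):               # directory header line
            current_dir = line
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        name, code = m.groups()
        world = parse_protection(code)["W"]
        label = "WORLD:" + "".join(c for c in "RWED" if c in world)
        path = current_dir + name
        if world & {"W", "D"}:
            findings.append((path, "high", label))
        elif world and not current_dir.upper().startswith("SYS$"):
            findings.append((path, "review", label))
    return findings


if __name__ == "__main__":
    for path, severity, label in world_access_findings(SAMPLE_LISTING):
        print(f"{severity:6} {label:10} {path}")
```

Running the block against the constructed listing reports NOTES.TXT as high (WORLD can write it) and PUBLIC.TXT for owner review; the two system files carry only the read/execute access the policy permits and are not reported.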

 

Data sharing on the Netware file servers is done by Organizational Units.  Accounts within an OU are given access to a staff-shared directory in addition to their personal directory.  Any user needing access to a shared directory outside their staff-shared directory is granted access rights by the creation of a group object that has access to the file.

 

Database access within Oracle or Powerhouse is done by using the features of the database product and controlled by the database owner.

 

New accounts are granted full access only to their own folders and their departmental folders.  Additional access to folders can be gained by a request from the department head, senior secretary or administrative assistant.  People who change jobs are handled as a new account: the account is moved and general access is granted to their own folder and departmental folders.  Access to folders from previous employment is revoked when the account is moved.

 

A yearly audit of accounts is done by Information Technology Services Networks & Operations.  Accounts within a department are sent to the senior secretary or administrative assistant for verification of employment.

 

IV-D.  Data entry processes.

 

Each department is required to have its own policies and procedures regarding data entry processes.  Central Washington University Information Technology Services does not take responsibility for what each department enters into its own databases.  See section IV part C for detailed information on what Information Technology Services does for access control techniques.

 

IV-E.  Processing accuracy.

 

Checks and balances within computerized procedures are done within each department that uses the Central Washington University Information Technology Services computing and networking equipment.  See section III-C for detailed information on what Information Technology Services does to provide access control techniques.

 

IV-F.  Distribution of output reports and introduction or release of data.

 

Distribution of output reports is done according to the Computer Center Equipment/Media Security Policy; see the Appendix for specifics.  The release of data or new programs is done at the request of the data custodian or the database administrators.  System and network software upgrades are made at the discretion of the Networks and Operations personnel and the Associate Director for Networks and Operations.

 

IV-G.  Data and program back-up.

 

Backup and recovery are regular duties assigned to the Networks and Operations staff.  Monthly full backups are stored off-site for 1 year.  Daily incremental backups are stored online for 1 month.  Weekly intermediate backups are stored online for 1 month.  OpenVMS system disk backups are done nightly during the week and stored off-site.  Full backups are stored off-site in a vault located in the Hebeler building.  The chart below gives a visual representation of retention and storage site.

 

 

Backup Type                 Length of time stored/location
Weekly Intermediate         1 month online
Daily Incremental Backup    1 month online
Monthly Full Backup         1 year offsite
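The retention table above determines two things an operator needs to compute: which media may be purged on a given day, and which media must be mounted, in order, to restore a system to a given date.  The following is an added example, not part of the CWU policy or of any CWU backup tool.  The retention periods are the ones the table states; it assumes that "1 month" and "1 year" are calendar periods, that a weekly intermediate backup holds all changes since the last monthly full, and that a daily incremental holds changes since the previous backup of any type.  The inventory dates are constructed.

```python
"""Retention and restore-chain logic for the backup schedule above.

Added example; not part of the CWU policy or any CWU backup tool.  The
assumptions (calendar periods; weekly = differential since the last full;
daily = incremental since the previous backup) are stated in the lead-in.
"""
import calendar
from datetime import date

# kind -> (retention in months, storage location), from the policy table
RETENTION = {
    "daily_incremental":   (1, "online"),
    "weekly_intermediate": (1, "online"),
    "monthly_full":        (12, "offsite"),
}

# Constructed inventory: (kind, date taken)
SAMPLE_INVENTORY = [
    ("monthly_full", "2003-01-05"),
    ("monthly_full", "2004-01-04"),
    ("monthly_full", "2004-02-01"),
    ("weekly_intermediate", "2004-02-08"),
    ("weekly_intermediate", "2004-02-15"),
    ("daily_incremental", "2004-01-06"),
    ("daily_incremental", "2004-02-16"),
    ("daily_incremental", "2004-02-17"),
    ("daily_incremental", "2004-02-18"),
]


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def months_before(d, months):
    """Calendar-month subtraction, clamping the day to the target month."""
    d = _as_date(d)
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def apply_retention(inventory, today):
    """Split the inventory into (keep, purge); items are (kind, taken, location)."""
    today = _as_date(today)
    keep, purge = [], []
    for kind, taken in inventory:
        months, location = RETENTION[kind]
        taken = _as_date(taken)
        cutoff = months_before(today, months)
        (keep if taken >= cutoff else purge).append((kind, taken, location))
    return keep, purge


def restore_chain(inventory, target):
    """Ordered (kind, date) list of backups needed to restore state as of target."""
    target = _as_date(target)
    items = [(k, _as_date(t)) for k, t in inventory]
    fulls = sorted(t for k, t in items if k == "monthly_full" and t <= target)
    if not fulls:
        raise LookupError(f"no monthly full backup on or before {target}")
    base = fulls[-1]
    chain = [("monthly_full", base)]
    weeklies = sorted(t for k, t in items
                      if k == "weekly_intermediate" and base < t <= target)
    if weeklies:                      # latest weekly supersedes earlier ones
        base = weeklies[-1]
        chain.append(("weekly_intermediate", base))
    dailies = sorted(t for k, t in items
                     if k == "daily_incremental" and base < t <= target)
    chain.extend(("daily_incremental", t) for t in dailies)
    return chain


def chain_is_restorable(inventory, target, today):
    """True when every backup the chain needs is still inside its retention."""
    keep, _ = apply_retention(inventory, today)
    kept = {(kind, taken) for kind, taken, _ in keep}
    return all(item in kept for item in restore_chain(inventory, target))


if __name__ == "__main__":
    keep, purge = apply_retention(SAMPLE_INVENTORY, "2004-02-20")
    print("purge today:", [(k, t.isoformat(), loc) for k, t, loc in purge])
    print("chain for 2004-02-18:", restore_chain(SAMPLE_INVENTORY, "2004-02-18"))
```

The last function is the check worth running before media are destroyed: a restore point is only as good as the oldest item in its chain, so a daily incremental that falls outside its one-month online retention makes every restore point that depends on it unreachable even though the monthly full it builds on is still in the vault.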

 

 

The off-site vault where backup media are stored has its combination changed yearly or when an employee who knows the combination terminates employment.  While the combination is being changed, an authorized person must stay with the vault, as the door has to be removed to change the combination.

 

Trusted network sessions use SSH.  HTTPS (Hypertext Transfer Protocol Secure) provides a secure channel between Web clients and servers.


IV-H.  Media protection.

 

All PC/Mac machines that are sent to surplus have their hard drives scrubbed.  All outdated media is sent to surplus, put in a trash compactor and then sent to the landfill.

 

IV-I.  Controls to prevent unauthorized use or removal of tape files, CDs, diskettes, and other media.

 

All media is stored in the Computer Center, in the off-site vault or in locked cabinets in offices.  Media is loaned out according to the Computer Center Equipment/Media Security Policy; see the Appendix for more details.

 

System and network software media is controlled by the Networks and Operations staff. 

 

PC and Macintosh media is controlled by Computing Support Services, a division of Information Technology Services.  The Software Distribution personnel keep a database of all machines and licenses.  Currently all outdated media is kept in a locked cabinet for later destruction.  All technicians have a copy of PC/Mac software for field use; student workers are required to check out media daily.

 

Labels for the software do not contain serial numbers. 

 

Paper documents containing personally identifiable information are shredded.

 

IV-J.  Guidelines for data encryption management.

 

All administrative processing is done via wired network (direct dial-in or landline) or VPN.  Detailed information regarding encryption is in section IV-K, under Wireless.

 

Self-service student account/password changes are handled as follows:

- The Web page will reside on an SSL server.  Students will be prompted for ID, PIN and new password all on the same screen, eliminating the need for hidden identification fields in a form, which could be forged by a hacker.

- The action for the form will be a Java servlet.  Since a Java class, once loaded by the JRE, is persistent until destroyed, state can be maintained.

- The file containing the ID/PIN numbers will be encrypted and will be decrypted by the Java servlet.

- Upon successful authentication, the servlet will remotely execute the method for changing passwords via RMI.  This communication with the Win32 machine will be encrypted.  Furthermore, the method should be coded to permit access only from specific hosts.

- The Java application running on the Win32 system will invoke a native method via JNI to actually set the passwords.  This must be a DLL coded in C++.

- All activity will be logged, preferably via syslog.

Student account/password information is encrypted, as users may change their password using a web server.

Other

 

The WIN system uses SSL, web GroupWise (email) is redirected to a secure server (https), and VPN tunneling is utilized for administrative off-campus use.

 

IV-K.  Processing audit trails

 

Checks and balances within computerized procedures are done within each department that uses the Central Washington University Information Technology Services computing and networking equipment.  Audit trails for program changes are addressed in the Operational Stability section of this document.  See section IV part S for detailed information on what Information Technology Services does to provide system and database security.

 

IV-L.  System access violations

 

The Networks and Operations staff run various auditing software for the different OSs to monitor security alerts such as login failures or break-ins, ACL changes, password changes, unauthorized browsing attempts, group right changes and various other alerts.  Logs are rolled over daily and reviewed on an as-needed basis.

 

OpenView is used to monitor switches and routers to ensure they are not bouncing or having other problems that would cause a loss of service.

 

See section IV part S for password information.

 

IV-M.  Virus prevention, detection, and removal

 

All PC/Macs connected to the Central Washington University networks are required to run virus protection software with regular updates.  Scans are set to run weekly on all PC/Macs.  The email servers run Sophos, an email virus scanner.  Information Technology Services Computer Support Services runs a local patch server for Windows 2000 and Windows XP machines and a local Anti-Virus definition file update server.  After patches have been authorized, the patch server pushes them out to all local workstations.  Definition files are updated as they come in from the vendor.

 

IV-N.  Control of Interactive Internet Technology

 

Central Washington University does not prevent users from downloading Internet technologies.

 

IV-O.  Disposal of sensitive Hardcopy Data.

 

Data guardians are responsible for disposal of any sensitive hardcopy data generated in their areas.  The Information Technology Services staff use shredders in the office areas for their own disposal.

 

IV-P.  Software Testing.

 

All third-party and in-house software has procedures for testing before being moved into production.  In the case of administrative PeopleSoft systems, there are specific machines dedicated to testing before implementation.  In-house software is typically tested with maintenance accounts before being promoted into production.  Log files are generated for software tests and moves.

 

IV-Q.  Controls to prevent unauthorized use or removal of tape files, CDs, diskettes, and other media.

 

All media is stored in the Computer Center or in the off-site vault and is controlled by the operations staff.  Media is loaned out according to the Computer Center Equipment/Media Security Policy; see the Appendix for more details.  System software media is controlled by the Networks and Operations staff and stored in the Computer Center, locked offices or cabinets.

 

IV-R.  Controls to prevent the introduction of unauthorized programs to computer systems.

 

System file integrity is verified by multi-pass comparisons of all operating system files and components on the system disk with the originals installed during operating system installations and upgrades.  Any unexplained differences are investigated by Networks and Operations staff.  Network security is provided by various methods.  All machines connected to the Central Washington University network are required to run virus protection software with regular updates.  The routers and switches have built-in mechanisms for blocking access to various ports, etc., all of which are utilized and frequently checked.  Access to database and application servers is limited to system administrators and software developers.  The web environment is separated from the rest of the network via VLANs.

 

IV-S.  System and network security.

 

Account security is probably the single most important item in keeping the Central Washington University computers and networks secure.  In computer security studies, the single most common entry point into a computer is by guessing a password to gain access into an account.  The following items have been prepared to keep user accounts secure from the systems point of view, and to educate the user in their role of computer security.

 

Requests for new user accounts come through Information Technology Services.  The Information Technology Services web pages have an electronic form that only authorized personnel are allowed to use for submitting a request.  Authorization to these pages is done via LDAP authentication.  Faculty and staff account names are generated from the first seven characters of the last name followed by the first-name initial.  If that name is already used, the last name is truncated and letters of the first name are added until the name is unique.  Student account names generally consist of the full last name followed by the first-name initial, adjusted until the name is unique.

 

The Acceptable and Ethical Use of Central Washington University Computing Equipment is posted on the Information Technology Services web site.  This policy addresses individual accountability regarding use of Central Washington University computing resources.  All users are required to adhere to this policy.

 

All account changes, with the exception of password change requests, must be requested in writing or via electronic mail by the account owner and submitted to the Information Technology Services Networks & Operations staff.  Owner changes to an account must be approved by the current owner, the co-signer of the account or the department head before it is turned over to the new owner.  Passwords are discussed later in this document.

 

All OpenVMS user accounts have an expiration date.  Novell Netware accounts do not have an expiration date.  The default duration of a user account depends on what type of account it is.  Faculty, staff, administrative and production accounts have an expiration date of one year.  All student accounts expire when the student leaves Central Washington University.  Accounts that have not been used for six months or longer, and whose owners have not given Networks & Operations staff written notification of their desire to keep the account, will be backed up to tape and removed from the system.  The backup of the account is retained for 30 days and then deleted.  Student accounts are purged if the student is not enrolled for a quarter.

 

All new accounts are created with a pre-expired password.  This means that users who log into a newly created account must change their password before continuing into the system.  Password durations for accounts are as follows.  (VMS privileged accounts are any accounts with privileges above the Digital 'NORMAL' class.  OpenVMS captive accounts are accounts with the UAF flag 'CAPTIVE'.)

 

Administrator Accounts                                                30 days

Captive Accounts                                                         90 days

Faculty Accounts                                                          180 days

Student Accounts                                                         180 days

Staff Accounts                                                              90 days

 

Dictionary password checking is enabled for all accounts.  Password history checking is done for all accounts. 

Screen saver passwords are required for anyone who leaves their machine. 

 

Password change requests can only be made by the owner or the sponsor of the account, and proper identification must be provided.   Password minimum length is as follows.

 

Administrator accounts      10 characters

OpenVMS accounts            8 characters

NetWare user accounts       6 characters
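The rules above (minimum length by system, maximum age by account class, pre‑expired passwords on new accounts, dictionary and history checking) combine into a small policy check.  The following is an added example, not part of the CWU policy or of any CWU system; the dictionary words, the sample history and the system and class names are constructed for illustration.

```python
"""Password policy checks for the account classes listed above.

Added example; not part of the CWU policy or of any CWU system.  The
dictionary words, the sample history and the class/system names are
constructed.  A real deployment would read the system dictionary and the
stored history from the authorization database (SYSUAF or NDS).
"""
from __future__ import annotations

import hashlib
import os
from datetime import date, timedelta
from typing import Optional

# Minimum password length by system (from the list above).
MIN_LEN = {"administrator": 10, "openvms": 8, "netware": 6}

# Maximum password age in days by account class (from the list above).
MAX_AGE_DAYS = {"administrator": 30, "captive": 90, "faculty": 180,
                "student": 180, "staff": 90}

# Constructed stand-in for the system dictionary (lower-case words).
DICTIONARY = {"password", "wildcat", "ellensburg", "welcome", "summer"}

ITERATIONS = 50_000


def history_entry(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest of a previous password, as kept in the history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_problems(password: str, system: str, history: list) -> list[str]:
    """Return the rules a candidate password violates ([] means acceptable)."""
    problems = []
    if len(password) < MIN_LEN[system]:
        problems.append("too_short")
    # Dictionary check: whole-word, case-insensitive.  Trailing digits are
    # stripped first so "Wildcat1" is caught too; this goes slightly beyond the
    # plain OpenVMS check, which compares the whole string only.
    lowered = password.lower()
    if lowered in DICTIONARY or lowered.rstrip("0123456789") in DICTIONARY:
        problems.append("dictionary_word")
    # History check: rehash with each stored salt and compare digests.
    for salt, digest in history:
        if hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest:
            problems.append("reused")
            break
    return problems


def expiry_date(changed_on: date, account_class: str, pre_expired: bool = False) -> date:
    """Date the password expires.  A new account is pre-expired: the password
    must be changed at first login, so it expires on the day it was set."""
    if pre_expired:
        return changed_on
    return changed_on + timedelta(days=MAX_AGE_DAYS[account_class])


def must_change(today: date, expires: date) -> bool:
    """True when the user must set a new password before continuing."""
    return today >= expires
```

The history is stored as salted digests rather than clear text so that a leaked history file does not hand an attacker the user's previous passwords; the check simply rehashes the candidate under each stored salt.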

 

Requests for accounts without passwords ('OPEN' accounts) will be reviewed by Networks and Operations staff.

 

'NORMAL' privileges (TMPMBX and NETMBX) will be given to all new OpenVMS user accounts.  Requests for additional OpenVMS privileges can be made to Networks and Operations staff for evaluation.  UNIX user accounts will not be permitted to attain superuser status. 

 

Usernames and user identification codes (UICs) will be unique for each OpenVMS user on the VMScluster wherever possible.  Some system software requires duplicate UICs to function, but outside of those accounts new accounts will be unique.  OpenVMS account UICs will be grouped together by department.  Departments often need to share data among themselves, and with the directory and file protection scheme that DIGITAL provides this is the best option.  Group numbers 1-10 octal are reserved for Systems and Operations, group numbers 11-5000 octal are used for faculty, staff and production accounts, and group numbers 5001 octal and up are reserved for classroom student accounts.  UNIX usernames and user ids (UIDs) will be unique for each UNIX user.  Accounts will be grouped together by department for file sharing within the group.  File sharing outside of group protections will be done by adding users with similar needs to the appropriate group or by moving the files to an open user directory.

 

File sharing for NetWare users is done through group membership.  The groups are then assigned rights on the volume/directory. 

 

Audit alarms are set on the VMScluster for all login failures, account breakin detections, file access failures and modifications to authorization records.  These alarms log a record into the security audit journal for every detection the audit server process finds.  This security audit journal is reset every working day and reports are processed and reviewed by Systems Security personnel.  Audit alarms are set on the UNIX computers for all logins, login failures, account breakin detections, file access failures, modifications to accounts and user commands.  These are logged to a file and saved as raw data on a daily basis for future reference. 

 

Netware audit alarms are set for login in and out, login failures, password changes, account modifications. 

 

Excessive login failures may result in the disabling of an account until the owner can be contacted.  If the owner does not verify the login failures then an investigation may be done.  Breakin detections may result in the disabling of an account until the owner can be contacted.  If the owner does not verify the breakin detection then an investigation will be done and the password of the account may be changed.
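The daily review of the audit journal described above (login failures, breakin detections, file access failures, authorization record changes) can be scripted so that the records needing action are pulled out automatically.  The following is an added example, not CWU's review tooling or the OpenVMS audit format: the record layout, the thresholds and the sample journal lines are constructed, and only the event classes the policy names are used.

```python
"""Daily review of security-audit records.

Added example, not CWU's review tooling.  The record format, the thresholds
and the sample lines are constructed to stand in for one day's VMScluster
security audit journal.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of one day's audit journal, one record per line.
SAMPLE_JOURNAL = """\
2004-08-16 08:01:12 VMS1 LOGFAIL user=SMITHJ source=10.1.5.23
2004-08-16 08:01:40 VMS1 LOGFAIL user=SMITHJ source=10.1.5.23
2004-08-16 08:02:05 VMS1 LOGFAIL user=SMITHJ source=10.1.5.23
2004-08-16 08:02:31 VMS1 LOGFAIL user=SMITHJ source=10.1.5.23
2004-08-16 08:02:58 VMS1 LOGFAIL user=SMITHJ source=10.1.5.23
2004-08-16 08:10:00 VMS2 LOGFAIL user=JONESR source=10.1.7.4
2004-08-16 08:15:22 VMS1 BREAKIN user=SYSTEM source=192.0.2.77
2004-08-16 09:30:00 VMS2 FILEFAIL user=JONESR file=SYS$SYSTEM:SYSUAF.DAT
2004-08-16 09:31:10 VMS2 FILEFAIL user=JONESR file=SYS$SYSTEM:RIGHTSLIST.DAT
2004-08-16 11:00:00 VMS1 UAFMOD user=OPERATOR target=NEWUSER
"""

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<node>\S+) "
    r"(?P<event>[A-Z]+) (?P<fields>.*)$")

FAIL_THRESHOLD = 5                    # failures per account ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window => disable


def parse_journal(text: str) -> list[dict]:
    """Turn journal lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "node": m["node"], "event": m["event"], **fields})
    return events


def review(events: list[dict]) -> list[tuple[str, str, str]]:
    """Findings as (action, account, reason), following the policy's responses."""
    findings = []
    failures = defaultdict(list)      # account -> timestamps of recent LOGFAILs
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "LOGFAIL":
            window = failures[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # slide the window
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and ev["user"] not in flagged:
                flagged.add(ev["user"])
                findings.append(("disable", ev["user"],
                                 f"{FAIL_THRESHOLD} login failures within "
                                 f"{int(FAIL_WINDOW.total_seconds() // 60)} minutes "
                                 f"from {ev['source']}"))
        elif ev["event"] == "BREAKIN":
            findings.append(("disable", ev["user"],
                             f"breakin detection from {ev['source']}"))
        elif ev["event"] == "FILEFAIL":
            findings.append(("investigate", ev["user"],
                             f"access failure on {ev['file']}"))
        elif ev["event"] == "UAFMOD":
            findings.append(("report", ev["user"],
                             f"authorization record modified: {ev['target']}"))
    return findings
```

A single failed login (JONESR at 08:10 in the sample) produces no finding; five failures against one account inside the window, or any breakin detection, produce a "disable until the owner is contacted" finding, matching the policy's graduated response.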

 

File access failures for an account may result in the disabling of the account and an investigation into the intent of the user browsing.  Excessive browsing after being warned may result in removal of the account from Central Washington University computers.

 

Malicious behavior will result in permanent disabling and removal of the account.  Charges may be filed after an investigation has been done.

 

User accounts will be deleted if one of the following criteria is met.

 

                        ‑ The account has been inactive for six months or more.

                        ‑ The account owner has terminated employment with Central Washington University.

                        ‑ The account owner requests deletion of the account.

                        ‑ The account has been expired for six months or more.

                        ‑ The account is not being used in accordance to Central Washington University policy.

 

Student accounts are purged if they are not enrolled for one quarter, excluding summer quarter. Accounts are deleted by Networks and Operations staff.

 

Accounts left logged in without supervision are considered a serious security breach.  Account owners are responsible for terminals and PCs left logged in under their account; those who leave them logged in unsupervised receive one warning letter.  A password‑protected screen saver is acceptable when leaving a machine unattended.

 

All user‑reported security breaches will be investigated by the Networks and Operations staff.

 

Faculty and staff who are not going to be using their computer account for over six months must provide a written request for Information Technology Services to hold the account.  The account will be disabled until the owner of the account requests in writing the enabling of their account.

 

All OpenVMS master file directories will have the default SYSTEM file protection READ,WRITE,EXECUTE.  Any changes to the SYSTEM file protection will result in the master file directory being owned by the SYSTEM account and access granted through ACL protections.

 

OpenVMS data sharing within departments will use the DIGITAL/Compaq file protection scheme for files and directories within groups.  Data sharing outside of group access will be done with the use of ACLs.  UNIX data sharing within departments will use the DIGITAL file protection scheme for files and directories within groups.  System non‑executable files that need world access receive only read and/or execute access.  Protections for system files are checked frequently.  Non‑system‑owned files are the responsibility of the owners of the files.  ACLs and file protections are checked for world access on a weekly basis to help users keep data integrity.  Non‑production data is protected by file protections and access control lists assigned to directories and/or files.  Classroom accounts are deleted and created again the next quarter to clean up any changes users have made during the quarter.  Default protection on the VMScluster gives SYSTEM and OWNER full access but denies any access to GROUP and WORLD.  A user has to specifically change file protections to allow other accounts access. 

 

Data sharing on file servers is done by Organizational Units.  Accounts outside an OU that need access will be granted rights by the creation of a group object that has access to the file. 

 

Systems and Operations personnel will delete files for the applications group only.  All other file deletions are done by the users themselves.

 

The installation, upgrades and modifications of systems software is done by the Networks and Operations personnel.  The SCT products are installed by the applications personnel via a captive account that reinstalls the software in batch mode. 

 

Unauthorized browsing into areas not owned by the account will set off audit alarms.  Users who browse areas may have the account disabled until an investigation can be done.  Obvious attempts at malicious behavior will result in the permanent disabling of the account.

 

Default file protections for OpenVMS are SYSTEM:RWED, OWNER:RWED, GROUP and WORLD no access.  The default 'umask' file protection for UNIX accounts is 077 (owner: read/write, group: none, world: none).  The default file protection for users is owner only, unless there is a default departmental directory.  Users can modify these according to their specific needs.
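The umask arithmetic behind the UNIX default above, and the weekly sweep for world access mentioned earlier in this section, are shown in the following added example.  It is not CWU's own check: it builds a throw‑away directory tree with constructed file names so that it runs offline, and the "slip" that opens one file to the world is staged deliberately.

```python
"""Effect of the default umask and a sweep for world-accessible files.

Added example, not CWU's own check.  Builds a temporary directory tree
(constructed names) so that it runs offline on any POSIX system.
"""
import os
import stat
import tempfile


def effective_mode(umask: int, is_dir: bool = False) -> int:
    """Mode a new file (base 666) or directory (base 777) receives under umask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def rwx(mode: int) -> str:
    """Render the nine permission bits as e.g. 'rw-------' (owner, group, world)."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def world_accessible(root: str) -> list:
    """(relative path, rwx) for every file or directory under root that grants
    any world permission.  Symlinks are skipped: their mode is meaningless."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & 0o007:                       # any of r, w, x for "other"
                hits.append((os.path.relpath(path, root), rwx(stat.S_IMODE(mode))))
    return sorted(hits)


def demo() -> list:
    """Create files under umask 077, open two of them up, then sweep."""
    root = tempfile.mkdtemp(prefix="protchk-")
    old = os.umask(0o077)                          # the policy default
    try:
        for name in ("notes.txt", "grades.dat"):
            fd = os.open(os.path.join(root, name), os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)                           # lands as 600 because of umask
        os.mkdir(os.path.join(root, "shared"))     # lands as 700
        os.chmod(os.path.join(root, "shared"), 0o755)      # deliberately opened
        os.chmod(os.path.join(root, "notes.txt"), 0o644)   # user's chmod slip
    finally:
        os.umask(old)
    return world_accessible(root)                  # grades.dat must not appear
```

Only the two entries that were explicitly opened up appear in the sweep; the file left at the umask default (600) does not, which is the behaviour the weekly check relies on.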

 

Reports generated by users that are not picked up within three working days will be recycled.  Reports printed without a flag page will be recycled.  Information Technology Services will not be responsible for reports printed at the Computer Center by users who do not pick them up, including all sensitive reports.

 

File restorations will be done for the owner of the account or the co‑signer of the account only.  Requests for restorations to Networks and Operations staff can be done by electronic mail or in person with valid identification.  Restores will be done during normal business hours. 

 

Dial‑in access is available for all users who have a modem and an account.  RADIUS, authenticating against LDAP, is used for both the student and the staff modem banks.

 

PPP dial-in access is available to all faculty/staff and students.  There is one set of dial-ins for faculty/staff and one set of dial-ins for students.  Authentication is done by RADIUS against the user's NetWare account.

 

Dial‑out access on the OpenVMS VMScluster for the Information Technology Services applications group is given by the OUTBNDxx services.  All users must have a SCAN number for outbound service use.

 

Poor man's routing within the VMScluster is disabled.  Most resources needed are available from all nodes or are accessible via LAT services.

 

The LAN monitoring device and software known as the SNIFFER is used to monitor and audit ethernet traffic packets.  The capturing and examination of packets will be done occasionally as a diagnostic tool for ethernet problems.

 

IV-T.  Information Integrity.

 

Each department is the data guardian for its own data.  Information Technology Services provides security for all databases, networks, etc. via login information, access control and strict guidelines on who can access what type of data.  See section IV part S for details.

 

IV-U.  Misuse.

 

All users must adhere to the Acceptable and Ethical Use of Central Washington University Computing Equipment Policy.  Users who do not adhere to this policy are disciplined according to the policy.

 

IV-V.  Penetration.

 

Protection against attacks by unauthorized persons or systems that could result in denial of service is provided by router software programmed to perform basic packet filtering and firewalling.  Networks and Operations regularly reviews and updates the router configurations; currently Networks and Operations staff use HP OpenView to monitor the network and watch for attacks as well as other problems.  The open nature of the University makes it somewhat difficult to adhere to aggressive security measures; however, we follow CERT recommendations at a minimum.

 

IV-W.  Wireless

 

Potential wireless clients fall into the following security categories which are not mutually exclusive:

 

- devices which support static WEP

 

802.11 requires support for 40-bit WEP as a minimum, and many vendors such as Cisco support 128-bit WEP. Administration of static WEP keys is a nightmare when dealing with more than a handful of devices, and they are much more susceptible to hacking than are dynamic keys. Their use should be avoided where possible.

 

- devices/OSes which support dynamic WEP

 

Variants of EAP can be used to negotiate dynamic WEP keys which rotate on a regular basis, making hacking much more difficult. These include LEAP, EAP-TLS, and PEAP. LEAP is currently Cisco proprietary and is available when using Cisco access points and NICs. It utilizes username/password authentication. EAP-TLS is a cross-platform certificate-based authentication system. Administration of such certificates can be problematic. PEAP is a Microsoft superset of EAP-TLS that additionally supports username/password authentication on the client side. These methods all involve the use of a RADIUS server for negotiation of the WEP key. Typically EAP is available only on devices running full-featured operating systems. Its availability on handhelds is extremely limited.

 

- OSes which support IPSec

 

In contrast to Layer 2 WEP, IPSec is a Layer 3 protocol used to establish a VPN with 168-bit encryption. It provides a high degree of security alone or in conjunction with WEP. Authentication is via username/password or certificates. IPSec clients are available for a large number of platforms, including PDAs.

 

CWU Wireless Networking Plan

 

As wireless networking technology has evolved rapidly in recent years and prices have plummeted, its popularity has risen. There is great interest across campus in making this technology widely available. ITS recognizes the value of wireless networking but believes the technology is still immature, suffering from deficiencies in bandwidth, security and interoperability with the wired infrastructure. For this reason wireless in the immediate future will hold a subordinate position to the wired network, functioning as a complement to it, not as a replacement for it. In order to meet the needs and desires of the CWU community yet address the concerns of ITS networking staff, wireless infrastructure on campus will be the sole responsibility of ITS and will be implemented in accordance with an established plan.

 

Security Model

 

Wireless networking is inherently insecure due to its transport medium. Unlike the wired network where physical access to a data jack is required, an unauthorized wireless host can easily join an unprotected WLAN from the privacy of the owner's vehicle or other location beyond the reaches of any physical security providing the first line of defense for the wired network. Whereas in the switched CWU network environment a particular data jack sees only broadcasts and packets destined for its Ethernet address, a WLAN host can see and capture all traffic. Thus there are two levels of security concerns – the ability to connect to the WLAN, and once connected, the ability to eavesdrop on network traffic. The CWU WLAN infrastructure will address both of these issues by enforcing authentication and encryption.

 

Authentication & Association

 

SSID

 

A client adapter associates with an access point based on a common Service Set ID (SSID). Access points can be configured to broadcast their SSID in beacon packets, in which case the client does not need to know the SSID of the access point to associate. This feature will be disabled on CWU access points with the result that the client must have its SSID configured. Since the SSID will be well-known, this provides little security, but it does provide a first line of defense against outsiders who are attempting to map the WLAN. It also prevents accidental association.

 

MAC Authentication

 

In the wired environment a host must be registered before it can access the CWU network. If the host is unknown the switch automatically places it on an isolated VLAN where it can do minimal harm. Only when a host is registered and associated with a responsible party can it communicate on the greater network. Likewise WLAN hosts must be registered before they can connect to the network. The registration interface will remain the one currently in place for the wired network. Additional items will be added to the Category drop-down list in support of WLAN host categories (more on this below). At least initially, users will be required to enter MAC addresses of their WLAN hosts manually from a wired browser. In the future a facility may be added to permit them to register from a restricted WLAN.

 

Each access point will be configured to require MAC authentication. With this setting in place the access point will look up the MAC address of a host attempting to authenticate. If it does not find the address the attempt will be rejected and the host will not be able to communicate on the WLAN. Host registrations will be maintained in the NetDB tables just as they are for wired hosts. Access points will be configured to query redundant freeRADIUS servers running on network support computers for MAC authentication. The RADIUS daemon has an Oracle interface which permits it to look up the address in the database and return the results to the access point. MAC authentication attempts will be logged by the RADIUS servers and a process can be configured to send alerts for failed attempts. MAC authentication will form the second line of defense against unauthorized access to the WLAN.

 

User Authentication

 

The best method to ensure that only authorized hosts can access the WLAN is to require username/password authentication. Port-based authentication is addressed in the IEEE 802.1x standard. The implementation of this standard that will be utilized by CWU is EAP-TTLS/PAP. This method operates in a manner similar to SSL-enabled web communications. A certificate is required for the authentication server but not for the supplicant (the client component). Traffic is encrypted and login credentials pass within the encrypted tunnel. These credentials are then verified via LDAP against eDirectory by the RADIUS server. At present EAP-TTLS is the only widely available EAP method that permits authentication against eDirectory, as the other methods require access to the clear-text or NT-hashed password for verification. Closely related to EAP-TTLS, PEAP had the potential to provide this functionality as well, but Microsoft took a proprietary approach with its implementation of the protocol and required it to use MS-CHAPv2 authentication in the tunnel.

 

Since the PEAP implementation integrated into Windows will not meet our needs, a third-party supplicant will be required. Experiments with the Meetinghouse AEGIS client, the Funk Odyssey client and the Alfa & Ariss SecureW2 client on the Windows platform have all been successful. The AEGIS client is full-featured and integrates well with the workstation login process (including the NetWare client), as does the Odyssey client, permitting single signon to the workstation, but they are commercially licensed products. The SecureW2 supplicant is more basic and functions as an add-on to the wireless networking component of Windows. It is free.

 

There are also supplicants available for other platforms. The Open Source Open1x supplicant runs on Linux and Unix variants, including OS X. Both Meetinghouse and Alfa & Ariss sell supplicants for the PocketPC, and Meetinghouse supports Linux as well.

 

Whichever supplicant is selected for support, an effort will be made to package it in an easy to install form where all the options are preset and the user only has to run the installer.

 

Encryption

 

The 802.11 standard requires products to support 40-bit Wired-Equivalent Privacy (WEP) encryption with static keys, operating at the datalink layer. Most vendors support 128-bit WEP. Unfortunately 40-bit WEP provides only minimal security and even static 128-bit WEP keys can be broken fairly easily with tools available on the Internet. For these reasons extensions to WEP have been devised by Cisco including dynamic key rotation, message integrity check (MIC) and the temporal key integrity protocol (TKIP). Features such as these are being incorporated into the future 802.11i wireless security standard and into products supporting the interim Wi-Fi Protected Access (WPA) specification. While awaiting a truly secure wireless architecture based on these new specifications many organizations are opting for IPSec encryption at the network layer as an alternative or complement to WEP.

 

CWU will initially encrypt the data stream via rotating dynamic WEP keys. A unicast key is negotiated during the EAP authentication phase and then is renegotiated periodically based on the authentication timeout on the access point. Access points will also be configured to rotate broadcast keys. Users will have the option to further secure traffic at layer 3 by establishing an IPSec tunnel to CWU's VPN concentrator. Static WEP will not be supported, as it is insecure and unmanageable.
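The two paragraphs above say that static WEP is easily broken and that rotating keys help; the following added example shows one concrete reason.  WEP builds its per-packet RC4 key from a 24-bit IV sent in the clear plus the shared key, so under a static key any two frames that happen to reuse an IV (expected after only a few thousand frames, across every client on the WLAN) are encrypted with the same keystream, and a known plaintext in one frame exposes the other.  This is not CWU's code: the RC4/WEP routine is a toy that omits the CRC-32 integrity value, and the key, IVs and frames are constructed.

```python
"""Why a static WEP key is weak: keystream reuse on IV collision.

Added example, not CWU's code.  Toy RC4/WEP encryption without the CRC-32
integrity value; the shared key, the IVs and the frames are constructed.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by keystream generation, as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, frame: bytes) -> bytes:
    """Per-packet key is IV || shared key; the 3-byte IV is sent in the clear."""
    assert len(iv) == 3
    return iv + xor(frame, rc4_keystream(iv + shared_key, len(frame)))


def recover_on_iv_reuse(packet1: bytes, known_frame1: bytes, packet2: bytes) -> bytes:
    """Two packets with the same IV under the same static key share a keystream,
    so c1 XOR c2 == p1 XOR p2; with p1 known, p2 falls out without the key."""
    iv1, c1 = packet1[:3], packet1[3:]
    iv2, c2 = packet2[:3], packet2[3:]
    if iv1 != iv2:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    return xor(xor(c1, c2), known_frame1)


def expected_frames_to_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random IVs before one repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo() -> bytes:
    """Static 40-bit key, one IV used twice: the second frame is recovered."""
    key40 = bytes.fromhex("0f1e2d3c4b")                     # constructed static key
    iv = bytes.fromhex("a1b2c3")                            # constructed IV, reused
    frame1 = b"GET /index.html HTTP/1.0\r\nHost: www.cwu.edu\r\n"   # guessable plaintext
    frame2 = b"user=smithj&password=Wildcat1&login=1"       # constructed form post
    packet1 = wep_encrypt(key40, iv, frame1)
    packet2 = wep_encrypt(key40, iv, frame2)
    return recover_on_iv_reuse(packet1, frame1, packet2)    # == frame2
```

With per-session keys negotiated through EAP and rotated on the access point's timeout, a collision only ever reuses keystream within one short-lived key, which is why the plan above treats dynamic WEP as acceptable and static WEP as not; and it is also why the rule elsewhere in this section that confidential data must travel over HTTPS or the VPN applies on the WLAN regardless of WEP.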

 

As enhanced security features become available, they will be tested and implemented by ITS Networks.

 

Integration into the Dynamic Network Environment

 

The CWU network is divided into sectors, each containing a standardized set of  VLANs. Though the network segments assigned to these VLANs vary from sector to sector, the VLAN name and number remain the same. This consistency ensures mobility for dynamic hosts. See http://netdb.cts.cwu.edu/dynanet-info.html for details. This existing model will support the addition of VLANs for the wireless network. The VLANs wlan1, wlan2 and wlan3 will be defined for each sector, and network segments will be assigned to them. Initially these VLANs will be globally trunked with their routing handled at the core. This approach is necessary in order to support roaming of devices without loss of IP connectivity. In the future it is likely that a solution to the mobility problem such as proxy mobile IP will be implemented. In that case traffic will be segregated by defining the segments for the WLAN VLANs at each sector router and making the VLANs local to each sector.

 

Each sector has a native management VLAN where switches reside. For security reasons, the management interfaces of access points will not reside on this VLAN. A new wlan-mgmt VLAN dedicated to this purpose will be created for each sector and access points will be homed there. This VLAN will be configured as the native VLAN for the connecting switch port. For security reasons wlan-mgmt will not be mapped to an SSID. This configuration inhibits a host from gaining Layer 2 connectivity to an access point via malicious configuration of its SSID. The access points support 802.1q VLAN trunking on their LAN interface. Only the wlan-mgmt and wlan[1-3] VLANs will be trunked.

 

VLAN assignment

Access-lists for wlan2 and wlan3 will be written to implement the security restrictions appropriate for the corresponding SSID. No access list will be required for wlan1. An 802.1q trunk will be configured between the switch port and the access point and these VLANs will be trunked to it.

 

Implementation

 

Implementation of the wireless network will be a cooperative effort among various groups within ITS and in some cases with Facilities. Prioritization of buildings is being completed by the University Information Technology Advisory Committee (UITAC).

 

Coverage

 

The ultimate goal is to extend wireless coverage to as much of the campus as is technically and financially feasible, including exterior spaces. ITS is seeking the advice of the UITAC for determining priorities for the implementation.

Approval has been granted to concentrate initially on the Library and the grassy area to the east of Science and Dean. High-gain external antennae mounted on Science and L&L should provide extensive outdoor coverage. The Library will be more difficult due to the building’s construction, and a detailed site survey will be required.

 

While the SUB is not currently a high priority building, there are already two access points installed there. These devices will be reconfigured in the initial phases of the project in order to ensure consistency across the wireless implementation.

 

Hardware

 

Cisco 1220 access points with b/g radios will be used exclusively. These devices also have a spare slot where an additional radio (or a different technology when it becomes available) can be installed should the need arise for greater bandwidth in specific cases such as Geology or Computer Science. High-gain external antennae for the b/g radios will be utilized where appropriate to provide wider coverage.

 

The 1220 access points use POE. We will be installing POE capable switches in comm rooms which service the access points. POE will save us the expense of running power to the devices and will permit us to cold start them remotely.

 

Since access points are typically installed in locations which are difficult to access, it is desirable to have serial port connectivity to the devices should network connectivity be lost and unrecoverable via a cold restart. Such access has the potential to save many hours in staff time by eliminating the necessity for site visits except in the case of hardware failure. An additional network cable will be run to each access point and terminated on a terminal server in the comm room.

 

 

RADIUS support for wireless

 

A RADIUS server is required for 802.1x to function on the WLAN and can also be used to facilitate MAC address authentication. Information Technology Services Networks & Operations staff have installed the Open Source freeRADIUS code and completed initial configuration. 

 

MAC authentication via RADIUS is accomplished by setting all default unicast filters in the SSID setups on the access point to disallow and then configuring it to query the RADIUS server if it doesn't find an address in its local filter table. Entries in the users file on the server must list the MAC address with no colons or dashes as both the username and password. Oracle support is included so it should be possible to query the database to retrieve MAC addresses.
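The paragraph above fixes the shape of a MAC authentication entry (the address with separators stripped, used as both username and password) and notes that failed attempts are logged for alerting.  The following added example renders such entries from registration rows, makes the accept/reject decision the server would make, and counts rejected MACs in a log excerpt.  It is not CWU's NetDB export or RADIUS configuration: the rows and log lines are constructed, and the users-file syntax shown ("Auth-Type := Local, User-Password ==") is the freeRADIUS 1.x form, an assumption about the server version in use.

```python
"""MAC authentication entries for the RADIUS server and the server-side check.

Added example, not CWU's NetDB export or RADIUS configuration.  The
registration rows and the log excerpt are constructed; the users-file syntax
is the freeRADIUS 1.x form and is an assumption about the server version.
"""
from __future__ import annotations

import re
from collections import Counter


def normalize_mac(mac: str) -> str | None:
    """Strip separators and lower-case; None unless exactly 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return digits if len(digits) == 12 else None


def users_file(registrations) -> str:
    """Render (mac, owner) rows as users-file entries: the MAC, with no colons
    or dashes, is both the username and the password."""
    out = []
    for mac, owner in registrations:
        norm = normalize_mac(mac)
        if norm is None:
            continue                 # malformed row: omit rather than grant access
        out.append(f"# registered to {owner}")
        out.append(f'{norm}\tAuth-Type := Local, User-Password == "{norm}"')
    return "\n".join(out) + "\n"


def authorize(access_request: dict, registered: set) -> str:
    """Decision for an Access-Request from an access point: User-Name and
    User-Password must both be the same registered address."""
    name = normalize_mac(access_request.get("User-Name", ""))
    password = normalize_mac(access_request.get("User-Password", ""))
    if name and name == password and name in registered:
        return "Access-Accept"
    return "Access-Reject"


# Constructed excerpt approximating freeRADIUS 1.x radius.log lines.
SAMPLE_LOG = """\
Mon Aug 16 08:01:12 2004 : Auth: Login OK: [000cf15698ad/000cf15698ad] (from client ap-library-1 port 0)
Mon Aug 16 08:02:30 2004 : Auth: Login incorrect: [00a0c9112233/00a0c9112233] (from client ap-library-1 port 0)
Mon Aug 16 08:02:41 2004 : Auth: Login incorrect: [00a0c9112233/00a0c9112233] (from client ap-library-1 port 0)
Mon Aug 16 08:02:55 2004 : Auth: Login incorrect: [00a0c9112233/00a0c9112233] (from client ap-library-2 port 0)
Mon Aug 16 08:09:03 2004 : Auth: Login incorrect: [0800208a4c11/0800208a4c11] (from client ap-sub-1 port 0)
"""

LOGIN_INCORRECT = re.compile(r"Auth: Login incorrect: \[(?P<user>[^/\]]+)/")


def failed_macs(log_text: str, threshold: int = 3) -> dict:
    """Addresses rejected at least `threshold` times: candidates for an alert."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_INCORRECT.search(line)
        if m:
            counts[m["user"].lower()] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}
```

Because the access point falls back to RADIUS only for addresses missing from its local filter table, the default-deny unicast filter plus an export that omits malformed rows means an unregistered or mistyped address is rejected rather than silently admitted.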

 

Although it appears we will be unable to proxy LEAP authentication requests to our existing user database, if we choose to utilize WEP, LEAP is still useful for enabling dynamic keys. We can distribute a username/password pair that is validated locally and rely on MAC authentication. Such an approach to layer 2 security would provide a more secure alternative to static WEP keys and nearly eliminate the administrative overhead. In such an environment it would still be advisable to enforce layer 3 encryption for access to critical resources.

 

 

IV-X.  WWW and Web Browser/Web Server Configuration and use

 

ITS recommends that where possible departments take advantage of secure WWW solutions which rely on centralized resources such as www.cwu.edu which are actively maintained and enhanced by ITS.  Most university WWW needs are accommodated by this robust data-center based service. ITS staff will help departments migrate their applications if they so wish.  ITS will identify contact personnel for all known departmental web servers and work with these persons to:

 

Maintain a list describing the software and operating environment of each server.  Alert departments when security problems are discovered which may affect them.  Advise contact personnel of operational criteria to maintain such web servers with internet visibility and attention to security.  Work with those operating departmental web servers to migrate their servers to a special network segment designed for web serving only.

 

The official CWU web server is managed by Networks and Operations.  Several departments have not migrated their applications to the official server and continue to run on an unsecured PC and/or MAC.  To prevent hacking into the main CWU networking environment, all identified non-supported servers are on a virtual LAN (VLAN) that is masked off from the rest of the CWU environment. 

 

CWU supports the two latest versions of  Internet Explorer and Netscape for browsing the web. 

 

Users are able to download anything from the Internet.  Files received must be run through a dynamic virus checker on the user's personal workstation.

 

Sustained Internet connections via an ISP from a machine connected to CWU are prohibited. 

 

Confidential information transmitted over the network must be done via VPN or using HTTPS.   Users of the CWU Wildcat Connection authenticate using a secure connection which transmits encrypted login information.  Anonymous use of the CWU Wildcat Connection is prohibited.

 

CWU has a public marketing website for use by anonymous users.

 

CWU has two internal intranet sites for use by authenticated users only.  Authentication is done by LDAP against eDirectory using a secure server.

 

The Web server is not to serve as a repository for confidential information.

 

IV-Y.  Secure Connection Methods.

 

Use of ssh/scp/sftp is required for access to administrative systems.  Enforcement is done by the internal firewall. 

 

IV-Z.  Secure E-Mail.

 

Web Email access is by secure server (https) and users must authenticate to their email account.  Users within cwu.edu use the email client.

 

IV-AA.  Secure Data Storage.

 

Data stored on the file servers or on the OpenVMS and Unix systems is not encrypted. 

 

 

 


V.  NETWORK AND TELECOMMUNICATIONS SECURITY GUIDELINES

 

 

V-A.  Network and telecommunications management

 

Information Technology Services provides a standard for all PC/MAC and printers that are introduced into the network.  Users who require specialized equipment must have DIS approval before the purchase.  All new PC/MACs can be registered on the Central Washington University network by using the online host registration system.  See below for specific information on how to register a machine on the Central Washington University network. 

 


Host Registration Help

You must register a device before it will function on the Central Washington University network. When an unregistered device connects to a jack the network electronics assign that port to a special network segment that has connectivity only to the registration server. After a device is registered and it is restarted, its port will be reassigned to a routed segment.

 Log in

You must log in before you can register a machine. Login with the credentials you use to log in to the network each morning. Be sure to use your distinguished name, which includes your context. Assume, e.g., that your username is SmithJ and you work in Facilities. If you click on the Advanced button on the Novell Login screen on your computer, you will see FMD.Admin.CWU in the Context field. You will need to append this context to smithj to log in to the registration system: smithj.fmd.admin.cwu (case insignificant). Enter this string in the Username field and your NDS password in the Password field.

Your session will expire after 15 minutes of inactivity and you will need to log in again.

Register

If this is a new registration, the system should automatically determine your Ethernet address and operating system. If it is necessary to enter your Ethernet address by hand, you can find it by running winipcfg on Win9x systems, running ipconfig /all on WinNT and Win2k systems, or by accessing the AppleTalk or TCP/IP control panel on Macintosh systems.

Select the building where your system will ultimately be located and its category. This is the category of the system, not your own status. E.g., if the machine is destined for lab use, select Lab/Student from the drop-down list even though you may be a faculty or staff member. Enter your system's Central Washington University asset tag number (the one on the system unit, not the monitor). If you are registering a private system leave this field blank.

If you choose the wrong building, chances are your system will not function, and if you enter no tag number, the registration system will assume the machine is privately owned.

You are responsible for any systems registered in your name!

Edit

This option permits you to edit or delete records of machines you have registered. You will need to edit a record if you have replaced your Ethernet card. Use the Next and Previous buttons to cycle through the hosts registered to you. Use the Update button to save changes you make.

Log out

Please log out or exit your browser when you are finished.

 


 

Dial-in lines are provided for all Central Washington University users.  All users must adhere to the Acceptable and Ethical Use of Information Technology Policy when using the dial-in lines.  Users of the Resnet services must follow the Resnet Acceptable Use Policy, see appendix.

 

Access to remote infrastructure networking equipment is done via modem.  Remote management of servers run by Telecommunications is done with pcAnywhere on various servers.  RCONSOLE is used for remote NetWare servers.

V-B.  Inventory Control

 

Inventory control is done by the Property Management Department.  On a yearly basis a person assigned by the Administrative Assistant will physically verify all equipment on Information Technology Services list. 

 

Networks & Operations staff maintain software that imports PCs into eDirectory for inventory control and remote management.

 

Networks and Operations staff keep up‑to‑date diagrams of the IP network and the Central Washington University network. 

 

Only authorized workstations have access to the Central Washington University networks.  See section A regarding Host Registration.  Central Washington University has a dynamic environment: any machine that is registered on the Central Washington University network can use any jack in any dynamic building.  See below for more information regarding the dynamic environment:

 


How it Works: Overview

The Ethernet address of every computer is stored in a database along with the network segment (VLAN) to which it is assigned. Whenever the computer is powered up the Ethernet switch to which it is connected learns the computer's address and sends a query to a server to determine what VLAN to assign the computer's port. Based on information in the database the server responds and the switch dynamically configures the port to be on the appropriate VLAN.

 

If the computer's Ethernet address is not in the database the switch assigns it to a restricted segment with access to only enough resources to complete the registration process. The host registration system automatically determines the computer's Ethernet address and operating system and inserts a record into the database once the user authenticates. Every 15 minutes a job runs which updates configuration files based on information in the database.

 

The computer sends a Dynamic Host Configuration Protocol (DHCP) request in order to acquire its IP address, which is necessary for it to communicate with other hosts on the Central Washington University network and the Internet. The router interface for the VLAN forwards the request to a DHCP server which responds with an address dynamically assigned from a pool appropriate for the VLAN where the computer resides. The DHCP server also updates the Domain Name System (DNS) with a user-friendly hostname associated with the IP address.

 

Computers enjoy mobility among buildings because they are assigned to the same VLAN regardless of the building where they reside, and the VLANs are available in all dynamic buildings.

 

For details on the system see the appendix.
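To make the mechanism concrete, the following Python models the lookup and address assignment described above. It is an added illustration, not the page's or CWU's own code: the host database, VLAN numbers (999 for the restricted registration segment), /24 address pools and hostname convention are all constructed. One caveat worth keeping in view when relying on this design: the Ethernet (MAC) address identifies a network card, not a person, and can be changed in software on most operating systems, so it is the authenticated registration step, not the address itself, that ties a host to an accountable owner.

```python
"""Model of MAC-based dynamic VLAN assignment with per-VLAN DHCP pools.

Added illustration. The database contents, VLAN IDs, address pools and
hostname convention are constructed; they are not CWU's real values.
"""
import ipaddress
import re

REGISTRATION_VLAN = 999  # assumed ID of the restricted "registration only" segment

# Constructed stand-in for the host registration database: MAC -> record.
HOST_DB = {
    "00:0c:29:3a:1f:02": {"vlan": 110, "owner": "jdoe", "os": "Windows XP"},
    "00:11:22:33:44:55": {"vlan": 220, "owner": "lab-bohr", "os": "Linux"},
}

# Constructed per-VLAN DHCP pools; the registration VLAN has its own pool.
POOL_NETWORKS = {
    110: ipaddress.ip_network("10.1.10.0/24"),
    220: ipaddress.ip_network("10.1.20.0/24"),
    REGISTRATION_VLAN: ipaddress.ip_network("10.9.99.0/24"),
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise the spellings switches and users produce (00-0C-29-3A-1F-02,
    000c.293a.1f02, 00:0c:29:3a:1f:02) to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not an Ethernet address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_for(raw_mac, db=HOST_DB):
    """The answer the switch's query server gives: the registered VLAN, or the
    restricted registration VLAN for an address that is not in the database."""
    rec = db.get(normalize_mac(raw_mac))
    return REGISTRATION_VLAN if rec is None else rec["vlan"]


def register_host(raw_mac, vlan, owner, os_name, db=HOST_DB):
    """Insert the record the registration form creates after the user has
    authenticated. The owner, not the MAC, is who is held accountable."""
    if vlan == REGISTRATION_VLAN or vlan not in POOL_NETWORKS:
        raise ValueError(f"VLAN {vlan} is not an assignable segment")
    db[normalize_mac(raw_mac)] = {"vlan": vlan, "owner": owner, "os": os_name}


class DhcpPool:
    """Leases addresses from one VLAN's pool; .1 is reserved for the router."""

    def __init__(self, network):
        self.network = network
        self.leases = {}                          # mac -> address
        self._free = list(network.hosts())[1:]    # skip the router address

    def lease(self, mac):
        if mac in self.leases:                    # renewals keep their address
            return self.leases[mac]
        if not self._free:
            raise RuntimeError(f"DHCP pool {self.network} exhausted")
        self.leases[mac] = self._free.pop(0)
        return self.leases[mac]


POOLS = {vlan: DhcpPool(net) for vlan, net in POOL_NETWORKS.items()}


def power_up(raw_mac, db=HOST_DB):
    """Simulate plugging a host in: the switch learns the MAC and queries the
    server, the port is placed on that VLAN, the relayed DHCP request is served
    from that VLAN's pool, and a hostname is registered in DNS for the lease."""
    mac = normalize_mac(raw_mac)
    vlan = vlan_for(mac, db)
    ip = POOLS[vlan].lease(mac)
    owner = db.get(mac, {}).get("owner", "unregistered")
    hostname = f"{owner}-{mac.replace(':', '')[-6:]}.dyn.example"  # constructed naming
    return {
        "mac": mac,
        "vlan": vlan,
        "ip": str(ip),
        "hostname": hostname,
        "quarantined": vlan == REGISTRATION_VLAN,
    }


if __name__ == "__main__":
    print(power_up("00-0C-29-3A-1F-02"))     # registered host lands on VLAN 110
    new = power_up("02:00:00:00:00:01")       # unknown host is quarantined
    print(new)
    register_host(new["mac"], 220, "kpatel", "Mac OS X")
    print(power_up(new["mac"]))               # after registration: VLAN 220
```

The quarantine pool exists precisely so that an unknown host can reach the registration form and nothing else; in a real deployment the router ACLs on that VLAN, not the address assignment, are what enforce that limit.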

 


 

V-C.  Secure location of communications equipment

 

Each building has one or more communications rooms for all networking and telecommunication equipment.  “COMM” keys are issued only to authorized personnel; at Central Washington University these are certain Networks and Operations staff and Telecommunications staff.  Building master keys are kept in a lock box that contains a log of who checks keys out and in. 

 

The Computer Center is a secured area, see appendix for security in this building.

 

V-D.  Prevention of tampering

 

Network and telecommunications lines are installed according to the Standards and Design Guides and the technical specifications listed on the following web page:  http://www.cwu.edu/~its/its_specs.htm  See appendix for further details regarding specifications.

 

V-E.  Terminal, remote job entry (RJE) and network node access security

 

See section IV part S for detailed information on what Information Technology Services does to provide system and network security.  All network nodes are physically secured in the Computer Center or in the case of the extended university centers, in a locked communications room.

 

V-F.  Controls to prevent the introduction of unauthorized programs into computer systems

 

System file integrity is checked by multipass comparison of all operating system files and components on the system disk with the originals installed during operating system installations and upgrades.  Any unexplained difference is investigated by Networks and Operations staff.  Network security is provided by several methods.  All machines connected to the Central Washington University network are required to run virus protection software with regular updates.  The routers and switches have built-in mechanisms for blocking access to various ports, etc., all of which are utilized and frequently checked.
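The comparison described above reduces to a baseline-and-compare check; the Python below is an added illustration, not the tool CWU uses. It hashes every regular file under a root, records size and permission bits beside the hash, and reports files added, removed or changed since the baseline. The directory tree and the tampering it detects are constructed inside a temporary directory so the example runs stand-alone. The check is only as trustworthy as the baseline: keep the originals and the comparison tool on read-only or offline media (install media, a write-protected copy), because an intruder who can rewrite system files can just as easily rewrite a baseline stored beside them.

```python
"""Baseline-and-compare file integrity check.

Added illustration, not CWU's tool. The "system disk" below is a constructed
temporary directory; the tampering applied to it is constructed as well.
"""
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk=64 * 1024):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record content hash, size and permission bits for every regular file,
    keyed by path relative to root so a baseline taken from install media can
    be compared against the live system disk."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and devices: out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def compare(baseline, current):
    """Three passes: files that appeared, files that vanished, and files whose
    hash, size or permissions differ from the recorded originals."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Baseline a constructed system disk, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sbin/login", b"original login binary\n")
        passwd = _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        _write(root, "etc/issue", b"CWU VMScluster\n")
        baseline = build_baseline(root)

        # Constructed tampering: a replaced binary of identical size (so a size
        # check alone would miss it), a dropped file, loosened permissions with
        # identical bytes (so a hash alone would miss it), and a deleted file.
        _write(root, "sbin/login", b"trojaned login binary\n")
        _write(root, "sbin/backdoor", b"new setuid shell\n")
        os.chmod(passwd, 0o666)
        os.remove(os.path.join(root, "etc", "issue"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Hash, size and mode are compared together because each catches something the others miss: the replaced binary in the demo has the same size as the original, and the permission change leaves the bytes untouched.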

 

V-G.  Network Security Breach Detection

 

NDS security is audited by third-party software called Netvision.  This software logs all intruder detection events, NDS group modifications, password changes and other anomalies.  Review of the logs is done on an as-needed basis.  Logs are rolled over daily and backed up.

 

The routers and switches have built-in mechanisms for blocking access to various ports, etc., all of which are utilized and frequently checked by Networks and Operations staff.  OpenView is used to monitor all networking equipment, and its alarm logs are reviewed in real time.

 

Access to all intrusion detection tools and log files is restricted to Information Technology Services Networks & Operations staff.  Approval to view any log or to use these tools is granted by the Director of Information Technology Services Networks & Operations.
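As an added example (not Netvision's code or log format, and not CWU's), the following Python runs three detection rules over constructed audit events of the kinds the Netvision paragraph lists: repeated failed logins for one account (the intruder detection case, including a success that follows a burst), membership added to a privileged group, and a password changed by someone other than the account owner. The line format, account and group names, helpdesk allow-list and thresholds are assumptions made for the example.

```python
"""Detection rules over authentication and directory audit events.

Added illustration. The line format, names, allow-list and thresholds are
constructed for the example; they are not Netvision's format or CWU's data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$"
)

PRIVILEGED_GROUPS = {"Admin", "ITS-NetOps"}   # assumed group names that warrant an alert
HELPDESK = {"helpdesk1"}                      # assumed accounts allowed to reset others' passwords
FAIL_THRESHOLD = 5                            # failures for one account ...
FAIL_WINDOW = timedelta(minutes=10)           # ... inside this sliding window

# Constructed sample log: one brute-force burst that eventually succeeds, a slow
# trickle that should not alert, a privileged group change, and password resets.
SAMPLE_LOG = [
    "2004-08-12 07:59:40 LOGIN_OK user=asmith src=10.1.20.7",
    "2004-08-12 08:00:01 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:05 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:09 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:14 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:18 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:22 LOGIN_FAIL user=jdoe src=10.1.10.44",
    "2004-08-12 08:00:30 LOGIN_OK user=jdoe src=10.1.10.44",
    "2004-08-12 08:15:00 LOGIN_FAIL user=asmith src=10.1.20.7",
    "garbage line that the collector passed through",
    "2004-08-12 09:02:00 LOGIN_FAIL user=asmith src=10.1.20.7",
    "2004-08-12 09:30:12 GROUP_ADD group=Students member=bob by=carol",
    "2004-08-12 09:31:40 GROUP_ADD group=Admin member=bob by=carol",
    "2004-08-12 10:05:00 PASSWORD_CHANGE user=dlee by=dlee",
    "2004-08-12 10:06:10 PASSWORD_CHANGE user=evan by=helpdesk1",
    "2004-08-12 10:07:55 PASSWORD_CHANGE user=dlee by=mallory",
]


def parse(line):
    """Parse one line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
          "event": m.group("event")}
    for pair in m.group("kv").split():
        key, value = pair.split("=", 1)
        ev[key] = value
    return ev


def detect(lines):
    """Run the three rules over log lines in order; return (rule, subject, actor) alerts."""
    alerts = []
    recent_fails = defaultdict(deque)  # account -> failure timestamps still inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                   # malformed line; a production job would count these
        kind = ev["event"]
        if kind in ("LOGIN_FAIL", "LOGIN_OK"):
            user, src = ev.get("user", "?"), ev.get("src", "?")
            q = recent_fails[user]
            while q and ev["ts"] - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if kind == "LOGIN_FAIL":
                q.append(ev["ts"])
                if len(q) == FAIL_THRESHOLD:             # fire once per burst, not per extra failure
                    alerts.append(("BRUTE_FORCE", user, src))
            elif len(q) >= FAIL_THRESHOLD:               # success right after a burst: likely guessed
                alerts.append(("BRUTE_FORCE_SUCCESS", user, src))
                q.clear()
        elif kind == "GROUP_ADD" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("PRIV_GROUP_CHANGE", ev.get("member", "?"), ev.get("by", "?")))
        elif kind == "PASSWORD_CHANGE":
            user, by = ev.get("user", "?"), ev.get("by", "?")
            if by != user and by not in HELPDESK:
                alerts.append(("THIRD_PARTY_PASSWORD_RESET", user, by))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The success-after-burst rule is the one most worth having: a lockout or a burst of failures tells you someone is guessing, but a success that follows the burst tells you the guess worked, and that account needs to be disabled rather than merely watched.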

 

V-H.  Network Security Breach Response

 

Networks and Operations staff respond immediately to any detected breach.  Depending on the breach, the response may include shutting down and/or restoring the affected network machines, disabling accounts, and legal action against the offender. 

 

V-I.  Use of Virtual Private Networks

 

The VPN 3000 concentrator offers a hierarchical security environment which meets our current needs. A base group sets default parameters for subordinate groups and users, and a default address pool can be defined for users who are not assigned an address by other means.  Subordinate to the base group are admin-defined IPSec groups. Users are typically assigned to these groups, and the group name/password is used in the first phase of IPSec (IKE) authentication. An address pool and a local LAN routing policy can also be assigned to a group. The authentication type is set at the group level, e.g. internal to the concentrator or external RADIUS. An individual user can be assigned a fixed address, or can receive one from the pool assigned to the group (if any) or from the default pool (if any). If no permitted method of address assignment succeeds, the connection is terminated.

 

Configuring users' machines for split tunneling or dual homing is not permitted at any time.

 

All access to administrative systems holding sensitive data requires direct dial-in or VPN access. 

V-J.  CWU Backbone Networks – Resnet and Admin – Conceptual View


V-K.  Dynamic Network Sector (Conceptual View)

 

 


 

 

VI.  Access Security Guidelines

 

VI-A.  Identification and authentication

 

Section IV part S, System and Network security provides detailed information on identification and authentication.

 

VI-B.  Authentication Risk Level Determination Charts

 

The following evaluations cover only those applications that are available over the Internet.

Evaluation of the Student Management Form (Password Change Utility)

Impact Quantification Guidelines (0-5):  0 – No Impact   1 – Minimal Impact   3 – Some Impact   5 – High Impact
Each row scores the potential impact of the issue on the Fiscal, Operational and Customer areas; Total Score by Issue is the sum of the three.

Question/Issue                                                              Fiscal  Operational  Customer  Total
--------------------------------------------------------------------------  ------  -----------  --------  -----
Unauthorized viewing of the data by outside intruders                            0            0         5      5
Unauthorized viewing of the data by legitimate users                             0            0         5      5
Use of the information assets for other than authorized purposes                 3            0         5      8
Unauthorized deletion, modification, or disclosure of information                0            5         3      8
Operational impact if the service becomes unavailable (denial of service)        0            1         1      2
Cost impact if the service becomes unavailable (denial of service)               0            1         1      2
Public confidence impact if services or data are compromised                     0            1         1      2
Importance of non-repudiation (user cannot deny initiating a transaction)        0            0         3      3
--------------------------------------------------------------------------  ------  -----------  --------  -----
Overall Score                                                                                                  35

 

SMS is used by the student population as a tool to change their passwords.  Authentication is done via a combination of Student ID number or Social Security Number plus the student's Personal Identification Number (PIN).  Students are instructed to keep their PIN private.  SSL is used to protect the data in transit.  Risks exist in the use of the SSN as an identifier: its compromise could lead to identity theft or to unauthorized use of the student's email or network file space.

Evaluation of the WIN system.

Impact Quantification Guidelines (0-5):  0 – No Impact   1 – Minimal Impact   3 – Some Impact   5 – High Impact
Each row scores the potential impact of the issue on the Fiscal, Operational and Customer areas; Total Score by Issue is the sum of the three.

Question/Issue                                                              Fiscal  Operational  Customer  Total
--------------------------------------------------------------------------  ------  -----------  --------  -----
Unauthorized viewing of the data by outside intruders                            0            0         3      3
Unauthorized viewing of the data by legitimate users                             0            0         3      3
Use of the information assets for other than authorized purposes                 0            0         3      3
Unauthorized deletion, modification, or disclosure of information                5            3         5     13
Operational impact if the service becomes unavailable (denial of service)        3            3         3      9
Cost impact if the service becomes unavailable (denial of service)               1            1         0      2
Public confidence impact if services or data are compromised                     1            1         0      2
Importance of non-repudiation (user cannot deny initiating a transaction)        0            0         1      1
--------------------------------------------------------------------------  ------  -----------  --------  -----
Overall Score                                                                                                  36

 

WIN is used by students, faculty and staff.  Students’ private information such as grades and financial aid information is accessible through the application.  No social security numbers or financial transactions are processed or available.  Risks are limited to access to the above information.  Authentication is done via student ID number and Personal Identification Number (PIN).

Evaluation of Groupwise Web Interface.

Impact Quantification Guidelines (0-5):  0 – No Impact   1 – Minimal Impact   3 – Some Impact   5 – High Impact
Each row scores the potential impact of the issue on the Fiscal, Operational and Customer areas; Total Score by Issue is the sum of the three.

Question/Issue                                                              Fiscal  Operational  Customer  Total
--------------------------------------------------------------------------  ------  -----------  --------  -----
Unauthorized viewing of the data by outside intruders                            0            0         1      1
Unauthorized viewing of the data by legitimate users                             0            0         1      1
Use of the information assets for other than authorized purposes                 0            1         1      2
Unauthorized deletion, modification, or disclosure of information                0            1         1      2
Operational impact if the service becomes unavailable (denial of service)        0            1         1      2

What is the potential cost impact if the services provided by the system become unavailable (denial of service attacks)?

0