Communication Technologies (ComTech), working in conjunction with Security and Compliance (S&C), has developed a plan that allows campus local IT support staff to easily and quickly move traditional building networks to a protected network infrastructure, NCSU-PN.
Adopting this policy and supporting the move to protected networks would be a large step toward mitigating attacks on campus. It is also in line with a larger University goal to secure the wired and wireless networks.
This architecture allows us to enforce a simple, yet effective, security policy on customer equipment to help protect these devices from off-campus threats without restricting our customers’ access to the resources they need. It has been designed to protect as many devices as possible with a single general security policy. Because of the comprehensive nature of this network, no specialized security exceptions will be added to this instance.
This one-time change can be accomplished with little overhead to the campus IT support staff. Each department’s traffic will be reviewed to ensure that any particular security and access needs are understood. If a system is moved to the protected network and any required access is restricted, we will work with the customer to move that particular equipment to a network which will allow the needed connectivity.
Benefits of the NCSU-PN include:
- Equipment moved to a Protected Network is no longer subject to attacks or scans from malicious entities on the Internet.
- This solution will also allow us to secure departmental systems with a simple modification to the network that requires little work on the part of local IT staff and no action on the part of the customer.
As we move towards applying a more consistent security model for our campus networks, departmental equipment should be secured from the Internet. These could include:
- Desktop PCs
- Laboratory equipment
- Any other device with a wired connection to the network.
Some systems are NOT candidates for moving to the Protected Network:
- Equipment needing to be accessed by an external vendor or other outside entity without NCSU VPN access.
- Departmental Servers accessed from the Internet (web servers, etc.)
- Polycom devices
- Specialized devices that already have their own secured Networks (PCI, SCADA, COPY/PRINT, etc.)
Off-campus Access to the NCSU-PN
Currently, certain types of remote access to equipment from off-campus require the use of the VPN (Virtual Private Network) client provided by ComTech. Once the network has been transitioned, the VPN client must be used for all remote access. If access is required by non-NCSU-affiliated individuals, the device will need to be transitioned out of the Protected Network and into an Unprotected Network.
Protected Network Project Phases
Every network on campus has its individual needs and security concerns. We will take into consideration several factors before transitioning the network over to NCSU-PN architecture and will respond to requests in the following order:
- Initial Customer transitions to the protected network. This phase will focus on Customer networks that fit a very narrowly defined case and are considered the less complex networks.
- Customers needing additional IP address space. This phase will focus on Customers who have run out of address space and are requesting more along with the move to NCSU-PN.
- Customer networks that are in routed buildings.
- Customers in networks considered more complex, including those networks shared by more than one department or academic entity.
How to Transition a VLAN to the Protected Network
- Filling out the Protected Network Request form is the first step to moving a VLAN to the Protected Network.
- A Customer Liaison will initiate a request for Security and Compliance to complete a network scan on the customer’s VLAN.
- The Customer Liaison will meet with the customer within five business days to review eligibility.
- If the customer is eligible, the Customer Liaison will work with the NOC Manager to assign a Network Analyst to manage the transition and schedule the move.
Note: During the scheduled maintenance window for this move, there will be a brief interruption of all network services of approximately 10 minutes. Once the network is moved to the new environment, we will work with local IT support to ensure all needed access is available.
- Five business days after the transition is complete, an After Action Review meeting is held with the Customer, Customer Liaison, and NOC Manager or NOC Analyst.
How to Report a Problem
Your local IT support is your first point of contact if there is an issue with your system connectivity. In the event that some access has been removed from a particular system, we will work quickly with the local IT support to resolve the issue.
Note: Most traffic originates from the Client PC to an external host. Traffic originating from off-campus to our client PCs is not the typical flow of traffic. Although we will work with the local IT support to determine the departmental applications used, some applications or devices may still not work after the move; in that case we will work with the local IT support to resolve the issue.
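The traffic-direction rule in the note above (outbound from a client PC and its replies are the normal case, unsolicited inbound from off-campus is not) is the same rule that decides which devices are candidates for the Protected Network and why remote users must come in over the VPN. The following is an added example, not ComTech's or S&C's code, that models that rule as a small stateful policy and replays a device's expected traffic through it, the way a pre-move review of departmental traffic would. The address ranges (10.0.0.0/8 for campus, 10.250.0.0/16 for VPN clients), the sample flows and the assumption that the protected network tracks connections opened from inside are all constructed for the illustration; the page does not specify the actual rules or ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set, Tuple

# Constructed address plan for the illustration; the real NCSU ranges are not on the page.
CAMPUS = ip_network("10.0.0.0/8")       # everything on campus, including VPN clients
VPN_POOL = ip_network("10.250.0.0/16")  # assumed VPN client pool, carved out of CAMPUS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True: a new connection attempt; False: a packet inside an existing one


class ProtectedNetwork:
    """Stateful edge policy (assumed behaviour): on-campus hosts may open connections
    anywhere and receive the replies; off-campus hosts may not open connections inward."""

    def __init__(self) -> None:
        # (client, server, server_port) for every connection opened from inside
        self.established: Set[Tuple[str, str, int]] = set()

    def decide(self, f: Flow) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet."""
        src = ip_address(f.src)
        if src in CAMPUS:
            # Typical flow: the client PC talks to an external (or campus) host.
            if f.syn:
                self.established.add((f.src, f.dst, f.dport))
            where = "VPN client" if src in VPN_POOL else "campus host"
            return "allow", f"connection from {where}"

        if f.syn:
            # Unsolicited inbound connection, e.g. an Internet scan: blocked by default.
            return "deny", "unsolicited inbound from off-campus"

        # Non-SYN packet from outside: allowed only as a reply to a connection we opened.
        if (f.dst, f.src, f.sport) in self.established:
            return "allow", "reply to a connection opened from inside"
        return "deny", "off-campus packet with no matching connection"


def review_traffic(flows: Iterable[Flow]) -> List[Flow]:
    """Replay a device's expected traffic through a fresh policy and return the flows
    that would be denied. A non-empty result means the device needs access the protected
    network does not provide (a vendor without VPN, a public server, ...) and therefore
    belongs on an unprotected network instead."""
    pn = ProtectedNetwork()
    return [f for f in flows if pn.decide(f)[0] == "deny"]


# Constructed sample traffic for two devices.
DESKTOP_FLOWS = [
    Flow("10.1.2.3", "93.184.216.34", 51000, 443, True),   # user browses an external site
    Flow("93.184.216.34", "10.1.2.3", 443, 51000, False),  # the site replies
    Flow("198.51.100.7", "10.1.2.3", 40000, 22, True),     # Internet SSH scan, should be blocked
    Flow("10.250.3.4", "10.1.2.3", 50000, 3389, True),     # remote desktop over the campus VPN
]

WEB_SERVER_FLOWS = [
    Flow("203.0.113.9", "10.7.7.7", 43000, 80, True),      # public visitor to a departmental website
    Flow("203.0.113.9", "10.7.7.7", 43001, 443, True),
]

if __name__ == "__main__":
    for name, flows in (("desktop", DESKTOP_FLOWS), ("web server", WEB_SERVER_FLOWS)):
        denied = review_traffic(flows)
        print(f"{name}: {len(denied)} of {len(flows)} flows denied")
        for f in denied:
            print(f"  denied {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Running it shows the desktop losing only the inbound scan, which is the intended outcome, while the departmental web server loses every flow it exists to serve, which is exactly the "Departmental Servers accessed from the Internet" exclusion from the candidate list.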