Communication Technologies (ComTech), working in conjunction with Security and Compliance (S&C), has developed a plan that allows campus local IT support staff to easily and quickly move traditional building networks to a protected network infrastructure — NCSU-PN.
- Adopting this policy and supporting the move to protected networks would be a large step toward mitigating attacks on campus.
- It is also in line with a larger university goal to secure the wired and wireless networks.
- This architecture allows us to enforce a simple yet effective security policy on customers’ devices to help protect them from off-campus threats without restricting access to needed resources.
- It has been designed to protect as many devices as possible with a general security policy.
- Because of the comprehensive nature of this network, no specialized security exceptions will be added to this instance.
- This one-time change can be accomplished with little overhead to the campus IT support staff.
- Each department’s traffic will be reviewed to ensure that any specific security and access needs are understood.
- If a system is moved to NCSU-PN and any required access is restricted, we will work with the customer to move that affected equipment to a network that will allow the needed connectivity.
Benefits of NCSU-PN
- Devices moved to NCSU-PN are no longer subject to attacks or scans from malicious entities on the internet.
- Departmental systems can be secured with a simple network modification that requires little work by local IT staff and no action by the customer.
As we move towards applying a more consistent security model for our campus networks, departmental devices should be secured from the internet. These could include:
- Desktop PCs
- Laboratory equipment
- Other devices with a wired connection to the network.
Devices that cannot be moved to NCSU-PN
- Devices needing to be accessed by an external vendor or other outside entity that lacks NC State VPN access.
- Departmental servers accessed from the internet; e.g., web servers.
- Polycom devices
- Specialized devices that already have their own secured networks; e.g., PCI, SCADA, COPY/PRINT.
Off-campus access to NCSU-PN
- Currently, certain types of remote access to equipment from off-campus require the use of the VPN (Virtual Private Network) client provided by ComTech.
- Once the network has been transitioned to NCSU-PN, all remote access will require the VPN client.
- If access to a device is required by non-NCSU affiliated individuals, then that device must be moved to an unprotected network.
NCSU-PN project phases
Every network on campus has its individual needs and security concerns. We will consider several factors before transitioning a network over to NCSU-PN architecture and will respond to requests in the following order:
- Customer networks fitting a very narrowly defined case and considered to be less complex
- Customers who request both additional IP address space and a move to NCSU-PN
- Customer networks that are in routed buildings
- Customer networks that are more complex, including those shared by more than one academic entity
Steps in transitioning a VLAN to the NCSU-PN
- A customer fills out the Protected Network Request form.
- A ComTech customer liaison initiates a request for Security and Compliance to complete a network scan of the customer’s VLAN.
- Within five business days, the customer liaison meets with the customer to review eligibility.
- If the customer is eligible, the customer liaison works with the NOC manager to assign a network analyst to manage the transition and schedule the move.
- Note: During the scheduled maintenance window for this move, all network services will be interrupted for approximately 10 minutes. Once the network is moved to the new environment, ComTech works with local IT support to ensure that all needed access is available.
- Five business days after the transition is complete, the customer, the customer liaison, and the NOC manager or NOC analyst meet for an after-action review.
Reporting a problem
- If there is an issue with system connectivity, first contact local IT support.
- If access has been removed from a particular system, ComTech will work quickly with the local IT support to resolve the issue.
Most traffic originates from a client PC on campus to an external host; NCSU-PN does not restrict this outbound flow.
Traffic originating from off-campus to a client PC is not the typical flow of traffic, and it is this unsolicited inbound traffic that exposes devices to scans and attacks from the internet.
ComTech will work with local IT support to determine the departmental applications used, but some applications or devices may not work on NCSU-PN. In that case, ComTech will work with local IT support to resolve the issue, which may mean moving the affected equipment to a network that allows the needed connectivity.
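The traffic model described above (client-initiated outbound flows allowed, unsolicited inbound from off-campus not, remote access only through the VPN client as stated under "Off-campus access to NCSU-PN") can be made concrete with a small stateful-policy model. The following is an added example written for this page; it is not ComTech's configuration or code, and the address ranges, port numbers and sample flows are constructed placeholders.

```python
"""Illustrative model of a protected-network policy of the kind this page
describes. Added example, not ComTech's implementation: every address range
below is a constructed placeholder, not a real NC State range."""
from ipaddress import ip_address, ip_network

# Assumed placeholder ranges (private space), not real campus or VPN ranges.
PROTECTED_NET = ip_network("10.10.0.0/16")   # hypothetical NCSU-PN VLAN
VPN_POOL = ip_network("10.250.0.0/16")       # hypothetical VPN client address pool


class ProtectedNetworkPolicy:
    """Stateful policy: remember flows opened from inside, admit their replies,
    admit VPN clients, and drop everything else arriving from off-campus."""

    def __init__(self):
        # (src, sport, dst, dport) of flows opened by a host on the protected VLAN
        self.established = set()

    def evaluate(self, src, sport, dst, dport):
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Client PC -> external host: the typical flow, allowed and remembered
        if src_ip in PROTECTED_NET:
            self.established.add((src, sport, dst, dport))
            return "ALLOW"
        # Reply to a flow an inside host opened: allowed by connection tracking
        if (dst, dport, src, sport) in self.established:
            return "ALLOW"
        # Inbound from a VPN client to the protected VLAN: allowed
        if src_ip in VPN_POOL and dst_ip in PROTECTED_NET:
            return "ALLOW"
        # Unsolicited inbound from off-campus: the scan/attack case that
        # moving a device to the protected network removes
        return "DROP"


def run_sample():
    """Evaluate constructed sample flows in order; returns (description, decision) pairs."""
    policy = ProtectedNetworkPolicy()
    flows = [
        ("desktop opens HTTPS to an external site", "10.10.5.20", 51000, "203.0.113.10", 443),
        ("reply from that site to the desktop", "203.0.113.10", 443, "10.10.5.20", 51000),
        ("internet scanner probes the desktop", "198.51.100.7", 40000, "10.10.5.20", 3389),
        ("VPN user reaches the desktop", "10.250.3.4", 52000, "10.10.5.20", 3389),
        ("reply on a port the desktop never opened", "203.0.113.10", 443, "10.10.5.20", 51001),
    ]
    return [(desc, policy.evaluate(s, sp, d, dp)) for desc, s, sp, d, dp in flows]


if __name__ == "__main__":
    for desc, decision in run_sample():
        print(f"{decision:5}  {desc}")
```

The model shows why the page can say outbound access is not restricted while internet scans stop reaching devices: the decision depends on who opened the flow, not on the port. The last sample flow also shows that a reply is only admitted for a connection the inside host actually started.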