The University of San Francisco: Information Technology Services

Network Standards

Account Management

All departments managing servers and/or applications connected to the USF network must comply with the following standards for account management.

  1. Designate personnel with appropriate skills and experience to be responsible for account creation and account management.
  2. Establish and maintain an account management process that includes the following characteristics:
    2.1 Tracking of privileged accounts.
    2.2 Timely deletion of privileged accounts when an individual's affiliation with the University changes.
    2.3 Tracking of user accounts.
    2.4 Timely deletion of user accounts when user access to an application is no longer appropriate.
  3. Password Requirements
    3.1 Both system and application password utilities should restrict password choices to avoid security vulnerabilities associated with passwords that are easy to guess and/or can be found in a dictionary. The utility used should require that a password be at least six characters in length and contain at least one letter and one digit.
    3.2 Both system and application password utilities should require that passwords be changed regularly. The new password should be different from the current password.
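The password rules in section 3 (minimum length, at least one letter and one digit, no dictionary words, and a new password that differs from the current one) as an added Python example; this is illustrative code written for this page, not USF's own password utility. The word list is a constructed stand-in for a real dictionary file, and the salted PBKDF2 record is one assumed way to keep the "different from the current password" check without storing the current password in clear text.

```python
"""Password-quality check following the rules in section 3 above: at least
six characters, at least one letter and one digit, no dictionary words, and
a new password that differs from the current one.  Added illustration, not
USF's own utility; the word list and the stored-hash layout are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

MIN_LENGTH = 6  # the minimum stated in section 3.1; raise it per local policy

# Constructed stand-in for a dictionary file.  A real deployment would load a
# system word list (for example /usr/share/dict/words) into this set instead.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> Dict[str, object]:
    """Salted PBKDF2-SHA256 record so the current password is never stored
    in clear text but can still be compared against a candidate."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def matches_stored(password: str, stored: Dict[str, object]) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                stored["salt"], stored["rounds"])
    return hmac.compare_digest(probe, stored["digest"])


def policy_violations(candidate: str,
                      stored_current: Optional[Dict[str, object]] = None,
                      dictionary=DICTIONARY) -> List[str]:
    """Return every rule the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    # Dictionary rule: reject the word itself and the word with its digits and
    # symbols stripped, so "password1" does not pass on the letter+digit rule.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if candidate.lower() in dictionary or (core and core in dictionary):
        problems.append("dictionary word")
    # Change rule (section 3.2): compare against the stored hash, not clear text.
    if stored_current is not None and matches_stored(candidate, stored_current):
        problems.append("same as current password")
    return problems


if __name__ == "__main__":
    record = hash_password("k7Qx2pL", rounds=1_000)   # low rounds only for the demo
    for pw in ["abc12", "abcdef", "password1", "k7Qx2pL", "m3Zr8vT"]:
        print(f"{pw!r}: {policy_violations(pw, record) or 'accepted'}")
```

The stripped-core dictionary test is the part worth copying: a bare letter-and-digit rule accepts "password1", which is exactly the easy-to-guess choice section 3.1 is meant to exclude.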

Network Access

  1. Access to USF Intranet services and resources from the outside is limited to USF-authorized entry points and facilities.
  2. All entry points into the USF network must be authorized, including T1, DSL, ISDN, modems, and other types of connections.

Network Equipment

  1. Network equipment must be housed in USF-approved equipment rooms, spaces, or classrooms.
  2. An inventory of all network equipment must be maintained including configuration, IP address, physical location, and maintenance and warranty information.
  3. Only USF-authorized network equipment may be deployed on the USF network. Authorization requests must be submitted via e-mail to the Director of Client Computing & Network Services (CCNS).
  4. Hubs should only be placed on the USF network by ITS in cases where cabling is insufficient to support switches or for temporary use.
  5. Wireless access points not supported by ITS must meet the following requirements.
    5.1 Be authorized by ITS Communication & Network Services (send email to itshelp@usfca.edu).
    5.2 Be configured to require authentication for each user and device.
    5.3 Have DHCP disabled on the LAN interface.
    5.4 Be configured with the default password changed.

Network Management

  1. Access to equipment rooms must be limited to authorized personnel.
  2. Distribution of keys to equipment rooms must be documented and tracked.
  3. Accounts on switches, routers, and other network equipment must be limited to authorized personnel and distribution of these accounts must be documented and tracked. When staff members with accounts leave or change positions, their accounts must be deleted in a timely manner.
  4. Network management tools should provide support in the following areas.
    4.1 Maintaining an inventory of all network equipment.
    4.2 Configuring network equipment from a central management console.
    4.3 Uploading and downloading network equipment configurations from a central management console.
    4.4 Tracking software versions on network equipment.
    4.5 Tracking changes in network equipment configuration.
    4.6 Monitoring and logging network equipment behavior.
    4.7 Monitoring and logging all access to network equipment.
  5. Whenever possible, remote sessions with network equipment must be encrypted.
  6. Network security should include the following mechanisms.
    6.1 Firewall mechanisms for network access control, restriction of unencrypted data transmissions, content security (e.g., virus protection), and detecting and preventing denial of service attacks.
    6.2 Access control lists.
    6.3 Intrusion detection mechanisms for detecting unauthorized network activity.
    6.4 Network Address Translation (NAT).
  7. Network management should include the following network traffic and performance monitoring activities:
    7.1 Monitoring network configuration and connectivity.
    7.2 Monitoring network traffic.
    7.3 Monitoring network performance levels and diagnosing network performance problems.
  8. Firewall protection is required at the following points in the USF network.
    8.1 Campus network connection to the Internet.
    8.2 Interface between the administrative network and the residence hall network.
    8.3 Entry points to campus Intranet.
    8.4 Connections to department networks whose research and/or instructional network activities could potentially interfere with the proper functioning of the campus network.

Server Equipment

  1. Server equipment should be housed in a protective environment that includes an alarmed room, UPS, and environmental conditions, including temperature and humidity levels, that do not impede the continuous operation of the servers.
  2. Access to server rooms must be controlled using the One-Card system or by limiting and tracking the persons authorized to have keys.
  3. Server equipment must have auto-shutdown capabilities, if appropriate, and include an Uninterruptible Power Supply (UPS) with at least 15 minutes of battery backup.
  4. Servers must be located in an appropriate designated network zone. See Network Zones.
  5. Server hardware and software configurations should meet the following minimum standards:

Unix

  • Sun systems should meet the following minimum requirements:
    • Solaris 9 is recommended and supported in ITS.
    • UltraSPARC processor.
    • 1 GB memory.
    • 36-GB hot-swap hard disks.
  • Linux systems should meet the following minimum requirements:
    • The following versions of Linux are supported in ITS:
      • Mandrake Linux 9.0.
      • Red Hat Linux 8.0.
      • SuSE Linux 8.1.
    • The server hardware for a Linux-based server must meet the same minimum requirements as a Windows-based server.
  • Only utilities required for services supported on a server should be enabled. For example, web utilities should only be enabled on web servers.
  • Require secure login (SSH).
  • Inherently insecure applications such as Telnet, FTP, routed, RSH, and RCP should be disabled.
  • Server security must include a host-based IDS, data integrity validation (e.g., Tripwire), and TCP Wrappers.

Windows

  • Operating system must be Windows 2000 or higher.
  • The following list gives the hardware requirements and recommendations for Windows-based servers.
  • Windows 2000 Servers should meet the following Minimum Hardware Requirements:
    • Dual processor capable motherboard
    • *Single - Pentium III 1 GHz processor
    • *512 MB RAM ECC (Error Checking and Correction)
    • *SCSI Ultra-2 or Ultra-3 controller
    • Hardware RAID Level 5
    • Hot-swappable backplane
    • Hot-swappable hard drive bays
    • *72 GB capacity using hot-swappable SCSI hard drives
    • 10/100 Ethernet network adapter
    • CD-ROM, CD-R/W or DVD-ROM drive
    • 1.44 MB floppy drive
    • Standard video adapter (included in standard server package)
    • Redundant power supply
    • DLT tape backup
    • 3-year on-site warranty
    • You may purchase server hardware directly from the application vendor to ensure full application support from the vendor. If you have the option or if you prefer to purchase server hardware separately, ITS requires a 2 unit rack mount system similar to the Dell PowerEdge 2650 in order to host the server in the central server room.

      * Denotes minimum. Actual size depends on application requirements.
  • Only utilities required for services supported on a server should be enabled. Remove unnecessary or unused services such as IIS, MDAC (remote data services), NetBios, and anonymous logon (null sessions).
  • Security on the server should include TCP filtering and/or a server-based firewall, host-based IDS, data integrity validation (e.g., Tripwire), and virus scanning.
  • Maintain server in a secure network behind a firewall.
  • Watch for security hotfixes from Microsoft.

Macintosh

  • Operating system must be Mac OS 10.4 or higher.
  • Hardware should meet the following minimum requirements:
    • G4 Tower - 533 MHz processor
    • *256 MB RAM
    • *60 GB Ultra ATA Hard Drive
    • 10/100/1000 Ethernet Network Adapter
    • CD-ROM, CD-R/W, or DVD-ROM Drive
    • Standard Video Adapter
    • DLT or AIT Tape backup
    • 3-year AppleCare Warranty
    • Recommendation: Order systems direct from Apple.
    • Recommended System: Apple Xserve G5
      * Denotes minimum. Actual size depends on application requirements.
  • Only utilities required for services supported on a server should be enabled. Remove unnecessary or unused services such as NTP, SNMP, Sendmail if the server is not a mail server, and NFS if the server is not providing file sharing services.
  • Enable the firewall included with the operating system.
  • Security on the server should include host-based IDS, data integrity validation (e.g., Tripwire), and virus scanning.
  • Maintain server in a secure network behind a firewall.
  • Watch for security patches.

System Administration

All departments managing servers connected to the USF network must comply with the following standards for system administration. A staff member with the role of System Administrator may also have the role of Application Administrator. If this is the case, the System Administrator should also adhere to the Standards for Application Administration.

  1. Designate a system administrator responsible for management of the server hardware and operating system. This system administrator should be either an ITS system administrator or a departmental staff member with appropriate skills and training. Appropriate skills and training will be determined by the ITS Systems Manager, in consultation with UNAS and the school, college, or department. Departments that choose to have a departmental staff member serve as their system administrator should budget funds for the ongoing training of that staff member.
  2. Ensure that system administrator(s) read and sign a Confidentiality Agreement prior to receiving administrative access to servers and applications. The department must maintain a copy of the signed agreement in its file and submit the original to Human Resources.
  3. Designate qualified substitute(s) for handling system administration responsibilities when the primary system administrator is not available.
  4. Include a current member of UNAS with similar experience and responsibilities on the hiring team for system administration personnel.
  5. Ensure that the system administrator responsible for the management of a server complies with the following procedures.
    5.1 Ensures compliance with the Standards for Account Management.
    5.2 Performs regular backups and secures backup media according to the Standards for Server Backup, and documents backup and recovery procedures and schedules.
    5.3 Configures servers to conform to the Standards for System Monitoring and Logs.
    5.4 Documents the system configuration, including the network operating system, stores the documentation in a location separate from the system, and updates it to reflect configuration changes.
    5.5 Integrates security software such as virus scanning, intrusion detection software, and security scan diagnostics as recommended by the Campus Security Team.
    5.6 Coordinates with the Application Administrator to encrypt all sessions between a server and other systems in which sensitive information such as user IDs, passwords, social security numbers, or credit card numbers is transmitted.
    5.7 Applies security patches as recommended by the Campus Security Team.
    5.8 Avoids using system tools that are inherently insecure.
    5.9 Avoids system configurations that introduce security vulnerabilities.
    5.10 Contacts the Campus Security Team immediately if unauthorized access, a security threat, or a security attack is detected.
    5.11 Attends UNAS meetings on a regular basis.
    5.12 Responds to ITS requests or notices to UNAS members in a timely manner.

Server Backup

Backups must be performed on a regular basis on all servers. Backup procedures as well as recovery procedures must be documented. Procedures must include backup of both OS and data, provisions for off-site storage of backup tapes, and daily, weekly, and monthly backup components. Backup media must be clearly labeled.

The following is an acceptable backup standard.

  1. Perform a full backup of both OS and data drives once a month.
  2. Store monthly backup tapes in a separate location, off site if necessary. Monthly backup tapes must be held for a minimum of 3 months.
  3. Perform a full backup of data drives once a week.
  4. Maintain weekly backup tapes for at least one month.
  5. Perform daily incremental or differential backup of data drives.
  6. Maintain incremental or differential backup tapes for at least one week.
  7. Schedule backup processes that use the network during low usage time periods.

System Monitoring and Logs

System logs of servers connected to the USF network must be maintained for a period of one year. After one year, these logs must be purged.

  1. Required logs:
    1.1 Logins and logouts.
    1.2 Login failures.
    1.3 Access to administrative accounts.
  2. Recommended logs:
    2.1 Creation of accounts.
    2.2 Actions initiated from administrative accounts.
    2.3 Access to designated files and printers.
  3. System monitoring should include the following usage statistics:
    3.1 CPU.
    3.2 Memory.
    3.3 Disk space.
    3.4 Individual applications.
    3.5 Network traffic.

It is recommended that these usage statistics be monitored on a regular basis. It is also recommended that alert levels be set to notify the system administrator of unusual usage levels.
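The required log events in section 1 (logins, logouts, login failures, access to administrative accounts) and the alerting recommendation above, shown as an added Python example that is not part of the USF standard. It parses constructed syslog-style lines shaped like OpenSSH, PAM and sudo messages (no real host's logs), tags each event with the category the standard requires, and raises an alert when login failures from one source reach an assumed threshold; the standard itself sets no threshold, and the administrative account set is likewise an assumption.

```python
"""Classify server log lines into the event categories required by the USF
standard and flag unusual failure levels.  Added illustration only; the log
lines are constructed, and ADMIN_ACCOUNTS / FAILURE_ALERT_THRESHOLD are
assumed local settings, not values from the standard."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines imitating OpenSSH, PAM and sudo message shapes.
SAMPLE_LOG = """\
Mar  3 08:01:12 web1 sshd[2201]: Accepted publickey for alice from 10.1.2.3 port 51234 ssh2
Mar  3 08:02:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar  3 08:05:01 web1 sshd[2201]: pam_unix(sshd:session): session closed for user alice
Mar  3 08:10:15 web1 sshd[2288]: Failed password for invalid user admin from 192.0.2.5 port 4444 ssh2
Mar  3 08:10:17 web1 sshd[2289]: Failed password for invalid user admin from 192.0.2.5 port 4445 ssh2
Mar  3 08:10:19 web1 sshd[2290]: Failed password for root from 192.0.2.5 port 4446 ssh2
Mar  3 08:10:21 web1 sshd[2291]: Failed password for root from 192.0.2.5 port 4447 ssh2
Mar  3 08:10:23 web1 sshd[2292]: Failed password for root from 192.0.2.5 port 4448 ssh2
Mar  3 09:00:00 web1 su[2400]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar  3 09:30:00 web1 sshd[2501]: Accepted password for root from 10.1.2.9 port 50001 ssh2
"""

ADMIN_ACCOUNTS = {"root"}        # assumed: which accounts count as administrative
FAILURE_ALERT_THRESHOLD = 5      # assumed alert level; the standard sets none

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (category from the standard, pattern); the first match wins.
PATTERNS = [
    ("login", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("logout", re.compile(r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")),
    ("admin_access", re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("admin_access", re.compile(r"pam_unix\(su:session\): session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)")),
]


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn raw lines into event records; lines that match nothing are skipped."""
    events = []
    for raw in text.splitlines():
        head = LINE_RE.match(raw)
        if not head:
            continue
        msg = head.group("msg")
        for kind, pat in PATTERNS:
            m = pat.search(msg)
            if not m:
                continue
            ev = {"ts": head.group("ts"), "host": head.group("host"), "type": kind,
                  "user": None, "src": None, "target": None, "cmd": None}
            ev.update(m.groupdict())
            # "Access to administrative accounts": a successful login as an admin
            # account, or a privilege change (sudo/su) whose target is one.
            ev["admin"] = kind in ("login", "admin_access") and (
                ev["user"] in ADMIN_ACCOUNTS or ev["target"] in ADMIN_ACCOUNTS)
            events.append(ev)
            break
    return events


def summarize(events: List[Dict[str, object]],
              threshold: int = FAILURE_ALERT_THRESHOLD) -> Dict[str, object]:
    """Counts per category, failures per source, alerts, and admin-access events."""
    by_type = Counter(e["type"] for e in events)
    failures_by_src = Counter(e["src"] for e in events if e["type"] == "login_failure")
    alerts = [f"{n} login failures from {src}"
              for src, n in failures_by_src.items() if n >= threshold]
    return {
        "counts": dict(by_type),
        "failures_by_source": dict(failures_by_src),
        "alerts": alerts,
        "admin_events": [e for e in events if e["admin"]],
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(report["counts"])
    for a in report["alerts"]:
        print("ALERT:", a)
    for e in report["admin_events"]:
        print("admin access:", e["ts"], e["user"], "->", e["target"] or e["user"])
```

Note that a failed attempt against root is counted under login failures rather than admin access; the standard lists those as separate required logs, and keeping the categories distinct makes the one-year retained records easier to review.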

Application Administration

All departments that own an application hosted on a server must comply with the following Standards for Application Administration. A staff member with the role of Application Administrator may also have the role of System Administrator. If this is the case, the application administrator should also adhere to the Standards for System Administration.

  1. Designate an application administrator to be responsible for management and control of the application. This application administrator may be either an ITS staff member or a department staff member with appropriate skills and training. Appropriate skills and training for the application administrator can be determined by the application vendor or developer.
  2. Ensure budgeting of funds for the ongoing training of the application administrator.
  3. Ensure that application administrator(s) read and sign a Confidentiality Agreement prior to receiving administrative access to applications. The department must maintain a copy of the signed agreement in its file and submit the original to Human Resources.
  4. Designate qualified substitute(s) for handling application administration responsibilities when the primary administrator is not available.
  5. Ensure that the application administrator responsible for the management of an application complies with the following procedures.
    5.1 Ensures compliance with the Standards for Account Management.
    5.2 Coordinates with the system administrator on special backup procedures, such as for databases, which may differ from the normal system backup.
    5.3 Documents the application configuration, stores the documentation in a location separate from the system, and updates it to reflect configuration changes.
    5.4 If applicable, encrypts all sessions between an application and other systems in which sensitive information such as user IDs, passwords, social security numbers, or credit card numbers is transmitted.
    5.5 When applicable, applies security patches as recommended by the application vendor.
    5.6 Avoids using applications that are inherently insecure.
    5.7 Avoids application configurations that introduce security vulnerabilities.
    5.8 Acts as the primary contact for the Campus Security Team, contacting them immediately if unauthorized access, a security threat, or a security attack is detected.

Reporting and Responding to Security Violations

  1. Detected incidents of security violations must be reported immediately to the Campus Security Team by either calling the Help Desk at x6668 or sending email to abuse@usfca.edu.
  2. If appropriate, a member of the Campus Security Team will inform Public Safety of security violations.
  3. Public Safety is responsible for involving the appropriate campus and outside law enforcement agencies as necessary.
  4. Public Safety is responsible for coordinating the University's response to security violations with outside agencies.
  5. Compromised systems or systems interfering with the functioning of the network will be immediately disconnected and will remain disconnected until the system has been appropriately secured.
  6. The Campus Security Team will make every effort to contact the system administrator responsible for the compromised or interfering system to inform them that the system has been disconnected and to involve them in the process of analyzing and securing the system.
  7. The Campus Security Team is responsible for submitting a report describing the incident, action taken, and resolution to the CIO. The CIO is responsible for distributing the report to other members of the Leadership Team as appropriate.
  8. Disciplinary actions will be conducted through existing disciplinary procedures detailed in the Fogcutter Student Handbook, the Staff Handbook, and the faculty Collective Bargaining Agreement.
