VPN Security Standards by Tareq Hanaysha
VPN Security Standards
Assignment # 2
Concordia University College
VPN Security Standards developed based on Concordia's VPN security Policy.
Tareq Hanaysha Abid Jamal Siddiqi
Hitesh Chugh Arjun Yadav
3/20/2008
Is it a Policy, a Standard or a Guideline?
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.
A policy is a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
A standard is a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.
Standards Name: VPN Security Standards
Release Date: 20/03/08
1. AUTHORITY
The Concordia University College Chief Information Officer and Security Officer shall develop,
implement and maintain a coordinated plan for information technology (IT) including the
adoption of technical, coordination, and security standards for the university virtual private
network.
2. PURPOSE
To provide a secure, cost-effective and efficient virtual private network infrastructure that will
serve Concordia University College of Alberta. This network will provide us with wide-area
network services to better serve faculties, departments, the library, and the students using
common, proven, pervasive, and industry-wide standards.
3. SCOPE
This standard applies to Concordia University College Virtual Private Network clients and administrators, and to general personal computers connected to the Concordia University College of Alberta network that are not used in classroom activities. Computer labs that are used for classroom activities must follow the Network Infrastructure and Connectivity Security Standard. Computer facilities that are open to the public (i.e., non-CUCOA users) must follow the Public Network Facility Security Standard.
4. STANDARDS
Virus Protection and System Security: All devices connected to the University network are
required to use approved, current virus protection. All devices are also required to incorporate
available security updates and patches.
Simple Network Management Protocol (SNMP) & IPSec: If SNMP is required for a network device
to function on the University network the Read and Read/Write community strings must be set
to something other than the default setting of “Public”. In instances where SNMP is not needed
the service must be disabled.
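One way to check the community-string requirement above against a device configuration, shown as an added example that is not part of the original standard. It assumes a net-snmp style snmpd.conf; the sample configuration is constructed, and treating "private" as a default alongside "Public" is an assumption beyond the standard's text.

```python
# Community strings treated as defaults. The standard names "Public";
# "private" is the usual vendor default for read/write and is added here
# as an assumption.
DEFAULT_COMMUNITIES = {"public", "private"}

# net-snmp directives whose first argument is the community string.
DIRECT = {"rocommunity": "read", "rwcommunity": "read/write",
          "rocommunity6": "read", "rwcommunity6": "read/write"}

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONF = """\
# constructed sample
rocommunity public 10.0.0.0/8
rwcommunity Private 10.0.5.10
rocommunity6 k7Qz-mon-ro ::1
com2sec -Cn ctx1 notConfigUser default PUBLIC
com2sec mgmtUser 10.0.5.0/24 w3Lr-mgmt
# rocommunity public
"""


def audit_snmpd_conf(text):
    """Return (line_no, access, community) for every default community string."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        community = access = None
        if directive in DIRECT and len(tokens) >= 2:
            community, access = tokens[1], DIRECT[directive]
        elif directive in ("com2sec", "com2sec6"):
            args = tokens[1:]
            if args[:1] == ["-Cn"]:               # optional context name
                args = args[2:]
            if len(args) >= 3:                    # secname, source, community
                community, access = args[2], "com2sec"
        # Compare case-insensitively so "Public" and "PUBLIC" are caught too.
        if community and community.strip("\"'").lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, access, community))
    return findings


if __name__ == "__main__":
    for line_no, access, community in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: default {access} community '{community}'")
```

An empty result only shows that no default string is configured; whether SNMP should be running on the device at all still has to be decided separately, as the standard requires.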
New Printer installations: When a new printer is added to the University network, to the
greatest extent possible all unnecessary network services (for example, web and FTP services)
will be disabled. Those services that are required to administer the device must be password
protected.
Default web services: When a new network device is added to the University network special
attention must be paid to the software installation to protect against the existence of a default
web page. Default web pages can allow for unauthorized persons to exploit the University
network. In instances where no default web services are needed, these services must be turned
off.
Protection from Unauthorized Access to Network Devices: When a new network device is added
to the University network, the device must be protected. Usernames and passwords must be
protected from unauthorized access based on the principle that each user is responsible for all
activity that occurs in his/her account.
Physical Security of Network Devices: Any device attached to the University network must have
adequate physical security in place to prevent unauthorized access to the device. The physical
location of servers and other devices providing critical university services will be determined by
the Chief Information Officer.
Use of non-university devices on the university network: Any device that is not owned by
Concordia University College of Alberta must comply with the standards set by the IT Division
before the device is attached to the university network.
Violations of these standards may be evident during routine network security scans performed
by the IT Division. If violations are discovered, IT staff may disable the network connection
immediately, if necessary to protect the security of the network. The Division of Information
Technology recommends consultation with IT staff prior to the purchase of any device not
already approved by the Division. To request assistance related to these standards, please send
a request to the IT Help Desk. IT consultants will work with you to find a solution that can then
be forwarded to the Chief Information Officer for approval if a standards exception is required.