VPN Security Standards by Tareq Hanaysha

VPN Security Standards
Assignment # 2
Concordia University College VPN Security Standards developed based on Concordia's VPN security Policy.
2008
Tareq Hanaysha, Abid Jamal Siddiqi, Hitesh Chugh, Arjun Yadav
3/20/2008

Upload: tareq-hanaysha

Post on 25-Dec-2014




Is it a Policy, a Standard or a Guideline?

What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in this consensus process can communicate effectively, we'll use the following definitions.

A policy is a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

Standards Name: VPN Security Standards

Release Date: 20/03/08

1. AUTHORITY

The Concordia University College Chief Information Officer and Security Officer shall develop, implement and maintain a coordinated plan for information technology (IT), including the adoption of technical, coordination, and security standards for the university virtual private network.

2. PURPOSE

To provide a secure, cost-effective and efficient virtual private network infrastructure that will serve Concordia University College of Alberta. This network will provide wide-area network services to better serve faculties, departments, the library, and the students using common, proven, pervasive, and industry-wide standards.


3. SCOPE

This standard applies to Concordia University College Virtual Private Network clients and administrators, and to general personal computers connected to the Concordia University College of Alberta network that are not used in classroom activities. Computer labs that are used for classroom activities must follow the network infrastructure and connectivity Security Standard. Computer facilities that are open to the public (i.e., non-CUCOA users) must follow the Public network Facility Security Standard.

4. STANDARDS

Virus Protection and System Security: All devices connected to the University network are required to use approved, current virus protection. All devices are also required to incorporate available security updates and patches.

Simple Network Management Protocol (SNMP) & IPSec: If SNMP is required for a network device to function on the University network, the Read and Read/Write community strings must be set to something other than the default setting of “Public”. In instances where SNMP is not needed, the service must be disabled.
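One way to check a device configuration against the SNMP requirement above, as an added example that is not part of the original standard: a small Python audit of a net-snmp style `snmpd.conf`. The file format, the constructed sample configuration, the function names, and treating `private` as a second factory default are assumptions; the standard itself names only “Public”.

```python
# Factory-default community strings, compared case-insensitively.
# "public" comes from the standard; "private" is the common read/write
# default and is included here as an assumption.
DEFAULT_COMMUNITIES = {"public", "private"}
DIRECT = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONF = """\
# constructed sample
syslocation Library wiring closet
rocommunity Public 10.0.0.0/8
rwcommunity private 127.0.0.1
com2sec -Cn ctx1 readonly default public
rocommunity 7hK2-monitoring 10.20.0.5
"""

def community_of(tokens):
    """Return the community string set by one directive, or None."""
    directive, args = tokens[0].lower(), tokens[1:]
    if directive in DIRECT:            # rocommunity COMMUNITY [SOURCE ...]
        return args[0] if args else None
    if directive == "com2sec":         # com2sec [-Cn CTX] NAME SOURCE COMMUNITY
        if args[:1] == ["-Cn"]:
            args = args[2:]
        return args[2] if len(args) >= 3 else None
    return None

def audit_snmpd_conf(text, snmp_required=True):
    """Return (line_number, message) findings; line 0 means whole file."""
    findings, configured = [], False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        community = community_of(tokens)
        if community is None:
            continue
        configured = True
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(
                (lineno, f"{tokens[0]}: default community string '{community}'"))
    if configured and not snmp_required:
        findings.append((0, "SNMP is configured but not required: disable the service"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```
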

New Printer installations: When a new printer is added to the University network, to the greatest extent possible all unnecessary network services (for example, web and FTP services) will be disabled. Those services that are required to administer the device must be password protected.

Default web services: When a new network device is added to the University network, special attention must be paid to the software installation to protect against the existence of a default web page. Default web pages can allow unauthorized persons to exploit the University network. In instances where no default web services are needed, these services must be turned off.

Protection from Unauthorized Access to Network Devices: When a new network device is added to the University network, the device must be protected. Usernames and passwords must be protected from unauthorized access based on the principle that each user is responsible for all activity that occurs in his/her account.

Physical Security of Network Devices: Any device attached to the University network must have adequate physical security in place to prevent unauthorized access to the device. The physical location of servers and other devices providing critical university services will be determined by the Chief Information Officer.

Use of non-university devices on the university network: Any device that is not owned by Concordia University College of Alberta must comply with the standards set by the IT Division before the device is attached to the university network.


Violations of these standards may be evident during routine network security scans performed by the IT Division. If violations are discovered, IT staff may disable the network connection immediately if necessary to protect the security of the network. The Division of Information Technology recommends consultation with IT staff prior to the purchase of any device not already approved by the Division. To request assistance related to these standards, please send a request to the IT Help Desk. IT consultants will work with you to find a solution that can then be forwarded to the Chief Information Officer for approval if a standards exception is required.