Privately Managed Network Standard

1 PURPOSE 

The University System of New Hampshire (USNH) must provide a secure network for our educational, research, instructional and administrative needs and services. Protection of the University System’s networks is critical to ensuring the confidentiality, integrity, and availability of institutional information and to the ongoing support of all component institution operations. The following Standard is designed to inform members of the USNH community who have a business need for a privately managed network space about the security controls required to protect USNH networks from accidental or intentional damage, and from alteration or theft of information, while preserving appropriate access and use by the USNH community.

The purpose of this Standard is to define the minimal acceptable configuration for connecting privately managed networks to any USNH network. An unsecured network creates conditions that increase the risk of denial-of-service attacks, malware infections (viruses, Trojans, etc.) and other attacks aimed at compromising the integrity of the network and any devices connected to it. Damages from these types of attacks could include the loss of sensitive and restricted data, interruption of network services, and damage to critical internal systems, resulting in loss of reputation/brand damage, loss of productivity, and significant financial cost. Therefore, individuals who connect network hardware to a USNH network must follow specific standards and take specific actions.

The minimum acceptable configuration is designed to:

• Minimize exposure to the University System, its component institutions, and our community from the potential damages (including financial, reputational, loss of work, and loss of data) resulting from servers and network hardware that are not configured or maintained properly.

• Ensure that devices on USNH networks are not taking actions that could adversely affect network performance.


2 SCOPE 

The mandated procedures and practices outlined here apply to all UNH community members who support network switch and routing technologies.


3 STANDARD 

As outlined in each institution’s Acceptable Use Policy/Computer and Network Use Policy, the use of network equipment and software is prohibited unless specifically authorized by the Network System Administrator.

Enterprise Technology & Services (ET&S), as the Network System Administrator of each institution’s network, is responsible for providing reliable network services at each of the USNH Institutions. As such, individuals or departments shall not run any service which disrupts or interferes with centrally provided services.

These services include, but are not limited to:

• Privately managed networks

• DNS (Domain Name System)

• DHCP (Dynamic Host Configuration Protocol)

• Domain Registration

3.1 PRIVATELY MANAGED NETWORK REQUIREMENTS

In some circumstances, an exception can be granted per the process outlined below. For an exception to be granted:

• Specific network configuration elements must be deployed within the privately managed network

• Personnel in requesting departments must demonstrate competence with managing the privately managed network to the expected minimum configuration.

3.1.1 Required Privately Managed Network Oversight

All privately managed networks must be overseen by a USNH employee. Students and sponsored users cannot request or oversee a privately managed network.

3.1.2 Required Network Configuration Elements

ET&S uses multiple methods to protect the USNH institutional networks, including monitoring for external intruders, scanning hosts on the network for suspicious anomalies, and blocking harmful traffic.

To ensure these protections extend to all privately managed networks, the following elements must be deployed and meet the standards set by the Network System Administrator, when operating a privately managed network:

• Boundary Protection via Firewall as outlined in NIST SP 800-53 SC-7

• Vulnerability Scanning as outlined in NIST SP 800-53 RA-5

• Network Access Controls as outlined in NIST SP 800-53 AC-2

All these configuration elements shall have a current vendor support contract in place.

All network equipment shall be configured to log to a central log repository.

All network traffic passing in or out of a USNH network to/from the privately managed network shall be monitored by an intrusion detection system (IDS) for signs of compromise.

3.1.3 Required Network Protection Activities

Personnel approved to operate privately managed networks shall:

• Review all alerts from the IDS in a timely fashion and report all confirmed events to Cybersecurity Ops, Engineering, & IAM via the Cybersecurity Incident Reporting process.

• Ensure those networks are routinely scanned for vulnerabilities and that vulnerabilities are remediated according to the appropriate institution’s Vulnerability Management requirements.

• Monitor network traffic and log data, investigate, and, when appropriate, report anomalies as identified above.

• Students or sponsored users can assist in management of privately managed networks with oversight by a specific, named USNH employee.

Owners of privately managed networks must submit documentation to CS&N annually verifying their privately managed network still conforms with this standard. Network Administrators and/or CS&N can request an audit of any privately managed network, at any time, to confirm compliance.

3.2 PROHIBITED WITHIN PRIVATELY MANAGED NETWORKS

Privately managed network operators are prohibited from deploying wireless networks to ensure seamless uninterrupted service for all USNH centrally managed wireless networks.

3.3 FAILURE TO ADHERE TO THIS STANDARD

The Network System Administrators shall take ALL necessary steps to protect each USNH network from improperly configured or managed privately managed networks. At the discretion of the Network System Administrators, privately managed networks that exhibit the behaviors indicated below may be shut down, throttled, or otherwise impacted, if required to protect USNH or institutional information and information technology resources and/or to allow normal traffic and central services to resume on the impacted USNH network.

• Imposing an exceptional load on a campus service

• Exhibiting a pattern of network traffic that disrupts other services

• Exhibiting a pattern of malicious network traffic associated with scanning or attacking others

• Exhibiting behavior consistent with host compromise

• Failure to identify, investigate, and/or report a cybersecurity event occurring within the privately managed network

3.4 LEGACY NETWORK COMPLIANCE GRACE PERIOD

Any previously sanctioned Privately Managed Networks already connected to USNH Networks will be given a temporary compliance grace period. The intent of this temporary grace period is to allow the managers of each Privately Managed Network to work with Cybersecurity & Networking on:

• assessing existing security controls in those networks

• making any necessary security control improvements or modifications to bring those networks into compliance with this Standard

• certifying compliance of those networks

• or transitioning management of those networks to CS&N

As each Privately Managed Network will require differing levels of effort to achieve compliance, a grace period expiration date will be established for each Privately Managed Network after the security control assessment has been completed.

To maintain this status for the length of the established grace period, managers of Privately Managed Networks shall make a good faith effort to participate in the CS&N assessment process and address any mandatory improvements prior to the expiration date established for their network. Failure to do so may result in the Chief Information Security Officer (CISO) rescinding the compliance grace period for that Privately Managed Network. Loss of these protections prior to certification may result in a Privately Managed Network being shut down, throttled, or otherwise impacted.


DOCUMENT HISTORY

  • Approved by:
    • CHIEF INFORMATION SECURITY OFFICER, T NUDD, 19 AUG 2021, v2
    • UNH INFORMATION SECURITY COMMITTEE, 19 DEC 2019, v1.1
  • Reviewed by:
    • CHIEF INFORMATION SECURITY OFFICER, T NUDD, 19 AUG 2021, v2
    • USNH INFORMATION SECURITY COMMITTEE, JAN 2019, v1.1
    • UNH INFORMATION SECURITY COMMITTEE, 19 DEC 2019, v1.1
  • Revision History:
    • REVISED, CHIEF INFORMATION SECURITY OFFICER REVIEW, v1.2
    • REVISED, ELEVATE TO USNH STANDARD, R BOYCE-WERNER, 30 JAN 2020, v1.1
    • REVISED, UNH INFORMATION SECURITY COMMITTEE FEEDBACK, 19 DEC 2019, v1.1
    • DRAFTED, D CORBEIL, 20 NOV 2019 (Private Network Standard v1)
    • REVISED, D YASENCHOCK 08 MARCH 2023
    • REVISED formatting, K SWEENEY, 30 MAY 2024