56.10.06 - Network Configuration
PURPOSE:
To define network access and device requirements.
REVIEW:
This policy will be reviewed once a year by the director of Systems and Network Operations (DIT) and will be approved by the chief information officer (CIO).
POLICY/PROCEDURE:
This policy describes the requirements and constraints for attaching a computer, system, network device, or videoconferencing system to the TTUHSC El Paso network. The intent of this policy is to ensure that all connections to the TTUHSC El Paso network are maintained at appropriate levels of security and interoperability, which should be at CIS Level I, without impeding the ability of TTUHSC El Paso faculty, staff, or students to perform their work.
Responsibilities
The CIO is the central authority for all network issues. The CIO may appoint and/or delegate management of certain aspects of network administration as deemed necessary.
The DIT oversees administration of TTUHSC El Paso local area networks (LANs), as well as wide area networks (WANs), and is the contact person for all connectivity issues.
The DIT is the liaison between Facilities Planning Construction and Physical Plant and Support Services at TTUHSC El Paso for all new construction and major renovation projects involving computing systems.
Wide Area Network Connectivity and Routing
All routers within the TTUHSC El Paso WAN will be selected, operated, and maintained by personnel designated by the CIO. Subnet IP routing on the TTUHSC El Paso WAN will be performed in accordance with delegated IP address space. Routing of private IP address space (as defined by the Internet Engineering Task Force Request for Comments document #1918 - Address Allocation for Private Internets) across the TTUHSC El Paso WAN must be approved by the CIO or their designee.
Firewall Access Standard
All internal TTUHSC El Paso computers are protected from outside network access by security controls. All incoming network requests not known or defined are denied and are not passed through to the internal campus network. This section describes the procedures to allow special access through the firewall in instances where certain services and/or applications are required to maintain workflow and provide services.
Standard
Approval for outside network access to TTUHSC El Paso computing resources will be based on the following criteria:
- The connection is required for TTUHSC El Paso business.
- The connection does not represent an unnecessary security risk to TTUHSC El Paso.
- The connection does not use an insecure protocol where a more secure alternative exists.
- The connection does not involve unnecessary replication of functionality.
When the connection has been approved by TTUHSC El Paso IT Security, firewall access will be granted when the following have been completed:
- The machine is properly registered with Information Technology by filling out the Special Firewall Access Request Form under Information Technology (IT) Security Services in TeamDynamix.
- The target machine passes a vulnerability assessment performed by IT Security. This assessment consists of remotely scanning the target machine for common problems that could result in a security risk.
- The target machine has a reserved IP address.
Registration ensures that the target machine has an administrator known to IT. The administrator will perform the necessary tasks to keep the system up to date and in a secure state, with assistance from the IT Security group. Registration will be renewed once a year. Renewal notices will be sent via email by IT Security.
IT Security will perform routine security scans on machines registered for special access.
Procedures
All firewall rule requests will be submitted through TeamDynamix.
Requests for changes to the firewall must come from the administrator of the target machine. Requests received from anyone else will be forwarded to the machine’s administrator for approval.
All requests will be sent to the TTUHSC El Paso Help Desk. The request will be forwarded to the IT Security group for final approval by the Information Security Officer (ISO). Once approved, the IT Security group will make the necessary changes to the firewall. The Help Desk may require that the network configuration of the destination computer be modified prior to approving access.
IP Address Allocation Standards and Procedures
IP Addressing
All addresses will be handled by Systems and Network Operations. Systems and Network Operations will be responsible for administration and registration of all IP addresses and subnetworks within the delegated address range(s), according to the standards and guidelines approved by the CIO. All hosts in the TTUHSCEP domain must obtain a valid IP address from Systems and Network Operations. No host on the intranet should broadcast dynamic routing information, with the exception of specially configured gateway or router devices.
To ensure efficient IP address utilization, TTUHSC El Paso will allocate its assigned IP addresses to reflect the requirements of each building location, wiring closet, or network service. This ensures compliance with the American Registry for Internet Numbers (ARIN)’s requirements for utilization of public IP address space.
Reserved IP Address Standards
Reserved IP addresses are available to the following hosts:
- Server systems that provide file sharing, printer sharing, or other application services to multiple client systems.
- Printers with a direct network attachment.
- Hosts with a directly attached printer, where print jobs will be accepted from client systems on the network.
- Hosts providing services or resources to clients outside the TTUHSC El Paso network. This host must be approved by IT Security before allowing connection from outside clients.
All other hosts will use dynamic addresses allocated by Dynamic Host Configuration Protocol (DHCP) services at each regional campus. Reserved address requests for hosts that do not correspond with the above list must be approved by the appropriate regional site coordinator.
Refer to HSC OP 56.10.07, Server Hardening, for additional requirements that must be met before a server can be assigned a reserved IP address.
Reserved IP Address Allocation Procedures
All reserved IP addresses must be properly authorized and recorded before they are issued. The following outlines the procedure for requesting and allocating reserved IP addresses:
- IP records are managed by Systems and Network Operations.
- Upon receipt, the network technician creates a work order and verifies that the attached information is complete.
- Using the TTUHSC El Paso IP address management application, the host is assigned to the correct VLAN and subnet. The next available address is selected, and the information provided by the requestor is entered into the system.
- The assigned IP address, hostname, and hardware address are entered into the DHCP server(s), and records are kept in SolarWinds IPAM.
- If requested, domain name service/system (DNS) aliases are entered into the DNS configuration file to translate domain names into numeric IP addresses.
- The assigned IP address is sent to the requestor via email.
- The technician updates and closes the work order.