Summary

Security breaches are a persistent threat for all institutions. To prevent breaches, or to effectively contain and mitigate one if it occurs at UConn, University Information Technology Services (ITS) proposes a two-component approach to improve the University's security posture. (1) ITS will collaborate with university IT professionals to create and share a comprehensive inventory of infrastructure. (2) ITS will segment server and client networks into appropriate locations. ITS will collaborate with university IT professionals to enact this plan, and changes will be performed and sequenced in a way that minimizes disruption to our community.
Introduction

At a higher education institution, an open and collaborative environment is crucial for the free exchange of ideas that leads to advancements in education and research. Security is also a priority, however, and when controls are relaxed to allow greater access, exposure also increases. Therefore, the University strives to implement security strategies that facilitate openness while also ensuring that critical data is appropriately protected. One strategy for achieving this balance between risk and access is to implement the industry best practice of network segmentation. With this approach, network clients and network servers are separated into independent networks with distinct security policies and operating practices. This strategy protects clients by blocking unnecessary inbound connections that could introduce malicious software to our network and lead to data theft. At the same time, the server network has the access needed to operate effectively but is protected by hardening practices such as firewalling, patch management, vulnerability scanning, log management, and two-factor authentication. Network segmentation also helps contain a security breach, should one occur, which minimizes the impact and loss of institutional data.

The first step in executing this initiative is creating an accurate inventory of all institutional IT assets, which will contain physical location data, device classification, and administrative contacts. While gathering this data, ITS will implement firewall changes to better protect generic clients, such as phones, tablets, and laptops, using the wireless network, which is client-only by design. We will then pursue better compartmentalization of networks and encourage migration to appropriate locations. ITS will work closely with departmental IT staff to identify critical infrastructure and implement changes while mitigating negative impacts.
Goals

The goals of this initiative are to (1) protect institutional data and critical services and (2) improve incident response times. These goals will be accomplished by pursuing the following activities, which lead to outcomes designed to protect servers and clients.

Table 1. Activities of the Server Inventory and Data Protection initiative will lead to outcomes that better protect university client and server networks.
| Activity | Outcome |
|---|---|
| Audit networks for server assets and catalog server function and data types stored | Create an accurate inventory of institutional IT assets and critical data |
| Block inbound connections at the border to create a logical perimeter around client networks, while making exceptions for adjacent servers | Drastically limits the attack surface, which will reduce instances of client compromise such as ransomware, data exfiltration, botnet participation, and spam |
| Place administrative and research infrastructure into dedicated server networks | Migrating servers into dedicated server networks behind firewalls will make protecting them, and the data on them, easier |
| Implement two-factor authentication; run vulnerability scans against all server/critical infrastructure; enroll servers into patch management software | These server hardening standards will greatly reduce incidents of compromise |
| Install Splunk forwarders on systems for log management; monitor servers for signs of compromise with Vectra | Monitoring capabilities will reduce incident response and remediation time |
Assessment and Inventory

An effort must be made to collect and maintain a record of the critical assets on our network. ITS will provide as much information as practical to departmental IT for evaluation. The information will be gathered from the sources below and disseminated to the departmental IT contacts for review:
- Existing known server networks as maintained by ITS
- Nessus scans of hosts with open server ports
- Information gathered from DNS
Departmental IT contacts will then:
- Work with their faculty and staff to identify any devices not included on the list
- Evaluate the information and make any corrections
- Return the corrected information to ITS
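As an added example (not part of the ITS plan or its tooling), the following Python reconciles the three sources above into a first-pass inventory for departmental review: hosts inside known server networks are listed as such, and hosts that expose server ports from a client network are flagged. The networks, scan results and DNS names are constructed sample data.

```python
import ipaddress

# Constructed sample data, not UConn's real address plan or scan output.
KNOWN_SERVER_NETWORKS = ["10.20.0.0/24", "10.21.0.0/24"]   # maintained by ITS
CLIENT_NETWORKS = ["10.100.0.0/16"]                        # client-only ranges
SERVER_PORTS = {22, 80, 443, 445, 1433, 3306, 3389, 5432}  # ports treated as "server"

# Hypothetical Nessus-style results: (ip, set of open TCP ports)
SCAN_RESULTS = [
    ("10.20.0.15", {22, 443}),
    ("10.100.4.7", {445, 3389}),   # file/RDP services on a client network
    ("10.100.9.20", set()),        # ordinary client, nothing listening
    ("10.100.12.3", {80, 443}),    # web service on a client network
]
# Hypothetical DNS data keyed by address
DNS_RECORDS = {"10.20.0.15": "web1.example.edu", "10.100.4.7": "labfs.example.edu"}


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def classify_host(ip, open_ports, server_nets, client_nets, server_ports):
    """Decide where a host belongs relative to the segmentation plan."""
    if _in_any(ip, server_nets):
        return "server-network"
    if _in_any(ip, client_nets):
        if open_ports & server_ports:
            return "review: server ports on client network"
        return "client"
    return "unassigned"


def build_inventory(scan_results, dns_records, server_nets=KNOWN_SERVER_NETWORKS,
                    client_nets=CLIENT_NETWORKS, server_ports=SERVER_PORTS):
    """Merge scan, DNS and known-network data into rows for departmental review."""
    rows = []
    for ip, ports in scan_results:
        rows.append({
            "ip": ip,
            "hostname": dns_records.get(ip, ""),
            "open_server_ports": sorted(ports & server_ports),
            "classification": classify_host(ip, ports, server_nets, client_nets, server_ports),
            "contact": "",   # administrative contact, filled in by departmental IT
        })
    return rows


def needs_review(inventory):
    """Hosts that likely need migration to a server network or a firewall exception."""
    return [r for r in inventory if r["classification"].startswith("review")]
```

Rows returned by `needs_review` are the candidates to discuss with departmental IT before any border firewall change, since they are the ones a client-network inbound block would affect.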
Network Segmentation

Logical Segmentation and Firewall Policy Implementation

The firewall will be leveraged to provide the initial segmentation of clients and servers; we will use firewall policies at our Internet border to isolate devices from, and to, the Internet. This work will require close collaboration between ITS, IT administrators, and users to ensure that data and infrastructure are protected without any loss of functionality or service impact.
Security Controls Implementation

Key management tools (below) that align with the server management standards will be implemented once the servers have been identified and the firewall policies implemented.
- Vulnerability Scanning – ITS runs a vulnerability scanning service using the Tenable Security Center. All servers will be scanned monthly, and the reports will be distributed to designated IT contacts.
- Log Management – ITS runs a logging and analytics service using Splunk. All servers will forward their logs to Splunk. ITS will ensure that access to Splunk, for log review and searching, is provided to all IT administrators that require it.
- System Monitoring – ITS will configure any system IP address or network for review using the Vectra post-compromise detection hardware. This system monitors traffic passively and is completely non-invasive.
Migrating servers into the dedicated server networks will involve the following steps:
- Work with IT staff to ensure all clients, servers, and IT assets are correctly identified.
- Create appropriate networks and route as necessary.
- Reconfigure servers to use DHCP reservations and ensure DNS records are updated. This provides the stability of static IP address assignment while retaining configuration flexibility.
- Work with ITS to create appropriate firewall rules.