The U-M network backbone and local in-building networks are critical to the operation of the university. It is vital that we do everything possible to permit an open, unrestricted access network, while also protecting the business assets and sensitive institutional data from threats.
ITS network security and IA support the U-M Network Security Standard (DS-14) that supplements the Information Security (SPG 601.27) policy. The standard describes the requirements needed to ensure the confidentiality, integrity, and availability of network resources. See also the Network Security Standard Checklist.
The Network security standard applies to all network resources, including wired and wireless networks, communications equipment, physical infrastructure (cabling, routers, switches, firewalls hardware, and other network protection devices). This standard applies to all U-M; including Ann Arbor, Dearborn, Flint campuses, and Michigan Medicine.
ITS-NSO experts provide services to implement the standard and U-M security policies across U-M campuses. They also work to identify the requirements that unit administrators should take to meet these policies and mitigate security risks.
There are three ways to meet the U-M Network security standard:
- First, the ITS-NSO team can configure, run, and maintain compliant firewall services for units.
- Second, ITS-NSO team can help units run the firewalls themselves while maintaining a top administrative access to manage the service.
- Third, the team can provide guidance for units to run their own firewall services completely.
The best and most efficient way to engage ITS-NSO is to reach out by submitting a request to discuss your needs and the network security requirements for your unit.
Roles & Responsibilities
The following role-specific responsibilities are intended to help ensure that the confidentiality, integrity and availability of U-M network resources are maintained.
ITS-NSO staff members are responsible for:
- Monitoring and protecting the university networks, and their associated systems, services, and applications, from abuse, attacks, and inappropriate use;
- Taking prompt corrective actions to ensure satisfactory mitigation of identified risks to networks;
- Implementing safeguards to identify and mitigate threats to the network as a resource and as a platform of attack against U-M resources, property, or data;
- Effectively balance academic operational concerns and security challenges.
Authorized Campus Network Administrators
Authorized campus network administrators for the Ann Arbor, Dearborn, and Flint campuses and Michigan Medicine are primarily responsible for:
- Coordinating, managing, and maintaining network infrastructure, including campus backbone networks and unit-specific networks;
- Administering firewalls and intrusion prevention and detection systems;
- Ensuring that all Information Assurance (IA)-identified Network Security Management Standards (policy and technical) are applied to hosted services;
- Providing ongoing security monitoring for all installed wireless access points;
- Serving as the authoritative and responsible staff for the registration and management of all university-owned and unit-owned DNS domains;
- Serving as the authoritative and responsible unit for the registration and management of all university-owned public IPv4 and IPv6 address space, as well as all private IP address space used on U-M campuses.
- Ensuring compliance with U-M Network Security standard (DS-14) provided by ITS. In order to meet these compliance obligations, network administrators from units engaged in network administration are responsible for:
- Maintaining documentation including address space, security contact, and current network map;
- Publishing acceptable use notices upon access to networks that notify the end user that their access may be quarantined or disconnected at any time;
- Adopting current industry standards and accepted security protocols for wireless networks to ensure data integrity and confidentiality while connected to the wireless network;
- Identifying and documenting any and all guest networks as such;.
- Maintaining systems for IP address space management capable of producing logs for review and audit purposes;
- Restricting the ability to change network equipment to network administrators.
Authorized Campus Firewall Administrators
Units who directly run their local firewalls are responsible for compliance with U-M Network Security standard (DS-14) provided by ITS. In order to be compliant with these obligations, firewall administrators from these units are responsible for:
- Maintaining documentation including:
- An asset inventory of the hardware and software used to operate the firewall;
- A firewall service restoration plan;
- Procedures on how to define and manage unit firewall policies;
- A method of intake for support requests that provides traceability, accountability, auditability and metrics tracking shall be implemented;
- An authoritative list for all authoritative university-owned DNS domains by appropriate DNS administrators;
- Network maps and firewall/VPN configurations for interconnecting information systems;
- Historical record of firewall change requests.
- Aligning firewall devices and account management practices to Data Security Standard, including but not limited to:
- Collecting logs and monitoring for security incidents or impacts to availability;
- Securing using strong authentication and multi-factor authentication when available;
- Enabling secure encryption when and where possible.
- Ensuring unit firewall policies support granting access to ITS vulnerability scanners as needed;
- Leveraging an automated threat intelligence service, such as the MITN threat intelligence feed, on a regular basis (i.e. at least once per hour) as part of the firewall policy;
- Including a “deny all” statement at the end of the policy, to ensure that unaddressed traffic isn’t implicitly permitted;
- Designating on-call person to handle service impacting issues for each production network;
- Implementing continuous monitoring with notifications upon equipment failure. If the equipment failure results in negative impacts to services, notice shall be given to on-call personnel for remediation;
- Restricting changes to firewall administrators or systems built by firewall administrators;.
- Backing up equipment configurations on a regular basis, so that it is possible to restore service after a configuration error or a hardware failure;
- Placing printers on RFC1918 non-routable address space or behind a firewall that actively provides access control;
- Ensuring limited access to UMich resources in keeping with the principle of least privilege with VPN & Firewall Rules.