Network Security


The purpose of this document is to establish a standard set of requirements and procedures for safeguarding the district network from:

  • Unauthorized access to district computers by unknown individuals
  • Unauthorized and inappropriate use of computer disk space and CPU resources
  • Unauthorized access to or acquisition of confidential district data
  • Use of a computer for outward bound attacks on others on the Internet

These standards apply to the users of all devices connected to the district network for the transmission and reception of electronic communications.

1. Standards

  • 1.1. Network Access
    • The District will provide network access to Internet services unless a service has been determined to be unacceptable. Network Services will maintain a catalog of services that have been identified as unacceptable and are therefore blocked. Wireless users must authenticate when connecting to the district network. Users are also required to have a district-approved, up-to-date anti-virus software package and current security-related operating system patches installed. A host found not to meet these minimum admission criteria will be blocked from district network access until it does.
    • The district hosts non-district network connections for simple peering with the district and for connection to the Internet. All such networks will be outside the district secure perimeter unless that placement would adversely impact the entity's relationship with the district. Any network connected inside the district network perimeter must adhere to the same standards as the district network.
  • 1.2. Network Infrastructure
    • Network Services provides voice and data connectivity from all devices to District resources and to the Internet. The infrastructure supporting voice and data connectivity and the maintenance of these connections is provided by Network Services as a central service.
    • All switches, access points, cabling, and patch cords must be purchased from and installed by Network Services. All traffic destined for district resources via a wireless access point must be encrypted; the 4Jwireless or 4jauth networks are used to accomplish this.
    • Computers that house confidential district data must be:
      • secured through the use of both personal and district firewalls
      • physically secured, only allowing access required to conduct the business of the district.
    • The district will host all voice communications centrally, including Voice over Internet Protocol (VoIP) services. All voice communications will be operated in accordance with all applicable laws and will meet Network Reliability & Interoperability Council (http://www.nric.org) best practices and standards, including but not limited to compliance with the 911 Act and the Communications Assistance for Law Enforcement Act (CALEA).

2. Operational Rules

  • 2.1. Authorization
    • Network Services will work with staff to determine whether a required Internet service should be opened at the border via firewall or filter rules. Staff must describe the service needed, the precautions taken to secure the device offering the service, and the probable sources of requests for it.
  • 2.2. Scanning
    • Network Services may scan machines or whole subnets at both announced and unannounced times to look for vulnerabilities or compromised machines.
  • 2.3. Port Throttling
    • Port throttling or blocking may occur to prevent or alleviate either attacks or excessive bandwidth consumption.
  • 2.4. Service Disconnection
    • Devices or networks of devices are subject to service disconnection by Network Services if such devices:
      • pose a security threat to the district network
      • significantly impact the functionality of the district network in a negative manner
      • violate Federal or State law or district policy
    • Examples of grounds for service disconnection include, but are not limited to:
      • rogue DNS or DHCP servers
      • malware infected devices
      • spam senders/relays
      • unauthorized probing of other network devices
    • Common forms of service disconnection include, but are not limited to:
      • by device or port,
      • or in extreme circumstances, by VLAN, subnet, or building.
  • 2.5. Prohibited Protocols
    • Authorized off-district users needing to access services on campus must do so in a secure manner. Microsoft Windows File Sharing (WFS) is blocked at the district border. Services that must reach district network facilities from off district must use a VPN connection to the district. The VPN authenticates the user before granting access to district network resources, and assigns the user's computer a network address within the district's Internet address range, so that access to services is authorized under the same admission rules that apply to other district networks and Internet services.
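A worked example of the detection behind the "rogue DNS or DHCP servers" ground for disconnection in 2.4, added here as an illustration; it is not part of the district's policy or of any Network Services tooling. It parses constructed DHCPOFFER records in an assumed monitor line format (the addresses, MAC addresses and allowlists are hypothetical), flags offers from a server that is not an authorized DHCP server, and also flags an authorized server whose offers push an unexpected default router or DNS resolver, which is how a rogue or compromised server redirects clients' name resolution:

```python
import re

# Constructed sample DHCPOFFER records (hypothetical monitor output, not
# district logs). The line format, addresses and allowlists are assumptions.
SAMPLE_LOG = """\
2024-03-04T08:12:01 DHCPOFFER server=10.20.0.5 mac=00:11:22:33:44:55 yiaddr=10.20.0.133 router=10.20.0.1 dns=10.20.0.10
2024-03-04T08:12:01 DHCPOFFER server=10.20.0.201 mac=de:ad:be:ef:00:01 yiaddr=10.20.0.133 router=10.20.0.201 dns=10.20.0.201
2024-03-04T08:12:03 DHCPOFFER server=10.20.0.5 mac=00:11:22:33:44:55 yiaddr=10.20.0.134 router=10.20.0.1 dns=10.20.0.10,10.20.0.11
2024-03-04T08:12:09 DHCPOFFER server=10.20.0.5 mac=00:11:22:33:44:55 yiaddr=10.20.0.135 router=10.20.0.1 dns=198.51.100.53
2024-03-04T08:12:11 DHCPOFFER server=10.20.0.201 mac=de:ad:be:ef:00:01 yiaddr=10.20.0.136 router=10.20.0.201 dns=10.20.0.201
this line is not an offer and is skipped
"""

# Allowlists Network Services would maintain for this subnet (assumed values).
AUTHORIZED_DHCP_SERVERS = {"10.20.0.5"}
AUTHORIZED_ROUTERS = {"10.20.0.1"}
AUTHORIZED_DNS_SERVERS = {"10.20.0.10", "10.20.0.11"}

OFFER_RE = re.compile(
    r"^(?P<ts>\S+) DHCPOFFER server=(?P<server>\S+) mac=(?P<mac>\S+) "
    r"yiaddr=(?P<yiaddr>\S+) router=(?P<router>\S+) dns=(?P<dns>\S+)$"
)


def parse_offers(text):
    """Parse monitor lines into dicts; lines that are not DHCPOFFER records are skipped."""
    offers = []
    for line in text.splitlines():
        m = OFFER_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dns"] = rec["dns"].split(",")  # option 6 may carry several resolvers
            offers.append(rec)
    return offers


def find_rogue_offers(offers):
    """Group policy violations by offering server.

    A server is flagged if it is not an authorized DHCP server, or if it hands
    out a default router or DNS resolver outside the allowlist. The second
    check also catches an authorized server that has been misconfigured or
    compromised, not only a rogue box plugged into a classroom port.
    Returns {server_ip: {"mac": str, "count": int, "reasons": set, "clients": set}}.
    """
    findings = {}
    for o in offers:
        reasons = set()
        if o["server"] not in AUTHORIZED_DHCP_SERVERS:
            reasons.add("unauthorized DHCP server")
        if o["router"] not in AUTHORIZED_ROUTERS:
            reasons.add("unexpected router " + o["router"])
        for resolver in o["dns"]:
            if resolver not in AUTHORIZED_DNS_SERVERS:
                reasons.add("unexpected DNS " + resolver)
        if reasons:
            entry = findings.setdefault(
                o["server"], {"mac": o["mac"], "count": 0, "reasons": set(), "clients": set()}
            )
            entry["count"] += 1
            entry["reasons"] |= reasons
            entry["clients"].add(o["yiaddr"])  # hosts that may have accepted the bad lease
    return findings


def disconnection_candidates(findings):
    """MAC addresses of unauthorized DHCP servers: what Network Services would
    look up in switch MAC tables to disconnect by device or port (section 2.4)."""
    return {f["mac"] for f in findings.values() if "unauthorized DHCP server" in f["reasons"]}


if __name__ == "__main__":
    report = find_rogue_offers(parse_offers(SAMPLE_LOG))
    for server, f in sorted(report.items()):
        print(f"{server} ({f['mac']}): {f['count']} offer(s); "
              f"{', '.join(sorted(f['reasons']))}; clients {', '.join(sorted(f['clients']))}")
    print("disconnect:", ", ".join(sorted(disconnection_candidates(report))))
```

On the sample input the unauthorized server 10.20.0.201 is reported with two offers and both affected client addresses, and the authorized server 10.20.0.5 is reported once for handing out an off-district resolver. Only the former is a disconnection candidate by MAC; the latter is a configuration or compromise question for the server's owner, which is why the two findings are kept separate.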