Those who manage networks across the university or within units are responsible for the following, in accordance with Network Security (DS-14):
- Proactively implementing safeguards to identify and mitigate threats to the network as a resource, and prevent its use as a platform of attack against U-M or other resources, property, or data.
- Monitoring and protecting the networks and their associated systems, services, and applications from abuse, attacks, and inappropriate use.
- Taking prompt corrective actions to ensure satisfactory mitigation of identified risks to networks or devices using them.
Additional guidance for authorized campus network administrators is available at Network Protection.
Network Security Basics
- Update software and firmware regularly and whenever security updates are made available.
- Incorporate appropriate network security safeguards regardless of the environment: on-premises, virtualized, or cloud.
- Isolate trusted networks from non-trusted networks.
- Obtain appropriate authorization before extending any U-M networks.
- UM-Ann Arbor: see Extensions to the University Network.
- Segment devices that do not need to be reachable from the internet by placing them on private, non-routable (RFC 1918) address space. Private addressing alone does not isolate a device from other internal segments, so pair it with firewall rules or ACLs.
- Use access control lists to limit network and device access.
- Implement default-deny and least-privilege policies on network firewalls.
- Restrict remote access provided to vendors to the smallest segment feasible.
- Configure access so that only appropriate subnets can reach network-connected printers and follow the Network Printing Best Practices.
- Encrypt wireless network traffic (WPA2 or WPA3; do not run open or WEP networks).
- Implement appropriate physical security controls to protect network equipment.
- Create layered security with technologies such as firewalls and intrusion prevention systems (IPS).
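The firewall items in the list above (default deny, least privilege, printer subnets, vendor access limited to the smallest segment) come together in a single ruleset. The following is an added example written for this page, not a U-M configuration; every subnet, host address and interface name in it (10.10.10.0/24, 10.20.0.0/24, 10.10.50.0/24, 10.10.99.10, 192.168.200.0/24, wan0) is a hypothetical RFC 1918 placeholder to be replaced with the unit's own addressing.

```nftables
#!/usr/sbin/nft -f
# Added example, not U-M's configuration: a default-deny nftables ruleset for a
# firewall in front of a segment holding sensitive hosts. All addresses below
# are hypothetical RFC 1918 (non-routable) placeholders.

define SENSITIVE_NET = 10.10.10.0/24     # hosts storing sensitive data (assumed)
define ADMIN_NET     = 10.20.0.0/24      # unit admin workstations (assumed)
define PRINTER_NET   = 10.10.50.0/24     # network-connected printers (assumed)
define VENDOR_HOST   = 10.10.99.10       # the one host a vendor may reach (assumed)
define VPN_POOL      = 192.168.200.0/24  # addresses issued to vendor VPN users (assumed)

flush ruleset

table inet filter {
    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority filter; policy drop;    # default deny

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        # Only admin workstations may manage the firewall, and only over SSH.
        ip saddr $ADMIN_NET tcp dport 22 accept
        # Echo requests for reachability checks; all other ICMP falls to the drop policy.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    # Traffic crossing between segments.
    chain forward {
        type filter hook forward priority filter; policy drop;  # default deny

        ct state invalid drop
        ct state established,related accept

        # Sensitive hosts: reachable only from admin workstations, only on named ports.
        ip saddr $ADMIN_NET ip daddr $SENSITIVE_NET tcp dport { 22, 443 } accept

        # Printers: only the admin and sensitive subnets may print
        # (IPP 631, raw port 9100, LPD 515); the internet and other segments never reach them.
        ip saddr { $ADMIN_NET, $SENSITIVE_NET } ip daddr $PRINTER_NET tcp dport { 631, 9100, 515 } accept

        # Vendor remote access: the VPN pool may reach exactly one host on one port.
        ip saddr $VPN_POOL ip daddr $VENDOR_HOST tcp dport 443 accept
        # Any other traffic from the vendor pool (lateral movement) is logged, then dropped.
        ip saddr $VPN_POOL log prefix "vendor-denied: " drop

        # Sensitive hosts may reach the internet only over HTTPS (e.g. for updates).
        ip saddr $SENSITIVE_NET oifname "wan0" tcp dport 443 accept
    }
}
```

Both chains set `policy drop`, so anything not explicitly accepted is denied, including IPv6 traffic that none of the `ip saddr` rules match. Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`, and keep the `established,related` rule near the top so that return traffic for permitted flows is not cut off by the deny policy.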
Network firewalls are most helpful in protecting networks containing static resources. Examples include:
- Hosts storing sensitive data
- High-value or mission-critical assets
- Machines bound by contractual obligations
- Machines bound by compliance requirements
Network administrators are responsible for keeping accurate and up-to-date network documentation, including:
- Network interconnects to external, non-UM entities, including virtual private network (VPN) links to third parties.
- Contracts with third-party providers who have access to the U-M network. Third-party vendors handling U-M data classified as Restricted or High should get remote access to only a limited segment of the network.
- All approved extensions to the network.
Information Assurance network security staff are available for consultation on appropriate network-based protection by contacting the ITS Service Center.