Network Infrastructure Management

Introduction

Safeguard 12 - Network Infrastructure Management

Procedures

All networks must conform to the policies below. If you operate a network that has access to Virginia Tech's resources, please contact NI&S to see whether these services can be provided by the Division of IT.

12.1 - Ensure Network Infrastructure is Up-to-date

Ensure network infrastructure is kept up-to-date. Review software versions monthly, or more frequently, to verify support.

12.2 - Establish and Maintain a Secure Network Architecture

Network service owners must establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. NI&S and the ITSO provide the Restricted/Limited Access Network (RLAN) service for additional protection of network and computing environments with personally identifying information (PII). NI&S provides an RFC1918 addressed virtual LAN (VLAN) network segment which isolates hosts from the Internet and prevents direct inbound connection attempts from external hosts.

12.3 - Securely Manage Network Infrastructure

Securely manage network infrastructure using appropriate physical and logical access controls, MFA, and out-of-band management, connecting only from trusted and hardened management hosts.

12.4 - Establish and Maintain Architecture Diagrams

Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, at minimum, or when significant changes occur.

12.5 - Centralize Network Authentication, Authorization and Auditing (AAA)

Centralize network AAA through a directory service, where supported.

12.6 - Use of Secure Network Management and Communication Protocols

Use only current industry-standard management and communication protocols (SNMPv3, 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater, SSH, etc.). Do not use insecure protocols such as Telnet, SNMP versions prior to v3, or HTTP unless they are operationally essential, a documented exception exists, and compensating controls are in use.

12.7 - Ensure Remote Devices use a VPN and are Connecting to an Enterprise AAA Infrastructure

Connect to the Pulse Secure Remote Access VPN and authentication services prior to accessing on-campus assets and services.