Loyola University Chicago

Information Technology Services

Router & Switch Security Standard

Scope

This standard describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Loyola University Chicago.

Purpose

All routers and switches connected to Loyola University Chicago production networks are affected. This document contains two sections: baseline standards for routers and switches, and additional standards for perimeter routers and switches. All routers and switches must be configured to the baseline standard; perimeter devices have additional required controls.

Standard

Baseline Standards for Routers and Switches:

The following services and features must be disabled on every router and switch:

a. IP directed broadcasts
b. TCP small services
c. UDP small services
d. All web services running on the router
e. Switch interfaces set with "dynamic" port negotiation
f. FTP services

The following login banner must be configured on every device:

"This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services Policies and Guidelines, and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited.

Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method."
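The Cisco IOS configuration fragment below is an added example of how the baseline items and the banner above are typically implemented; it is not part of the Loyola standard and not taken from the referenced CIS or NSA guides. The interface names and the banner delimiter character (^) are assumptions to be adapted to the device.

```cisco
! Added example, not from the Loyola standard: Cisco IOS baseline hardening.
! Interface names and the banner delimiter (^) are assumed values.
!
! (b) and (c): TCP and UDP small services (echo, discard, chargen, daytime).
no service tcp-small-servers
no service udp-small-servers
!
! (d): web services running on the router, both the plain and TLS management UI.
no ip http server
no ip http secure-server
!
! (f): the IOS FTP server. Only platforms that ship the FTP server feature
! accept this command; where it is rejected the service does not exist anyway.
no ftp-server enable
!
! (a): directed broadcasts are an interface setting on routed interfaces.
! Recent IOS releases default to "no ip directed-broadcast", but setting it
! explicitly documents the intent and survives a migration to older code.
interface GigabitEthernet0/1
 description Routed uplink (assumed interface name)
 no ip directed-broadcast
!
! (e): access ports must not negotiate trunking. "switchport nonegotiate"
! turns off DTP; pinning the mode keeps the port from becoming a trunk.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport nonegotiate
!
! Required banner. "banner login" is shown before the username prompt on
! console, SSH and any remaining vty sessions; ^ opens and closes the text.
banner login ^
This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services Policies and Guidelines, and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited.

Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.
^
```

To check the result, use `show ip http server status` (the server should report disabled) and `show interfaces switchport`, where each access port should show "Negotiation of Trunking: Off". Note that `show running-config` hides settings that match the platform default, so the absence of a `service tcp-small-servers` line is the expected evidence that the small services are off.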

Perimeter

In addition to the baseline, perimeter routers and switches must block or disable the following:

a. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses or the Loyola public IP space
b. IP packets that have the same source and destination address
c. Outgoing packets at the router sourced with invalid addresses, such as RFC1918 addresses
d. All source routing
e. CDP on Internet-connected interfaces
f. IP directed broadcasts
g. Telnet, FTP, and HTTP services
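The following Cisco IOS fragment is an added example of the perimeter controls above for one Internet-facing router; it is not part of the Loyola standard. The prefix 203.0.113.0/24 is an RFC 5737 documentation range standing in for the Loyola public IP space, 203.0.113.1 is an assumed router address inside it, and the interface name and ACL names are assumptions.

```cisco
! Added example, not from the Loyola standard: perimeter router controls.
! 203.0.113.0/24 is a placeholder for the Loyola public space, 203.0.113.1
! a placeholder for the router's Internet-facing address (RFC 5737 ranges).
!
! (d): source routing is a global setting.
no ip source-route
!
! (g): Telnet, FTP and HTTP management services. Remote management is SSH only.
ip ssh version 2
no ip http server
no ip http secure-server
no ftp-server enable
line vty 0 4
 transport input ssh
!
! (a) and (b): ingress filter. A packet arriving from the Internet with a
! private source, or with a source inside our own space, is spoofed. Because
! the only permit is for destinations in our space, a packet whose source
! equals its destination is always dropped: either its source is in our
! space (denied below) or its destination is not (implicit deny at the end).
ip access-list extended INBOUND-FROM-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any 203.0.113.0 0.0.0.255
!
! (c): egress filter. Only traffic sourced from our own space may leave;
! the implicit deny at the end drops RFC1918 and any other stray source.
ip access-list extended OUTBOUND-TO-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip 203.0.113.0 0.0.0.255 any
!
! (e) and (f) on the Internet-facing interface, plus the two filters.
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip address 203.0.113.1 255.255.255.0
 no cdp enable
 no ip directed-broadcast
 ip access-group INBOUND-FROM-INTERNET in
 ip access-group OUTBOUND-TO-INTERNET out
```

`show ip access-lists INBOUND-FROM-INTERNET` shows per-entry match counters, which is the quickest way to confirm that spoofed traffic is actually being dropped, and `show cdp interface` must not list the uplink. Two caveats: an outbound ACL does not filter packets the router itself originates, so router-sourced traffic still relies on the device's own configuration; and strict unicast RPF (`ip verify unicast source reachable-via rx`) on the uplink can complement these lists, but only where routing to the Internet is symmetric.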

Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.

Appendix

References

www.nsa.gov/ia/mitigation_guidance/security_configuration_guides

http://www.cisecurity.org/benchmarks.html: CIS_Cisco_IOS_Benchmark_v2.2.pdf, CIS_FreeRADIUS_Benchmark_v1.0.pdf

History and Updates

September 12, 2011: Initial Policy
October 6, 2011: Revised
October 29, 2012: Annual Review for PCI Compliance
July 17, 2013: Annual Review for PCI Compliance
Author: UISO
Version: 1.1