Issue 32 - June 2002

After Server Registration - Where Do We Go From Here?

By Raymond Poon

The Computing Services Centre (CSC) has so far received over 456 server registrations from 50 departments. The largest groups of servers are from MEEM, IS, and DCO, with 111, 63 and 34 servers respectively. Many of the servers in the academic departments are apparently accessed by staff and students for projects or learning purposes, while the rest are accessed by external parties for information, with some or no access control. Almost all kinds of network protocols are in use and every conceivable service is provided, including some critical yet high-risk ones such as SMTP, FTP, DHCP, DNS, IIS, etc.

By analyzing the data collected from the server registrations, the CSC has come to the conclusion that, since there are simply far too many servers on the campus network offering disparate services under different operating systems, it would be impossible for the CSC to offer direct help to, and to secure, each and every one of them (a commitment which the CSC is always trying to achieve but now finally realizes is infeasible). What we really need now is, on the one hand, to rely on server owners and administrators to help minimize the security risks of their own servers, thereby improving the overall security of the entire campus network, and, on the other hand, to introduce some campus-wide measures to assist them in managing their servers effectively. While the CSC is still working hard to sort out the technical as well as procedural arrangements for reinforcing the security of the whole campus network, the following measures are planned for implementation in the next few months:
a) Any unregistered server and/or service will be immediately filtered from the network as soon as it is discovered, and no advance notice will be given.
b) Any server found to have been infected by a virus, to have conducted illegal activities, to have posed serious threats to the security of the campus network, to have been complained about by external parties with compelling evidence, to have violated existing policies, etc., will also have its network card address and/or IP address immediately filtered from the network, and no advance notice will be given.
c) For servers with repeated violations that cause substantial damage to other users on the campus network, an expert from one of the CSC-approved organizations will be hired, on their behalf and at their expense, to conduct risk assessments such as vulnerability scans, penetration tests, etc. to ensure their fitness for network access. These servers will not be allowed to connect to the network unless they have passed all the tests recommended by the expert and shown that sufficient threat prevention measures are or will be in place.
d) All incoming access to the CityU servers (both central and departmental servers) from non-CityU IP addresses will be blocked by the firewall at the perimeter of the campus network. Students and staff at home or abroad must therefore use VPN clients to access these servers.
e) For services offered to the general public and provided by multiple servers, some servers may be placed before or behind the firewall, depending on the security requirements and the nature of the services. In general, servers offering services that use critical or dynamic information will be placed behind the firewall for maximum or specially tailored protection, while those that do not will be placed before the firewall (in the so-called De-Militarized Zone, DMZ for short) with minimum or no security protection.
f) For services offered to the general public and provided by a single server, if security is a concern and the situation warrants, its services and/or functions may need to be divided between or among two or more servers so that Point e) can apply. If not, it can be placed either before the firewall (under-protected) or behind it (over-protected), according to how dynamic the information it uses is.

The details of the implementation plan will be announced as soon as it is ready. We hope that, with the help and cooperation of our users, server owners and administrators, the negative impacts of the above-mentioned measures can be reduced to a minimum, and that our campus network can remain rich in services offered by many different parties yet be made secure.