Appendix A: Definitions
DEVICE
- A device is either a physical device, e.g. desktop computer, laptop, server, PDA, or a logical device, e.g. virtual machine, web virtual host.
- A device is identified on the network by a unique MAC address.
FIREWALL
- The IRIS Firewall blocks specific TCP and UDP ports at the IRIS network border.
PROHIBITED DEVICES AND SERVICES
- DHCP or BOOTP servers
- Dynamic DNS (DDNS) clients or servers
- Modems or Modem Pools
- NAT servers (as a service for other physical devices)
- Broadcast NTP servers
- RAS servers
- RIS servers
- Routers or routing between networks
- WINS servers
- Wireless Access Points or any devices which may interfere with 2.4GHz or 5GHz WiFi networks
- Ethernet Hubs
- Managed switches
- Spanning Tree Protocol
ROOT COMPROMISE
- If there is any indication of administrative access to a host by unauthorized personnel, the host MUST be considered root compromised unless a system administrator who is a specialist experienced in forensics for that operating system can explain the activity and conclusively prove security was not compromised.
OS REINSTALLATION PROCEDURE
In the event of a root compromise:
- The device MUST be disconnected from the network immediately.
- An attempt SHOULD be made to identify the vulnerability exploited to obtain administrative privileges.
- The disk partition(s) containing the operating system MUST be formatted.
- A clean operating system MUST be installed from read-only media.
- The operating system and applications MUST be patched and properly configured before being reconnected.
- People with compromised passwords MUST be notified.
PRIVATE NETWORK
- A private network provides separate administrative control over a section of the network.
- Examples of typical private network uses include connecting a customer’s own hubs, switches or routers, running special protocols, or anything else which might cause disruptions if not isolated from the production network or production services.
- Requests for private networks will be evaluated on a case-by-case basis and specific policies will be outlined in a Memorandum Of Understanding (MOU) with the IRIS network group.
RESTRICTED NETWORK
- The Restricted Network is available for servers located in machine rooms (226 BWRC; 165 Cory; 287, 288, 290, or 340 Soda).
- The Restricted Network has strict firewall protection; inbound traffic from outside the IRIS network is allowed only to specific ports explicitly needed by hosted services. On the Restricted Network, system administrators may also request exemptions to the standard firewall rules.
- Requests for Restricted Network access and configuration will be evaluated on a case-by-case basis.
Last updated: 2021/08/13