OFFICE OF TECHNOLOGY SERVICES

Guidelines and Standards

Network Security

The following is the minimum set of security standards required for all network devices on the Towson University (TU) campus network.

General Obligations

Network users and engineers are subject to the Guidelines for Responsible Computing published on the campus web site.

Physical Security

All network devices must be secured at all times to prevent unauthorized access to network resources. Devices must be kept in secured rooms that require a biometric or card swipe device for access. Room keys may be used temporarily until one of the approved methods mentioned is obtained. Keys to network devices must be secured and stored away from the devices to prevent unauthorized personnel from tampering with them. Physical access to network devices must be limited to network engineers or those with the responsibility to maintain the network device.

Passwords

Utilize strong passwords to ensure that only authorized users can access the system. Passwords must be changed when someone who has access to network devices leaves. All passwords must follow these rules:

  • Be a minimum of eight characters in length
  • Not be a dictionary word
  • Not be related to the individual, such as a spouse's or kids' names or dates
  • Do not write passwords down anywhere
  • Change passwords every 45 days or less
  • Do not include passwords in any electronic mail message

Change a password immediately if you suspect someone else may have guessed it.

Default passwords are not used.

Software Patching and Updates

All security patches and updates must be automatically installed as made available from the vendor. All server patches and updates should be reviewed by network and security personnel prior to installation.

Firewalls and Network Devices

All unused services and ports on firewalls, routers, switches, and network security devices must be disabled. All network devices must be configured to deny all traffic (ingress and egress) unless expressly authorized as part of an access control list (ACL). Demilitarized zones (DMZs) will be established and utilized for all publicly accessible web servers. Firewall rule sets will be devised and maintained on all firewall configurations.

Banners

Banner text must be displayed at all server system authentication points where initial user logon occurs. Banners must use Towson ITU-approved or state-approved wording.

Authentication

All users accessing the TU network must be authenticated. All others will be quarantined from the network. Access to network devices will utilize encryption.

Remote Access

The remote dial-in facility to network devices at TU is disabled and not authorized. Use of remote access software like pcAnywhere is not authorized on network device systems. Access to network devices is limited to encrypted remote logins using VPN. No Telnet access is allowed.

Network Device Accounts

Remove all unnecessary accounts. All network devices must authenticate all system users. Guest accounts on network devices must be disabled. Network engineers must use complex passwords and must change their password every 45 days or less. Login accounts must be locked out after 3 tries.

Wireless

All wireless access must be protected from intruders and unauthorized access. Firewall and intrusion prevention system technology will be utilized to protect the network. Encryption utilizing Internet Protocol Security will also be utilized. The Service Set Identifier (SSID) on all access points must be changed from the factory default. The beacon interval on these access points must be set to its highest value. Disable the broadcast SSID feature and change the default cryptographic keys. Access points must utilize SNMPv3 or have the SNMP function disabled. Disable Dynamic Host Configuration Protocol (DHCP) on all access points and use static IP addresses. Open-system authentication, WEP and WEP2 are prohibited.

System Logging and Monitoring

System activity logging is enabled on all critical network devices. All syslog information will be sent to a centralized syslog server and monitored by information security personnel. Security logs will be reviewed daily and maintained for a minimum of 1 year.

Unnecessary Services

Network devices must only allow critical services. All non-critical services must be blocked and vulnerabilities eliminated.

Backup, Recovery and Disaster Plan

All network configurations must be backed up at least weekly to tape and stored off-campus. Additional copies may be stored at another campus location for quick retrieval.

A disaster recovery plan has been created and periodically tested. Backup measures should be integrated with disaster recovery plans.

 

Information Security Office
Office of Technology Services
Cook Library, 4
Hours: Monday - Friday, 8:30 a.m. to 4:00 p.m.
E-mail: infosec@towson.edu



- Passwords using dictionary words are easier to crack than non-dictionary ones.

 


© 2012 • Towson University • Last Updated: Wednesday, June 22, 2011
Towson University • 8000 York Road • Towson, Maryland • 21252-0001 • 410-704-2000