Ames Policy Directive

APD 2810.1
Effective Date: February 9, 2001
Expiration Date: February 9, 2005


Network Security Policy

Responsible Office

JT/ Applied Information Technology Division, Mail Stop 233-17

  1. Applicability

     This document applies to all individuals and IT (Information Technology) resources located on Ames-managed networks. This includes civil service, contractor, tenant, and outsource personnel. It also applies to all computers, routers, peripherals and other devices.

  2. Purpose

     All Information Technology (IT) resources at Ames, such as data, information, applications, and systems, are considered to be valuable and sensitive to some degree. This document covers network and computer security for ARCLAN to protect Ames IT resources from threats and attacks originating primarily from outside the Ames environment.

  3. Policy

     1. Network Structure

        ARCLAN will have three separate Local Area Networks (LANs), with different levels of access security defined as: Private Network, Public Network, and Open Network. Each network will be protected by a combination of Firewalls, Intrusion Detection Systems, and host level system security. In addition, a Border Router will further insulate all three networks from the Internet. The ARCLAN Configuration Control Board (CCB) provides overall policies for network design and architecture. The Firewall CCB is responsible for overseeing the Firewall rules that define ports and services into Ames. The Firewall CCB works in conjunction with the ARCLAN CCB and organizational Computer Security Officers (CSOs) to review and approve changes to the Firewall rules. (A list of the Ames CSOs is available at: http://computer-security.arc.nasa.gov/people.html)

     2. General Networking (for all Ames-managed networks)

        1. Any system or service that poses an unacceptable risk, as determined by the Ames IT Security Manager or CCB, to any other Ames system or service on an Ames network will be disconnected. Violations may be subject to review by Ames Management, the NASA Inspector General or other law-enforcement agencies.
        2. All devices that connect to an Ames-managed network must be registered with a proper IP address. Users can contact their Network Administrator or the IT Support Center, 4-2000, for assistance.
        3. Users must get approval from their civil servant line management prior to adding or moving a computer system that connects to an Ames network. Line management must certify to their CSO that the system meets the following criteria:
        4. Network scanning is restricted to the IT Security Office, Ames Network Operations Group, and CSOs. With approval from their CSO, Network Administrators can conduct scanning of their organizational networks.
        5. The use of computer and network attack tools is strictly prohibited unless an explicit waiver is obtained by the Ames IT Security Manager.
        6. Wireless systems on the Ames Networks are subject to provisions in this policy.
        7. All networking devices, i.e., hubs, switches, routers, etc., will be placed in authorized locations such as communication closets or other areas approved by the ARCLAN CCB. Only the ARCLAN CCB may grant an exception to this policy.
        8. Ames personnel (civil servant, contractor, tenant and outsource) that connect non-NASA computers or other IT systems to Ames networks must also comply with the provisions of this policy.
        9. Visiting personnel may not connect their computers to the Private or Public LANs; their connections are only allowed on the Open LAN.
        10. Users must report any computer compromise immediately to the IT Security Office, 4-1234. See: http://computer-security.arc.nasa.gov

     3. Private Network

        This network contains the Center's critical resources (such as mission-critical systems, restricted group servers, nonpublic servers, and end-user computer systems) that require strong security protection from the Internet.

        1. External access (i.e., connections from remote dialup or networks) is restricted to Ames Chief Information Officer (CIO)-approved access methods that require user authentication and encryption.
        2. All accounts for external access into the Private Network must be approved in writing by civil servant line management. Users can apply for this service at: http://appliedit.arc.nasa.gov/vpn/
        3. Dialup into the Private Network is restricted to the central Ames Remote Access System (RAS), which resides outside the Private Network.
        4. Computers on the Private Network are prohibited from using modems, computer faxes, T1 lines, and similar links. (This would create a bridge between the Private Network and an outside network.)
        5. Multihomed connections (computers with multiple network cards) are prohibited from directly connecting (bridging) to networks outside the Private Network.
        6. Computers that require access by the public-at-large are prohibited.
        7. Visiting personnel may not connect their computers to the Private Network.

     4. Public Network

        This network is intended for highly visible information servers that must be accessible by the public-at-large or collaborators, but require very substantial protection to assure uncompromised information integrity and service availability. This includes Public Web Servers, File Servers, E-mail Servers, Directory Services, and various Collaborative Services.

        1. The system owners will define access rules for their servers on the Public Network with approval from their civil servant line management and CSO.
        2. System owners or administrators are responsible for maintaining their servers.
        3. Remote System Administration must be done using CIO-approved secure methods. Where this is not possible, the system must be administered from its console.
        4. Computer Systems on the Public Network must be dedicated as servers (with exceptions for security, network, backup, and peripheral systems).
        5. User workstations are not permitted on the Public Network; further, Public Network servers may not serve in a dual capacity as user workstations.
        6. Computers that do not require public access are not permitted on the Public Network.
        7. Computers on the Public Network are prohibited from using modems, computer faxes, T1 lines and similar links.
        8. Multihomed connections (computers with multiple network cards) are prohibited from directly connecting (bridging) to networks outside the Public Network.
        9. Visiting personnel may not connect their computers to the Public Network.

     5. Open Network

        The Open Network contains computer resources that need to be freely accessible by the scientific community or the public-at-large and cannot function under the security rules of the Private and Public Networks. These resources require protection in terms of data integrity and availability, rather than extensive security measures that might hamper collaboration or other communications.

        1. This network has limited security and is considered "untrusted".
        2. Modems, T1 lines, computer faxes, and other similar connections are permitted on the Open Network.
        3. Multihomed connections from the Open Network to other external networks are permitted, but are not allowed to the Private and Public Networks.
        4. Access from the Open Network to the Private Network is treated as an "external untrusted connection" and requires user authentication and encryption.
        5. Computers and services on the Open Network are permitted upon the written approval of the civil service line management that certifies to his/her CSO that he/she has accepted the risks.

  4. Responsibilities

     1. The Ames CIO is responsible for enforcing this policy.
     2. The IT Security Manager is responsible for the Center IT Security Program. This includes implementing, monitoring and reporting compliance with the Network Security Policy.
     3. Supervisors and managers will report IT Security concerns and incidents to the IT Security Managers, and promote IT Security awareness.
     4. Employees, contractors and visitors will comply with ARC IT Security policies and procedures, and report IT Security incidents or unauthorized access to the IT Security Office at 4-1234.

  5. References

     Public Law 100-235, Computer Security Act of 1987
     NPG 2810, NASA Procedures and Guidance for Security of Information Technology
     NASA-STD-2813, Firewall Strategy, Architecture, Standards and Products


Thomas J. Moyles
Acting Director of Center Operations