Ames Policy Directive
APD 2810.1 Effective Date: February 9, 2001
Expiration Date: February 9, 2005
Subject: Network Security Policy
Responsible Office: JT/ Applied Information Technology Division, Mail Stop 233-17
This document applies to all individuals and IT (Information Technology) resources located on Ames-managed networks. This includes civil service, contractor, tenant, and outsource personnel. It also applies to all computers, routers, peripherals and other devices.
All Information Technology (IT) resources at Ames, such as data, information, applications, and systems, are considered to be valuable and sensitive to some degree. This document covers network and computer security for ARCLAN to protect Ames IT resources from threats and attacks originating primarily from outside the Ames environment.
- Network Structure
ARCLAN will have three separate Local Area Networks (LANs), with different levels of access security defined as: Private Network, Public Network, and Open Network. Each network will be protected by a combination of Firewalls, Intrusion Detection Systems, and host level system security. In addition, a Border Router will further insulate all three networks from the Internet. The ARCLAN Configuration Control Board (CCB) provides overall policies for network design and architecture. The Firewall CCB is responsible for overseeing the Firewall rules that define ports and services into Ames. The Firewall CCB works in conjunction with the ARCLAN CCB and organizational Computer Security Officers (CSOs) to review and approve changes to the Firewall rules. (A list of the Ames CSOs is available at: http://computer-security.arc.nasa.gov/people.html)
- General Networking (for all Ames-managed networks)
- Any system or service that poses an unacceptable risk, as determined by the Ames IT Security Manager or CCB, to any other Ames system or service on an Ames network will be disconnected. Violations may be subject to review by Ames Management, the NASA Inspector General or other law-enforcement agencies.
- All devices that connect to an Ames-managed network must be registered with a proper IP address. Users can contact their Network Administrator or the IT Support Center, 4-2000, for assistance.
- Users must get approval from their civil servant line management prior to adding or moving a computer system that connects to an Ames network. Line management must certify to their CSO that the system meets the following criteria:
- Is registered at Ames (i.e., it has a valid IP address);
- Has antivirus software installed (http://arclib.arc.nasa.gov/);
- Adheres to the NASA Banner Requirement (http://computer-security.arc.nasa.gov/policies/banners/);
- Has been scanned for computer vulnerabilities by the local Network Administrator or the IT Security Group (4-1234).
- Network scanning is restricted to the IT Security Office, Ames Network Operations Group, and CSOs. With approval from their CSO, Network Administrators can conduct scanning of their organizational networks.
- The use of computer and network attack tools is strictly prohibited unless an explicit waiver is obtained from the Ames IT Security Manager.
- Wireless systems on the Ames Networks are subject to the provisions in this policy.
- All networking devices, i.e., hubs, switches, routers, etc., will be placed in authorized locations such as communication closets or other areas approved by the ARCLAN CCB. Only the ARCLAN CCB may grant an exception to this policy.
- Ames personnel (civil servant, contractor, tenant and outsource) that connect non-NASA computers or other IT systems to Ames networks must also comply with the provisions of this policy.
- Visiting personnel may not connect their computers to the Private or Public LANs; their connections are only allowed on the Open LAN.
- Users must report any computer compromise immediately to the IT Security Office, 4-1234. See: http://computer-security.arc.nasa.gov
- Private Network
This network contains the Center's critical resources (such as mission-critical systems, restricted group servers, nonpublic servers, and end-user computer systems) that require strong security protection from the Internet.
- External access (i.e., connections from remote dialup or networks) is restricted to Ames Chief Information Officer (CIO)-approved access methods that require user authentication and encryption.
- All accounts for external access into the Private Network must be approved in writing by civil servant line management. Users can apply for this service at: http://appliedit.arc.nasa.gov/vpn/
- Dialup into the Private Network is restricted to the central Ames Remote Access System (RAS), which resides outside the Private Network.
- Computers on the Private Network are prohibited from using modems, computer faxes, T1 lines, and similar links. (This would create a bridge between the Private Network and an outside network.)
- Multihomed connections (computers with multiple network cards) are prohibited from directly connecting (bridging) to networks outside the Private Network.
- Computers that require access by the public-at-large are prohibited.
- Visiting personnel may not connect their computers to the Private Network.
- Public Network
This network is intended for highly visible information servers that must be accessible by the public-at-large or collaborators, but that require very substantial protection to assure uncompromised information integrity and service availability. This includes Public Web Servers, File Servers, E-mail Servers, Directory Services, and various Collaborative Services.
- The system owners will define access rules for their servers on the Public Network with approval from their civil servant line management and CSO.
- System owners or administrators are responsible for maintaining their servers.
- Remote System Administration must be done using CIO-approved secure methods. Where this is not possible, the system must be administered from its console.
- Computer Systems on the Public Network must be dedicated as servers (with exceptions for security, network, backup, and peripheral systems).
- User workstations are not permitted on the Public Network; further, Public Network servers may not serve in a dual capacity as user workstations.
- Computers that do not require public access are not permitted on the Public Network.
- Computers on the Public Network are prohibited from using modems, computer faxes, T1 lines and similar links.
- Multihomed connections (computers with multiple network cards) are prohibited from directly connecting (bridging) to networks outside the Public Network.
- Visiting personnel may not connect their computers to the Public Network.
- Open Network
The Open Network contains computer resources that need to be freely accessible by the scientific community or the public-at-large and cannot function under the security rules of the Private and Public Networks. These resources require protection in terms of data integrity and availability, rather than extensive security measures that might hamper collaboration or other communications.
- This network has limited security and is considered "untrusted".
- Modems, T1 lines, computer faxes, and other similar connections are permitted on the Open Network.
- Multihomed connections from the Open Network to other external networks are permitted, but are not allowed to the Private and Public Networks.
- Access from the Open Network to the Private Network is treated as an "external untrusted connection" and requires user authentication and encryption.
- Computers and services on the Open Network are permitted upon the written approval of civil servant line management, who certify to their CSO that they have accepted the risks.
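The multihomed-connection rules for the three LANs (Private and Public hosts may not bridge to any outside network; Open hosts may bridge to external networks but not to the Private or Public Network) are the one part of this policy that a CSO or Network Administrator can check mechanically. The script below is an added example and is not part of APD 2810.1 or any Ames tooling. It assumes a hypothetical address plan for the three zones (the policy names the LANs but gives no prefixes) and feeds constructed `ip -o -4 addr` listings for four imaginary hosts; in practice the listings would be collected from the hosts themselves.

```python
"""Check a host's interface list against the ARCLAN multihomed-connection rules.

Added example, not part of APD 2810.1. The zone prefixes below are an
assumption (the policy names the three LANs but not their address ranges),
and the interface listings are constructed sample data in the format of
`ip -o -4 addr`.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed address plan for the three ARCLAN LANs; anything else is "external".
ZONES: Dict[str, List[str]] = {
    "private": ["10.10.0.0/16"],
    "public": ["10.20.0.0/24"],
    "open": ["10.30.0.0/16"],
}


def classify(cidr: str) -> str:
    """Return the zone an interface address belongs to, or "external"."""
    ip = ipaddress.ip_interface(cidr).ip
    for zone, prefixes in ZONES.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return zone
    return "external"


def parse_ip_addr(output: str) -> List[Tuple[str, str]]:
    """Parse `ip -o -4 addr` lines into (interface, cidr), skipping loopback."""
    interfaces = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        if fields[1] == "lo":
            continue
        interfaces.append((fields[1], fields[3]))
    return interfaces


def check_host(hostname: str, ip_addr_output: str, ip_forward: bool) -> dict:
    """Apply the policy's multihomed rules to one host.

    Private and Public hosts may not connect to any other network at all;
    Open hosts may connect to external networks but not to Private or Public.
    A multihomed host is reported as prohibited whether or not it forwards
    packets, because the policy bans the connection itself; the forwarding
    flag is recorded so the reviewer can see which hosts are actively routing.
    """
    interfaces = parse_ip_addr(ip_addr_output)
    zones = sorted({classify(cidr) for _, cidr in interfaces})
    multihomed = len(zones) > 1
    touches_protected = any(z in ("private", "public") for z in zones)
    return {
        "host": hostname,
        "interfaces": interfaces,
        "zones": zones,
        "prohibited": multihomed and touches_protected,
        "forwarding": ip_forward,
    }


# Constructed sample hosts (not real Ames systems): (name, `ip -o -4 addr` output, ip_forward).
SAMPLE_HOSTS = [
    ("ws-1", "1: lo    inet 127.0.0.1/8 scope host lo\n"
             "2: eth0    inet 10.10.4.7/16 brd 10.10.255.255 scope global eth0\n"
             "3: eth1    inet 192.168.50.2/24 brd 192.168.50.255 scope global eth1\n", True),
    ("open-1", "2: eth0    inet 10.30.8.1/16 brd 10.30.255.255 scope global eth0\n"
               "3: ppp0    inet 198.51.100.9/32 scope global ppp0\n", False),
    ("open-2", "2: eth0    inet 10.30.9.2/16 brd 10.30.255.255 scope global eth0\n"
               "3: eth1    inet 10.10.5.5/16 brd 10.10.255.255 scope global eth1\n", False),
    ("web-1", "2: eth0    inet 10.20.0.5/24 brd 10.20.0.255 scope global eth0\n", False),
]


def audit(hosts=SAMPLE_HOSTS) -> List[dict]:
    """Run check_host over every sample host and return the findings."""
    return [check_host(name, output, fwd) for name, output, fwd in hosts]


if __name__ == "__main__":
    for finding in audit():
        status = "PROHIBITED" if finding["prohibited"] else "ok"
        print(f'{finding["host"]:8} zones={finding["zones"]} '
              f'forwarding={finding["forwarding"]} -> {status}')
```

Of the four constructed hosts, `ws-1` (Private plus an outside network) and `open-2` (Open plus Private) are flagged; `open-1` (Open plus an external dialup link) is permitted under the Open Network rule, and the single-homed `web-1` is untouched. Note that the check deliberately does not exempt a host just because IP forwarding is off: the policy prohibits the second connection itself, and forwarding is a one-line `sysctl` change away.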
- Responsibilities
- The Ames CIO is responsible for enforcing this policy.
- The IT Security Manager is responsible for the Center IT Security Program. This includes implementing, monitoring and reporting compliance with the Network Security Policy.
- Supervisors and managers will report IT Security concerns and incidents to the IT Security Manager, and promote IT Security awareness.
- Employees, contractors and visitors will comply with ARC IT Security policies and procedures, and report IT Security incidents or unauthorized access to the IT Security Office at 4-1234.
- References
Public Law 100-235, Computer Security Act of 1987
NPG 2810, NASA Procedures and Guidance for Security of Information Technology
NASA-STD-2813, Firewall Strategy, Architecture, Standards and Products
Thomas J. Moyles
Acting Director of Center Operations