Network Infrastructure Management
Safeguard 12 - Network Infrastructure Management
All networks must conform to the policies below. If you operate a network that has access to Virginia Tech’s resources, please contact NIS to see if services can provided by the division of IT.
12.1 - Ensure Network Infrastructure is Up-to-date
Ensure network infrastructure is kept up-to-date. Review software versions monthly, or more frequently, to verify support.
12.2 - Establish and Maintain a Secure Network Architecture
Network service owners must establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. NI&S and the ITSO provide the Restricted/Limited Access Network (RLAN) service for additional protection of network and computing environments with personally identifying information (PII). NI&S provides an RFC1918 addressed virtual LAN (VLAN) network segment which isolates hosts from the Internet and prevents direct inbound connection attempts from external hosts.
12.3 - Securely Manage Network Infrastructure
Securely manage network infrastructure using appropriate physical and logical access controls, MFA, and out-of-band management by connecting from only trusted and hardened management hosts.
12.4 - Establish and Maintain Architecture Diagrams
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, at minimum, or when significant changes occur.
12.5 - Centralize Network Authentication, Authorization and Auditing (AAA)
Centralize network AAA through a directory service, where supported.
12.6 - Use of Secure Network Management and Communication Protocols
Use only current industry standard management and communication protocols (SNMPv3, 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater, SSH, etc.) and do not use insecure protocols, such as Telnet, SNMP, HTTP unless operationally essential and with a documented exception and use of compensating controls.
12.7 - Ensure Remote Devices use a VPN and are Connecting to an Enterprise AAA Infrastructure
Connect to the Pulse Secure Remote Access VPN and authentication services prior to accessing on-campus assets and services.