Standard Number: 1.1.2.1.9
Category: Information Security
Owner: Information Technology Services
Effective: February 2, 2022
Revision History: None
Review Date: February 1, 2025
PURPOSE, SCOPE AND RESPONSIBILITIES
- Pursuant to the Information Security Policy, the University will secure the Campus Network. Integral to the security of the Campus Network is limiting access privileges to those who need them by splitting it into sub-networks (“Network Segmentation”).
- The purpose of this Standard is to establish the guidelines for Network Segmentation across the University to protect the Campus Network from widespread cyber-attacks, as well as to enable better network performance by reducing the number of users in specific areas. This Standard is based on the NIST 800-171 “Systems & Communications” and “Security Assessment” control guidelines, which outline network segmentation frameworks.
- This Standard applies to all Virtual Local Area Networks (VLANs) created to segment the Campus Network.
- The Chief Information Officer, supported by the Chief Security Officer and Executive Director for Enterprise Infrastructure, is responsible for the implementation and enforcement of this Standard.
- WVU Information Technology Services (“ITS”) Network Operations and Health Sciences Center Information Technology Services (“HSCITS”) Network Systems are responsible for approving the creation of new VLANs that control the flow of information into and out of the Campus Network and its segments.
- LAN Managers are responsible for identifying when new VLANs must be created and requesting approval through Network Operations/Network Systems, as well as authorizing any approved changes to ACLs.
Network Segments
- The University will segment its Campus Network through the use of Virtual Local Area Networks (VLANs), which are logical groupings of hosts that share a broadcast domain.
VLANs will be created, and membership assigned, based on the following purposes:
- Physical location. VLANs may be created based on physical requirements, such as grouping by campus, building, and/or floor.
- Function. VLANs may be created based on functional requirements, such as conducting WVU business, providing guest wireless access, connecting Internet of Things devices, or gaming in student residence halls.
- Compliance. VLANs may be created based on compliance requirements, such as grouping a specific department that is subject to compliance requirements.
- Security. VLANs may be created to protect access to Sensitive Data and to provide privileged access to University Information Systems.
- Each VLAN must have an identified LAN Manager responsible for managing and configuring it.
- When creating an approved VLAN, LAN Managers must:
- Identify each VLAN by a VLAN ID Number;
- Set a specific IP Address scope for each VLAN;
- Assign each switch port or route to be a member of a VLAN so that it can receive and send traffic on that VLAN;
- Permit only selected, approved, and trusted devices and services on each VLAN, based on an Access Control List (see Section 3); and
- Add the VLAN to the WVU ITS/HSC ITS DHCP Servers to ensure that hosts on the VLAN receive the appropriate IP addresses.
- External systems authorized to connect to systems transmitting, processing, or storing Sensitive Data should be formally identified/approved.
- Static IPs will be allocated and provided when Network Operations/Network Systems or the LAN Manager determines there is a need to do so.
Firewall Rules
- The University will utilize Firewall Rules (e.g., Access Control Lists, NSX rules, Palo Alto rules) to determine the level of access required to network segments.
- Firewall Rules are managed by Network Operations/Network Systems; however, LAN Managers are authorized to approve any changes to VLANs.
- Firewall Rules must be based on the principle of Least Privilege.
- Users must be permitted to access network segments that contain Sensitive Data only from University-Owned Devices.
- Firewall Rules must be reviewed regularly and updated. Pursuant to the Campus Network Firewall Review Procedure, a comprehensive review must be conducted, at minimum, every six months. This review includes auditing ports to ensure they are open only to necessary areas.
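The VLAN creation checklist and the Firewall Rule requirements above can be expressed as a policy-as-code check. The following is an added example, not ITS or HSCITS tooling; the record field names (vlan_id, ip_scope, lan_manager, ports, dhcp_registered, sensitive, acl, last_review) and the sample records are constructed for illustration.

```python
import ipaddress
from datetime import date, timedelta
# Field names (vlan_id, ip_scope, lan_manager, ports, dhcp_registered, sensitive, acl,
# last_review) are assumptions for this example, not an ITS schema.
REVIEW_INTERVAL = timedelta(days=182)   # "at minimum, every six months"
AS_OF = date(2022, 2, 2)                # audit date used for the sample records

def vlan_findings(vlan, today=AS_OF):
    """Return the Standard violations for one VLAN record (empty list = compliant)."""
    f = []
    vid = vlan.get("vlan_id")
    if not isinstance(vid, int) or not 1 <= vid <= 4094:
        f.append("VLAN ID must be an integer in 1-4094")
    try:  # strict=True rejects a scope with host bits set, e.g. 10.20.11.5/24
        ipaddress.ip_network(vlan.get("ip_scope", ""), strict=True)
    except ValueError:
        f.append("IP Address scope must be a valid CIDR prefix")
    if not vlan.get("lan_manager"):
        f.append("no LAN Manager identified")
    if not vlan.get("ports"):
        f.append("no switch ports assigned to the VLAN")
    if not vlan.get("dhcp_registered"):
        f.append("VLAN not added to the ITS/HSC ITS DHCP servers")
    rules = vlan.get("acl") or []
    if not rules:
        f.append("no Access Control List defined")
    for r in rules:
        # Least Privilege: a blanket permit from any source to any port is not allowed
        if r["action"] == "permit" and r["src"] == "any" and r["dport"] == "any":
            f.append(f"rule {r['name']}: permit any/any violates Least Privilege")
        # Sensitive Data segments may only be reached from University-Owned Devices
        if vlan.get("sensitive") and r["action"] == "permit" and not r.get("university_owned"):
            f.append(f"rule {r['name']}: non-University-Owned source into Sensitive Data segment")
    last = vlan.get("last_review")
    if last is None or today - last > REVIEW_INTERVAL:
        f.append("Firewall Rules overdue for the six-month review")
    return f

def audit(vlans, today=AS_OF):
    return {v["vlan_id"]: vlan_findings(v, today) for v in vlans}

# Constructed sample records (not real WVU VLANs): one compliant, one failing every check.
SAMPLE_VLANS = [
    {"vlan_id": 210, "ip_scope": "10.20.10.0/24", "lan_manager": "example-manager",
     "ports": ["Gi1/0/1", "Gi1/0/2"], "dhcp_registered": True, "sensitive": True,
     "last_review": date(2022, 1, 10), "acl": [{"name": "hr-app", "action": "permit",
     "src": "10.20.0.0/16", "dport": "443", "university_owned": True}]},
    {"vlan_id": 5000, "ip_scope": "10.20.11.5/24", "lan_manager": "", "ports": [],
     "dhcp_registered": False, "sensitive": True, "last_review": date(2021, 6, 1),
     "acl": [{"name": "open", "action": "permit", "src": "any", "dport": "any",
              "university_owned": False}]},
]
```

Running `audit(SAMPLE_VLANS)` returns an empty finding list for VLAN 210 and eight findings for the second record, one per checklist item it misses.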
DEFINITIONS
- “Access Control Lists” means a list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
- “Confidentiality” means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- “Dynamic Host Configuration Protocol (DHCP) Server” means a network server that automatically provides and assigns IP addresses, default gateways, and other network parameters to client devices.
- “Firewall Rules” means rules used to filter network traffic by either blocking or allowing packets based on defined rules that are assigned directly to a firewall.
- “Integrity” means guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
- “Internet of Things” means objects or devices not traditionally connected to the network that contain electronics, software, sensors, and actuators which allow them to connect, interact, and exchange data with the Campus Network such as appliances, automobiles, smart TVs, and smart speakers.
- “Least Privilege” means granting a system the minimum resources and authorizations needed to perform its function, or restricting the access privileges of authorized personnel to the minimum functions necessary to perform their jobs.
- “Network Segmentation” is the process of splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating them to a limited part of the network.
- “Privileged Access” means full rights granted to an administrative account or user, intended to be used only when performing management tasks such as installing updates, managing user accounts, and modifying operating system and application settings.
- “University Technology Resource” means the Campus Network, University-owned hardware, software, and communications equipment, technology facilities, and other relevant hardware and software items as well as personnel tasked with the planning, implementation, and support of technology.
Related Documents