Placement of Computing Devices in Network Security Zones

The University provides network access to advance its educational, research, scholarship and healthcare missions. While intended for our community to pursue its various endeavors, the network also presents certain security risks that can lead to exposure of confidential information or undermine the operation of devices connected to the network. To preserve the integrity of this commons, “network security zones” have been created to help manage security risks while permitting open and free access for scholarship, research, and exploration. All servers, end user devices, and other computing devices that connect to the University’s network are appropriately placed in these security zones to facilitate a balanced approach to protecting them from external network attack while enabling their intended use. This policy applies to computing devices that connect to the University’s network regardless of their ownership.

Departments, Schools, Divisions, Institutes, the College, administrative units, or other parts of the University may also have policies regarding assignment of computing devices to network security zones that build on the baseline protections established by this policy.

I. Definitions

University’s Network

The University’s network is that accessed by any computing device to which is assigned an IP address in the University’s registered IP address space. These are:

IP addresses between 128.135.0.0 and 128.135.255.255,
IP addresses between 205.208.0.0 and 205.208.127.255, and
IP addresses between 192.170.192.0 and 192.170.223.255.

Inbound versus Outbound Traffic

In this document, network traffic that transits from a point outside of the University’s network to a point inside that network is called “inbound” and network traffic that transits from a point inside of the University’s network to a point outside of that network is called “outbound.” Network interactions initiated from the University network to a service outside it will typically result in inbound traffic, for example, to convey the contents of a web page that was requested. Other inbound traffic is called “unsolicited”; it is initiated by actions outside of the University network.

Supporting IP Address Plan

An IP address plan designed to support network security zones must be in place in a given location before computing devices there can be placed in security zones. As network infrastructure is updated, users will begin to be able to place computers in the appropriate security zone to afford optimal protection.  In the meantime, users will continue to operate with security equivalent to the “Unprotected” zone defined below.

Network Security Zones

Network security zones are defined by the combination of security controls applied to inbound network traffic at the border of the University’s network, including firewalls and other measures that selectively block network traffic that constitutes known threats or that are outside of the definition of the corresponding security zone. Outbound traffic and network traffic between zones within the University network is not limited by this policy. The most commonly used zones are listed below:

Protected

Computing devices in this security zone may initiate and maintain connections to computers outside of the University’s network without restriction. All unsolicited inbound traffic is blocked.

Servers

Computing devices in this network security zone may initiate and maintain connections to computers outside of the University’s network without restriction. Inbound connections supporting common services (except remote management) are also permitted. Other unsolicited inbound traffic is blocked.

Unprotected

Computing devices in this network security zone may initiate and maintain connections to computers outside of the University’s network without restriction. Unsolicited inbound traffic is also permitted without restriction outside of that blocked by long standing best practice.

Other

Other zones may be defined and populated at the discretion of IT Security in IT Services to provide for the University’s diverse needs. For example, zones are defined to block remote management to computers that are otherwise Unprotected, and to provide remote management to machines that are otherwise Protected. Such additional zones may be used for dedicated devices with special requirements as well as to better protect specific classes of machines.

The capacity of the University’s network border to operationally sustain security zones additional to those defined above is limited; hence, any request to do so must be authorized by the University’s Chief Information Officer in consultation with IT Security in IT Services.

II. Criteria

While a supporting IP address plan is in place, the criteria below are used to determine to which network security zone a computing device should be assigned. Exceptions to these criteria for specific computing devices can be requested. Such requests must be approved by IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the University of Chicago Medical Center.

  1. Computing devices that do not need to expose online services directly to points outside of the University’s network are placed in the Protected network security zone. All new devices will initially be assigned to the Protected network security zone.
  2. Computing devices intended to provide online services directly to points outside of the University’s network are placed in the Servers network security zone.
  3. Protected and Server security zones each have a variation that permits remote management access. Requests to place computing devices in one of these security zones must be approved by IT Security in IT Services, the Information Security Office in the Biological Sciences Division, or the Information Security Office in the Medical Center. In general, the University’s VPN service should be used for remote management access to computing devices in the Protected and Servers security zones.
  4. Certain dedicated function computing devices require most ports to be unblocked in order to function properly. These devices will be placed in compatible network security zones as directed by IT Security in IT Services.
  5. Computing devices required to expose a broad range of services or ports to points outside of the University’s registered network are placed in the Unprotected network security zone. Faculty, staff, and students may elect to place their computing devices in the Unprotected security zone. IT Security in IT Services, the Information Security Office in the Biological Sciences Division, and the Information Security Office in the Medical Center may review these elections and intervene where there is a concern of creating a security risk.

Frequently Asked Questions

What parts of the University have security policies that overlap this standard, and which of them must be followed?

All policies that pertain to a given department, division, school, unit or activity must be followed. At the time of this writing, the Biological Sciences Division requires all of its departments to place all of their non-server computing devices in the Protected network security zone defined in this policy.

How should I think about the “Protected” and “Server” zones?

The Protected zone is similar to being behind a firewall inside a home with a typical broadband connection. Most users will find the Protected zone affords complete network access for all their activities. The Server zone is designed for machines that serve web pages and other common internet services. Cf. “Which ports are blocked or permitted for each network security zone?” below.

What security controls selectively block network traffic that constitutes known threats? How are such threats “known”?

The University operates an Intrusion Prevention System (IPS) that provides the capability to block inbound and outbound network traffic based on per-threat bespoke algorithms and reputation scores of external sites. Data underlying these algorithms and reputation scores are gathered from a wide range of global sources by independent security organizations. The University’s IPS is operated to only block network flows that have been identified with high confidence as a threat.

What is an IP address plan?

An IP address plan is an element of network architecture that provides a systematic way to assign IP addresses to computing devices to facilitate a variety of network management and network security needs.

Can I change zones without changing IP addresses?

Changing zones will necessarily mean changing IP addresses.

How can it be determined whether a specific building or facility has an IP address plan that supports placement in network security zones?

Local IT staff should be aware of this status.

How is placement of a computing device in a network security zone accomplished?

There are three ways this may occur. The first is in conjunction with the upgrading of a building’s network equipment and IP address plan by IT Services. A step in that upgrade process is to gather information about each computing device and network connection so that they can be appropriately configured into the campus network. Outside of such upgrade projects, local IT staff can facilitate the IP address changes that may be needed to implement placement of a computing device in a specified network security zone. Finally, an end user can do so themselves by submitting a corresponding request to IT Services online.

How should requests for non-default assignments to network security zones be submitted?

Such requests can be placed by visiting the IT Services request site.

How are department-wide requests for exceptions to this standard to be handled?

Heads and administrators of departments and units and their local IT staff confer with the Information Security Office about prospective exceptions.

What network security zones apply to devices with “private” IP addresses?

Private IP addresses are those that, by Internet standards, are restricted for use internal to a single network, so network security zone does not pertain to them. However, the level of protection afforded by having a private IP address is greater than Protected.

What network security zones apply to computing devices connected to campus wireless or VPN services?

They are in the Protected network security zone.

What are examples of dedicated function computing devices that are placed in other network security zones?

At the time this is written, some audio-visual, printers, and multi-function devices require that most ports are unblocked. Some of these device types also implement poor security controls on their remote management ports. This category of device motivated the creation of a network security zone called “Unprotected without Remote Management,” and devices are placed into this zone only under the direction of IT Security in IT Services.

Which ports are blocked or permitted for each network security zone?

All network security zones implement long standing best practice by blocking inbound traffic to a specified set of ports associated with services that are either discontinued or designed for use only within the University’s network. These ports, together with those permitted or blocked as indicated by the definitions above, are identified on the Network Border Firewall Security Zone Policy page (login required).

Category: Security
Policy Owner: Chief Information Security Officer