1610 PR.03 Network Configuration Security

Revision Date: December 2, 2019

Contents

1.     Overview

2.     Definitions

3.     Network Internet Protocol (IP) Address Security

1.  Overview

This document provides general procedures for configuring network access for computing devices used for Yale business on Yale University networks.  The network address ranges assigned to computing devices may vary depending on campus location, the device owner’s role at the university, or the computing device’s function.  Your local support provider can help explain these differences.

2.  Definitions

Public IP Address

An IP address that can be accessed from the Internet.  Devices with public IP addresses can communicate with other devices on the Internet with public IP addresses but not directly with devices with private IP addresses.  Web servers are usually situated on public IP addresses if the hosted content is for general public consumption.

Non-routable (“Private”) IP Address

An IP address that cannot be accessed from outside of an organization’s network.  Devices with private IP addresses cannot connect directly to the Internet.  Yale uses Network Address Translation (NAT) to accept communication requests from the Internet at a set of common public IP addresses on behalf of devices with private IP addresses assigned by Yale.  This Internet traffic is then directed to the appropriate device. Most home broadband routers function in this fashion.

Remote Access

Any access to a device on the Yale University data network through a non-Yale controlled network, device, or medium, for example by DSL, cable modem or dial-up connection.

Web Server

A web server listens for and handles inbound client requests for content.  This means delivery of HTML documents and any additional content that may be included on a page, such as images, style sheets and scripts.

3.  Network Internet Protocol (IP) Address Security

1. Applicability to Wired and Wireless Networks at Yale University

This procedure applies equally to wired and wireless networks at Yale University, irrespective of where on campus this connection is made.  For example, this requirement applies equally within publicly accessible areas of the University, within clinical areas, within research areas, within an ITS Data Center, and within student housing.

2. Responsibility for Obtaining an Appropriate IP Address

The device owner is responsible for ensuring each system has the appropriate type of IP address assigned to it. 

3. Default Network Internet Protocol (IP) Address Configuration — Non-routable IP Address

Any device (server, laptop, workstation, printer, research hardware, mobile computing device, smartphone, etc.) connected to the Yale network is to be assigned a non-routable (“private”) IP address.
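The following is an added example, not part of the Yale procedure: a small audit script a device owner or local support provider could run against a device inventory to find systems holding a public IP address without an approved exception. The inventory lines, hostnames and the comma-separated format are constructed for the example; the non-routable ranges are the RFC 1918 IPv4 blocks and the IPv6 unique-local block (RFC 4193).

```python
"""Audit a device inventory for public IP assignments (added example, not
part of the Yale procedure).  Inventory data below is constructed."""
import ipaddress

# Address ranges treated as non-routable ("private") for this check:
# RFC 1918 IPv4 blocks plus the IPv6 unique-local block (RFC 4193).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def classify(addr_text):
    """Return 'private', 'public' or 'other' for one IP address string.

    'other' covers loopback, link-local, multicast and unspecified addresses,
    which are neither Internet-routable nor RFC 1918 / ULA assignments.
    Everything else is treated as public, which is the case that needs an
    approved exception under the procedure."""
    addr = ipaddress.ip_address(addr_text)
    if any(addr in net for net in NON_ROUTABLE):
        return "private"
    if (addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified):
        return "other"
    return "public"


def parse_inventory(text):
    """Parse constructed 'hostname, ip, exception_approved' lines into dicts.
    Blank lines and '#' comments are skipped."""
    devices = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ip, exc = [field.strip() for field in line.split(",")]
        devices.append({"host": host, "ip": ip,
                        "exception": exc.lower() == "yes"})
    return devices


def audit(devices):
    """Return hostnames that hold a public address without an approved exception."""
    findings = []
    for device in devices:
        if classify(device["ip"]) == "public" and not device["exception"]:
            findings.append(device["host"])
    return findings


# Constructed sample inventory; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here to stand in for public addresses.
SAMPLE_INVENTORY = """
# hostname, address, approved exception
lab-printer-01, 10.5.12.7, no
www-public, 203.0.113.10, yes
research-box, 198.51.100.23, no
dev-laptop, 172.20.4.9, no
ipv6-node, fd12:3456:789a::1, no
"""

if __name__ == "__main__":
    for host in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{host}: public address without approved exception")
```

The ranges are listed explicitly rather than relying on the `is_private` property because that property also matches documentation, benchmarking and reserved blocks whose handling differs across Python versions; for a policy check, the decision rule should be stated in the script.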

4. Network Configuration for Devices Processing Credit Card Information

All devices used in the processing of credit card payments require special network address assignment.  Please contact the University Information Security Office (“ISO”) for assistance.

5. Network Configuration for Devices Containing or Processing Protected Health Information

All devices containing or processing protected health information (PHI) require special network address assignment. Please contact the Information Security Office for assistance.  (For a definition of protected health information, please refer to the Master Glossary of HIPAA Security Terms in the Definitions section within Policy 5100 Electronic Protected Health Information Security Compliance.)

6. Risk Mitigation

If Yale Information Security should determine that any Yale computer is under a persistent attack that places the University at risk in any way, the ISO can require that the computer be migrated to a private IP address.

7. Exceptions

As stated in Item #2 above, a device owner is ultimately responsible for using the correct type of IP address.  The device owner may be asked to confirm in writing that they accept the risk associated with using a public IP address before any exception is granted.  A policy exception can be submitted using the University policy exception process.

Web servers and public-facing services may be assigned a public IP address behind a firewall or other network protection device designed to protect that type of service with the approval of the University Information Security Office (ISO).  Please contact the ISO for assistance.

All other exception requests must be based on a clearly articulated University business need.  A request for an exception to this policy should be made by a device owner’s IT support personnel to the University ISO via the University policy exception process.  The Controller’s Office must provide final approval for any exception.