1610 PR.03 Network Configuration Security

Revision Date: September 8, 2014

Overview

This document provides general procedures for configuring network access for computing devices used for Yale business on Yale University networks. The network address ranges assigned to computing devices may vary depending on campus location, the device owner’s role at the university, or the computing device’s function. Your local support provider can help explain these differences.

Definitions

Public IP Address – An IP address that can be accessed from the Internet. Devices with public IP addresses can communicate with other devices on the Internet with public IP addresses but not directly with devices with private IP addresses. Web servers are usually situated on public IP addresses if the hosted content is for general public consumption.  (See also, http://pcsupport.about.com/od/termsp/g/public-ip-address.htm.)

Non-routable (“Private”) IP Address – An IP address that cannot be accessed from outside of an organization’s network. Devices with private IP addresses cannot connect directly to the Internet. Yale uses Network Address Translation (NAT) to accept communication requests from the Internet at a set of common public IP addresses on behalf of devices with private IP addresses assigned by Yale. This Internet traffic is then directed to the appropriate device. Most home broadband routers function in this fashion. (See also, http://compnetworking.about.com/cs/tcpipaddressing/g/bldef_nat.htm and http://compnetworking.about.com/od/workingwithipaddresses/f/privateipaddr.htm.)

Remote Access — Any access to a device on the Yale University data network through a non-Yale controlled network, device, or medium, for example by DSL, cable modem or dial-up connection.

Web Server – A web server listens for and handles inbound client requests for content. This means delivery of HTML documents and any additional content that may be included on a page, such as images, style sheets and scripts.

Network Internet Protocol (IP) Address Security

1. Applicability to Wired and Wireless Networks at Yale University

This procedure applies equally to wired and wireless networks at Yale University, irrespective of where on campus this connection is made. For example, this requirement applies equally within publicly accessible areas of the University, within clinical areas, within research areas, within an ITS Data Center, and within student housing.

2. Responsibility for Obtaining an Appropriate IP Address

The device owner is responsible for ensuring each system has the appropriate type of IP address assigned to it. 

3. Default Network Internet Protocol (IP) Address Configuration — Non-routable IP Address

Any device (server, laptop, workstation, printer, research hardware, mobile computing device, smartphone, etc.) connected to the Yale network is to be assigned a non-routable (“private”) IP address.

4. Network Configuration for Devices Processing Credit Card Information

All devices used in the processing of credit card payments require special network address assignment. Please contact Information Security, Policy and Compliance for assistance.

5. Network Configuration for Devices Containing or Processing Protected Health Information

All devices containing or processing protected health information (PHI) require special network address assignment. Please contact Information Security, Policy and Compliance for assistance. (For a definition of protected health information, please refer to the Master Glossary of HIPAA Security Terms in the Definitions section within Policy 5100 (Link 1) Electronic Protected Health Information Security Compliance.)

6. Risk Mitigation

If Yale Information Security should determine that any Yale computer is under a persistent attack that places the University at risk in any way, the ISO can require that the computer be migrated to a private IP address.

7. Exceptions

As stated in Item #2 above, a device owner is ultimately responsible for using the correct type of IP address. The device owner may be asked to confirm in writing that they accept the risk associated with using a public IP address before any exception is granted.

Web servers and public-facing services may be assigned a public IP address behind a firewall or other network protection device designed to protect that type of service with the approval of Information Security, Policy and Compliance. Please contact Information Security, Policy and Compliance for assistance.

All other exception requests must be based on a clearly articulated University business need. A request for an exception to this policy should be made by a device owner’s IT support personnel to Information Security, Policy and Compliance via an Internal Service Request in ServiceNow. The Controller’s Office must provide final approval for any exception.

Contact Information

Topic | Contact | Contact Method
Network Address Assignment | Distributed Support Personnel (DSPs) | ITS Help Desk: 203-432-9000
Exception Requests | Information Security, Policy and Compliance | ServiceNow – Service Catalog – Internal ITS Request: https://yale.service-now.com; ITS Help Desk: 203-432-9000