REDDnet Remote Site Security Overview


Security overview

REDDNet's current security plan balances security requirements against the level of service and academic freedom our users expect. We are able to enforce stricter measures than those outlined in this document should a specific need arise.

Security contacts

Role       Name             Phone
Primary    Mathew Binkley   (615) 322-5857
Secondary  Alan Tackett     (615) 322-1028

Physical security

Where a depot is housed at a remote site depends on that site's requirements. It is strongly suggested that access to the room be restricted by key, pass card, or another token; the room should not be accessible to the general public. Only the administrative and technical contacts named in the MoU will be granted (restricted) login rights on the depots, and only for maintenance purposes.

Network security

Remote depots require several network ports to be reachable, some from Vanderbilt only and some from the Internet at large, for normal operation and monitoring. The list of required ports, with the source each must be open to, is maintained at:

http://www.reddnet.org/mwiki/index.php/REDDNet_Site_Requirements

Remote sites must ensure that these ports are open as described, both at a departmental level and at your organization's perimeter firewall.

Each remote depot also runs a host firewall (iptables) that limits inbound connections to the required ports and, where the service is only needed from Vanderbilt, to the required source addresses; everything else is dropped. This ruleset is maintained by REDDNet staff, so local changes to it should be coordinated with the security contacts above.
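The following is an added example of the kind of host ruleset described above, written for this page and not REDDNet's actual iptables configuration. It generates an iptables-restore file with a default-deny INPUT policy and one ACCEPT per service, each optionally restricted to a source range. The port numbers and the management CIDR are placeholders (assumptions); the real ports are the ones on the Site Requirements page linked above.

```shell
#!/bin/sh
# Added example: build a default-deny iptables ruleset for a depot.
# Not REDDNet's own ruleset. Ports and CIDRs below are placeholders.

# Network allowed to reach SSH (assumption: a Vanderbilt management range).
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Services as "proto:port:source"; source is a CIDR or "any".
# Placeholder entries: replace with the ports from the site requirements page.
DEPOT_SERVICES="${DEPOT_SERVICES:-tcp:22:$MGMT_NET tcp:6714:any udp:6714:any}"

# Emit one ACCEPT rule for a "proto:port:source" entry; reject malformed input.
allow_rule() {
    proto=${1%%:*}; rest=${1#*:}
    port=${rest%%:*}; src=${rest#*:}
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$src" = any ]; then
        echo "-A INPUT -p $proto --dport $port -j ACCEPT"
    else
        echo "-A INPUT -s $src -p $proto --dport $port -j ACCEPT"
    fi
}

# Print a complete iptables-restore file for the filter table.
gen_depot_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"          # default deny inbound
    echo ":FORWARD DROP [0:0]"        # a depot never routes traffic
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"   # monitoring pings
    for svc in $DEPOT_SERVICES; do
        allow_rule "$svc" || return 1
    done
    echo "COMMIT"
}

# Number of explicit ACCEPT rules in the generated ruleset (for review).
count_accepts() {
    gen_depot_rules | grep -c -- '-j ACCEPT'
}

# Usage (as root, after reviewing the output):
#   gen_depot_rules > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```

Because the INPUT policy is DROP, a port missing from DEPOT_SERVICES fails closed; after loading the rules, confirm from a host outside the site that each required port is still reachable, since a departmental or perimeter firewall can block it independently of this ruleset.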

OS security

REDDNet staff monitor CERT, Crypto-Gram, and other security sources daily for new errata. Security fixes are applied to every depot with apt-get as soon as Ubuntu/Debian publishes them; in practice this means every one to two days, and never less often than once a week.

When a critical vulnerability is disclosed before the vendor has released a fix, we may disable the affected service or deploy our own patched package until the vendor update is available.
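As an added illustration of the update cadence above (this is example code written for this page, not REDDNet's own tooling), the script below separates pending upgrades that come from the distribution's security pocket from the rest, so the security fixes can be applied daily while other upgrades wait for a maintenance window. It parses the dry-run output of apt-get; the sample output embedded in the script is constructed and the package versions in it are made up.

```shell
#!/bin/sh
# Added example: list pending package upgrades that come from the
# Ubuntu/Debian security pocket, by parsing "apt-get -s upgrade" output.
# Not REDDNet's own tooling.

# Reads apt-get simulation output on stdin and prints "package newversion"
# for each pending upgrade whose source includes a "-security" pocket.
# Typical input line:
#   Inst openssl [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-security [amd64])
security_pending() {
    grep '^Inst ' | grep -- '-security' | awk '{
        # the new version is the first field that opens the parenthesis;
        # the "[oldversion]" field is absent for brand-new installs
        for (i = 3; i <= NF; i++) if ($i ~ /^\(/) {
            v = $i; sub(/^\(/, "", v); print $2, v; break
        }
    }'
}

# Exit status 0 when at least one security update is pending, 1 otherwise.
has_security_pending() {
    [ -n "$(security_pending)" ]
}

# Constructed sample of "apt-get -s upgrade" output (not real depot data).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl3 openssl vim
Inst libssl3 [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.9] (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.11] (2:8.2.3995-1ubuntu2.12 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Conf openssl (3.0.2-0ubuntu1.10 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])'

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_APT_OUTPUT" | security_pending

# On a real depot (as root), after "apt-get update":
#   apt-get -s upgrade | security_pending
#   apt-get install --only-upgrade $(apt-get -s upgrade | security_pending | cut -d' ' -f1)
```

Only "Inst" lines are considered, so the "Conf" lines apt-get also prints in simulation mode are not double-counted. Running the simulation from cron and alerting when has_security_pending succeeds gives an easy check that a depot has not silently fallen behind the "every one to two days" target.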

Application security

Firewall restrictions at remote sites prevent REDDNet staff from running Nessus scans against remote depots from Vanderbilt. We therefore encourage each site, at departmental or campus level, to run its own regular Nessus scans of its depot and to report findings to the security contacts above. When a weakness is found on any depot, REDDNet staff will propagate the fix to all other depots.