2.03.01 Vulnerability Scanning and Network Security Exception Configuration

I. Purpose

This procedure documents Bradley University’s method of processing requests for network security exceptions: configuring the network firewall or routers to allow special access to a campus system that would otherwise be blocked, scanning that system for vulnerabilities before the request is processed, and scanning it again on an ongoing, automatic basis once the exception is in place.

Policy Supported

Supports 2.03 Vulnerability Scanning

II. Description

An electronic mail request for special network access to a device shall be sent to the Director of Systems Integration and Security by the person responsible for the administration of that device. The request shall include the business purpose for the request.

Upon receipt of the request, the Director of Systems Integration and Security shall take action as follows:

1) Request Approval or Denial:

The Director of Systems Integration and Security shall determine whether the request is approved or denied. Criteria used in making this determination shall include, but not be limited to:

  1. Business Purpose – Will granting this request make a positive contribution to Bradley’s mission and goals?
  2. Technical Resources – Does the requestor have all of the resources necessary to manage this new service effectively?
  3. Security Impact – Will granting this request create a significant risk of compromising the integrity of any of the following for Bradley: systems, networks, data, reputation?

The Director of Systems Integration and Security shall notify the requestor if the request is not approved, and state the reason(s) why.

  • If the request is approved, processing continues.
  • If the request is denied, the requestor may escalate the request to the Director of Computing Services for review and discussion.

2) Vulnerability scanning upon approval, by one of the following:

  1. Scan the system with Computing Services’ approved vulnerability scanning solution; or
  2. Advise the requestor to scan the system with the Computing Services approved self-service scanner, and to email the report back to Computing Services upon completion.

3) If the system/network has known vulnerabilities at the time of the scan:

  1. Advise the user that the vulnerabilities must be fixed before the request is granted
  2. Forward the scan report to the user by email, copying other necessary parties
  3. If necessary, make recommendations and offer guidance on remediating the vulnerabilities on the system
  4. If necessary, advise the user to read policy 2.03.

4) If the system/network is clean of known vulnerabilities at time of scan:

  1. Configure the special access as requested, including a “remark” with the configuration
  2. Document the request in the Server Manager server list area

5) Email the user to confirm that the request is complete, copying other network staff and the Director of Systems Integration and Security.

6) Advise the user that a system with a network security exception must be scanned for new vulnerabilities by Computing Services on an automatic, ongoing basis.

The scan schedule must be mutually agreed upon by the system’s administrator and the Director of Systems Integration and Security.
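Steps 3 and 4 above, as an added worked example rather than Bradley’s own tooling: a small shell script that refuses to build the exception while the scan report still shows open findings, and otherwise emits the firewall rule with the request details carried as its remark, followed by the record line for the server list. It assumes a Linux nftables firewall with an inet filter table and a forward chain, a request identifier scheme (NSE-year-number) and a one-finding-per-line CSV scan report, all invented for the example because the page names neither the firewall platform nor the scanner.

```shell
#!/bin/sh
# Added example, not Bradley University tooling. Gate a network security
# exception on a clean scan, then build the rule with the request recorded
# as its remark. Assumptions (not from the page): nftables with table
# "inet filter" and chain "forward"; NSE-<year>-<n> request ids; scan
# reports as "host,finding,severity" lines with severity one of
# info|low|medium|high|critical, where "info" lines are not vulnerabilities.

# Constructed sample reports for the demonstration below.
CLEAN_REPORT='host,finding,severity
192.0.2.10,SSH service detected,info'
DIRTY_REPORT='host,finding,severity
192.0.2.10,Outdated OpenSSH version,high
192.0.2.10,TLS 1.0 enabled,medium
192.0.2.10,HTTP server banner,info'

# Return 0 only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Only TCP and UDP carry ports, so only those are accepted here.
valid_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the number of open (non-info) findings in a report; return 0 if
# that number is zero (step 4, clean) and 1 otherwise (step 3).
scan_is_clean() {
    n=$(printf '%s\n' "$1" |
        awk -F, 'NF==3 && $3!="info" && $3!="severity" {c++} END {print c+0}')
    echo "$n"
    [ "$n" -eq 0 ]
}

# Build the nft command for one exception.
#   $1 request id  $2 requestor  $3 destination IPv4  $4 tcp|udp
#   $5 port        $6 approval date  $7 agreed rescan schedule
# The rule comment is the "remark": anyone auditing the ruleset later can
# see which request, person and rescan cadence the hole belongs to.
build_exception() {
    id="$1"; who="$2"; host="$3"; proto="$4"; port="$5"; approved="$6"; rescan="$7"
    valid_proto "$proto" || { echo "bad protocol: $proto" >&2; return 1; }
    valid_port "$port"   || { echo "bad port: $port" >&2; return 1; }
    case "$host" in                      # minimal shape check only
        ''|*[!0-9.]*) echo "bad host: $host" >&2; return 1 ;;
    esac
    printf 'nft add rule inet filter forward ip daddr %s %s dport %s ct state new accept comment "%s %s approved %s rescan %s"\n' \
        "$host" "$proto" "$port" "$id" "$who" "$approved" "$rescan"
}

# Steps 3 and 4 as one decision: hold the request while findings are open,
# otherwise emit the rule and then the server-list record (step 4.2).
process_request() {
    id="$1"; who="$2"; host="$3"; proto="$4"; port="$5"; approved="$6"; rescan="$7"; report="$8"
    if ! open=$(scan_is_clean "$report"); then
        echo "DENIED $id: $open open finding(s) on $host; remediate and rescan first" >&2
        return 1
    fi
    build_exception "$id" "$who" "$host" "$proto" "$port" "$approved" "$rescan" || return 1
    printf 'SERVERLIST\t%s\t%s\t%s/%s\t%s\tapproved %s\trescan %s\n' \
        "$id" "$host" "$proto" "$port" "$who" "$approved" "$rescan"
}

# Demonstration: the first run is held, the second produces the rule.
process_request NSE-2024-017 jdoe 192.0.2.10 tcp 443 2024-05-01 weekly "$DIRTY_REPORT" || echo "(request held)"
process_request NSE-2024-017 jdoe 192.0.2.10 tcp 443 2024-05-01 weekly "$CLEAN_REPORT"
```

The generated rule is printed rather than applied so it can be reviewed against the approval before it reaches the firewall; the same comment string also serves as the search key when the scheduled rescan later turns up a finding and the exception has to be pulled.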

III. Scope

This procedure covers the tasks necessary for Bradley technical staff to configure network security exceptions on the network firewall or routers that allow the requested special access to a system that would otherwise be blocked. It also covers the required vulnerability scanning of the device before the request is processed, and again on an ongoing, automatic basis after the request is processed.

Definitions

Network Security Exception – A configuration in a network device, such as a firewall or router, that allows networks or systems to initiate traffic through that device to other networks or systems listening on TCP or UDP ports, or on other IP protocols, that the device would otherwise block.

Date Approved      
       
Dates Revised      
       
Dates Reviewed