CS Services Security Policy

Definitions

A service is a process that listens on a port; other systems connect to it across the network. Internet access means users connecting from beyond cs.uchicago.edu.

To Manage a system means to have root access on the system, and to be responsible for keeping the system alive and secure.

Principles

• Least privilege
• Isolation of vulnerable services
• CS departmental research/instructional/administrative use gets priority. Requests for other use may be denied.
• Start tight, make exceptions as needs arise. This is for reliability: if, for security reasons, we need to further restrict a service, service behaviour might be affected.
• Mounting of NFS home directories is a liability: if someone takes control of a machine NFS can be used to attack our network. Therefor we do not allow NFS home directory mounts on more vulnerable servers.
• In general, we want to only allow http and ssh access from the Internet (outside cs.uchicago.edu) Exceptions detailed below.

Techstaff managed systems

1. Production departmental services, including CS, CSPP business services

Only techstaff can log into these servers.

A service intended for CS account holders only will be accessible from the Internet via ssh and/or http only.

CS account holders may be able to use ssh tunneling to access service from the Internet

2. Servers owned by a CS faculty to whom we are solely responsible to for the service, that requires access to the Internet beyond ssh or http

No NFS home directories. May be a NFS server.

CGI servers

• 3. Regular users

  Off-the-shelf cgi systems are not permitted. Hand coded cgi is permitted, but user registration is required.

• 4. CS faculty, grads, or users with CS faculty sponsors

  Off-the-shelf cgi must run on isolated server.

Non-Techstaff managed systems

5. Systems managed by people eligible for a CNET account

No NFS home directories

6. Systems managed by people not eligible for a CNET account

Requires approval of NSIT and CS, and a CS sponsor

No NFS home directories

Firewall required to prohibit access to uchicago.edu

Subject to removal at any time by NSIT or CS

[ About Us | Education | People | Research | Facilities & Computing | Search this site | View Page Source | Contact Us | Site Map | Login ]
©2004 The University of Chicago® The Department of Computer Science
1100 East 58th Street, Chicago, IL 60637 :: ph 773.702.6614 :: fax 773.702.8487