The University IT infrastructure is an important shared platform for various cyber activities. Cyber security measures have been implemented at different levels to protect this infrastructure from possible cyber security threats.
By segregating the University network into three types of areas, protection is instituted between these types of areas. It can be considered as three network zones with firewalls in between.
1. Network Segregation and Zoning
The University network is conceptually divided into three types of areas based on risk classification:
- High-risk areas
- Central backbone network
- Special areas identified as “high-risk”
- Moderate-risk areas
- Network housing moderate-risk servers and end-points
- Office network
- Network for teaching venues
- Network for research laboratories
- Staff residential network
- Low-risk areas
- Student residential network
- Computer barns
- Network for public areas supporting unauthenticated guest access
2. Network Access Control
Connection to the University network can be through wired or wireless means.
- All wired connections need to be activated by prior registration of hardware address (i.e. MAC address) by authorized users.
- Wireless connections for the University community are established via a secure authentication process using authorized user accounts, and all wireless traffic are being encrypted to prevent eavesdropping. Wireless connection for specific purposes requires prior registration of hardware address by authorized users.
3. Identity & Access Management
Access to IT servers and applications are controlled with proper access control via various means to minimize risk exposure as deemed appropriate:
- Single Sign-On (SSO) is deployed where feasible to prevent unnecessary leakage of user credentials
- Virtual Private Network (VPN) technology is deployed for secure remote access to University applications from off-campus for general users
- VPN access is also enforced for systems administrators accessing crucial central servers from both on- and off-campus
- Privileged account management solution is also deployed to safeguard access to privileged accounts, and this is also complemented by a two-factor authentication solution to further strengthen system accounts access control
4. Network Firewalling & Intrusion Prevention
The University is an open and free environment for pursuit of academic excellence and innovations. As such, only very harmful traffic is filtered from the border of the University network. More stringent controls are implemented for network areas of different risk categories:
- Harmful traffic is filtered from low-risk areas
- Suspicious or harmful traffic is filtered from moderate-risk areas
- Only pre-defined or useful traffic is allowed for high-risk areas to minimize risk exposure to the greatest extent
Intrusion prevention capability is also made available at all network security gateways to detect possible network intrusion activities with real-time logging and blocking mechanism.
5. Traffic Management
Internet bandwidth is a scarce resource and needs to be properly managed to ensure adequate performance of related Internet applications related to research, study, and general business applications. Traffic management system is being deployed at the Internet border to safeguard overall Internet performance:
- Network bandwidth optimized and prioritized for research, teaching and learning activities
- Excessive traffic constrained within limits to protect normal activities and to avoid abusive use of Internet bandwidth
- Protection from denial-of-service (DoS) attacks
6. Antivirus Control
Virus infection is a common security problem and is liable to potential data leakage or instability of IT resources. Antivirus control measures are in place at different levels to safeguard IT resources in the University:
- Antivirus detection and filtering capability is available at the Internet security gateways level
- Antivirus scanning and quarantine at server and mail gateway level
- Antivirus detection and dis-infection at endpoint level
7. Automated Scan & Proactive Network Monitoring
Automated scan and proactive networking monitoring on the University network is conducted on a regular basis to uncover anomalies and exception scenarios:
- Unauthorized network connections, especially in the high-risk areas
- Malicious or abusive traffic based on cyber security intelligence
- Proactive detection of compromised endpoints based on their anomalous behaviors
- Vulnerabilities in IT resources like endpoints, operating systems, and server applications
For the protection of individual, units and the University, network access by compromised or vulnerable IT resources may be temporarily denied until the identified weakness is completed eradicated.
8. Patch Management
It is of utmost importance to eliminate software loopholes and vulnerabilities when and where feasible, and in a timely manner. An automated patch management solution is introduced for those crucial servers, as mentioned in the document Acceptable Practices for Server Patch Management.
9. Data Backup
Data backup according to industry best practice is being adopted especially for central servers:
- All central servers have their data backed up and archived with multiple backup versions to allow for data recovery in case of data loss or corruption
- Data replication technology is also adopted where feasible for real-time data replication
- Data encryption technology is applied on tape backup
- Off-site backup on a routine basis is also being practiced
- Endpoint backup solution is also available for those high-risk endpoints for backing up crucial documents
10. Data Centers
At present the University has a primary data center in Main Campus along with a secondary data center the LSK Campus. The data centers are designed with a rationale to enhance overall IT security:
- 24-hour air-conditioning to ensure proper operating temperature for data center equipment
- Fire suppression system with smoke detectors and water leakage detection
- Uninterruptible power supply (UPS) system
- Physical security through card access control system and surveillance cameras
- Both data centers are linked together with redundant fiber connectivity, and with resilient data center network fabric in each data center
- Serve as backup and disaster recovery purpose, with redundant data backup copies kept at both data centers
Related Links