
Network Terms of Service Standards

Overview of the Network Terms of Service

The Network Terms of Service (NTOS) are in place to protect the Yale University network. Applying the NTOS protects:

  • The individual device connecting to the network
  • Other devices connected through the Yale University network
  • The integrity and availability of the Yale University network

Scope

Any device that connects to the Yale University Network must apply the NTOS. This applies to any device, regardless of its location or ownership, including but not limited to:

  • Personally owned devices, such as:
    • Computers (e.g., laptops, desktops)
    • Mobile devices (e.g., smartphones and tablets)
  • Any addition to the network infrastructure

Certain devices are not permitted on the Yale University Network. This includes, but is not limited to:

  • DHCP servers
  • Private Wi-Fi access points
  • Private Internet provider circuits

Devices connecting to Yale’s guest Wi-Fi networks do not need to apply the NTOS.

In addition to everything outlined in the NTOS, use of the Yale Network is governed by Yale’s Information Technology Appropriate Use Policy and other applicable policies and procedures.

Requests for exceptions to the Network Terms of Service (NTOS) may be submitted via an exception request.

Standards Violations

The Information Security Office (ISO) is charged with detecting and reviewing failures to meet and maintain the NTOS. Corrective action may be taken up to and including blocking offending devices from the network.

Outline of the NTOS

The NTOS will follow the same formatting convention as Yale’s Minimum Security Standards (MSS). This includes:

  • Standards group: Yale-NTOS-X
    • These group standards according to the cybersecurity requirements they address.
  • Standard: Yale-NTOS-X.Y
    • These document Yale’s position for a group of cybersecurity requirements. They explain how to meet the requirements at Yale.
  • Control: Yale-NTOS-X.Y.Z
    • These provide details addressing specific cybersecurity requirements.

NTOS Outline

  • Standards Group 1 – Remote Access: Restrict remote access services from attackers on the internet.
  • Standards Group 2 – Network Extensions: Ensure network extensions cannot undermine Yale’s protection, detection, and response capability.
  • Standards Group 3 – Authentication to the Yale Network: Ensure secure access control for connections to the Yale network.

Standards Group

YALE-NTOS-1: Remote Access

Reason for the standard:

It is critical that we restrict remote access services from attackers on the Internet. Services that provide remote access to systems or to the University network are high-value targets for cyberattacks. When these services are open to the Internet, attackers may be able to:

  • compromise credentials,
  • compromise the system, and/or
  • put other systems at risk.

All devices providing inbound remote access to the Yale Network must meet the MSS requirements for high risk servers in addition to the following controls.

YALE-NTOS-1.1: Use a private IP address if direct, inbound Internet access is not required.

Definitions:
  • IP address – A unique address that identifies a device on the Internet or a local network.
  • Private IP address – Private IP addresses are only routable on a local network and are not directly accessible from the Internet.
  • Public IP address – A public IP address can be accessed directly from the Internet. Such a visible address entails an increased risk of cyberattack.

Note: Putting a device behind a reverse proxy is better than putting it directly on the Internet.

YALE-NTOS-1.1.2: Apply additional controls if inbound access from the internet is required.

Definitions:

Internet Accessible (IA) devices: Internet Accessible (IA) systems allow connections from the Internet without an additional layer of protection such as a Virtual Private Network (VPN). In general, if the normal way to access your system is through the Internet, the system is Internet Accessible.

Note: A Private IP with a public reverse-proxy (like a load balancer) is considered Internet Accessible.

YALE-NTOS-1.2: Enable and retain authentication and connection logs for all internet exposed remote access services.

Standard details:

This standard applies to all remote access services. Requirements for authentication and connection logs include:

  • YALE-NTOS-1.2.1: Log both successful and failed login attempts to the remote access service.
  • YALE-NTOS-1.2.2: Log the source IP address for connection attempts.
  • YALE-NTOS-1.2.3: Retain logs for a minimum of 90 days. One year or more is recommended.

YALE-NTOS-1.3: Apply additional controls for internet exposed web servers

All web servers requiring internet access must apply the following controls:

  • YALE-NTOS-1.3.1: All web pages with user logins must have Multifactor Authentication (MFA) via Yale Single Sign On (SSO) or other method.

YALE-NTOS-1.4: Apply additional controls for internet exposed SSH

Exposing the SSH daemon (sshd) service to the Internet is prohibited. All devices seeking an exception must meet the following additional controls at a minimum.

  • YALE-NTOS-1.4.1: Authentication must use MFA, key authentication, or certificate authentication instead of password-only authentication.

YALE-NTOS-1.5: Apply additional controls for internet exposed RDP

The use of the RDP service exposed to the internet is prohibited. All devices seeking an exception must meet the following additional controls at a minimum.

  • YALE-NTOS-1.5.1: Must use Multifactor Authentication (MFA).

YALE-NTOS-1.6: Apply additional controls for internet exposed database servers

Exposing a database server to the Internet is prohibited. All devices seeking an exception will be subject to additional controls determined during the exception process. Controls will be determined based on the platform.

YALE-NTOS-1.7: Apply additional controls for internet exposed Virtual Network Computing (VNC)

The use of Virtual Network Computing (VNC) is prohibited. All devices seeking an exception must meet the following additional controls at a minimum.

  • YALE-NTOS-1.7.1: Must use Multifactor Authentication (MFA)
  • YALE-NTOS-1.7.2: Must use encryption.

YALE-NTOS-1.8: Apply additional controls for internet exposed consumer desktop tools like TeamViewer and Logmein

To use consumer desktop tools like TeamViewer and Logmein, you are required to apply the following additional controls:

  • YALE-NTOS-1.8.1: Must be configured with the highest security settings available from the vendor.
  • YALE-NTOS-1.8.2: Must use Multifactor Authentication (MFA).

YALE-NTOS-1.9: Apply additional controls for internet exposed VPNs

Non-ITS-managed VPNs are prohibited. All devices seeking an exception must meet the following additional controls at a minimum.

  • YALE-NTOS-1.9.1: Must be configured with the highest security settings available from the vendor.
  • YALE-NTOS-1.9.2: Must use Multifactor Authentication (MFA).

YALE-NTOS-1.10: Prohibit internet accessible system management tools

Examples of system management tools include Red Hat Cockpit, consumer NAS management interfaces, Dell DRAC, HP iLO, and other lights-out management interfaces. All devices seeking an exception to use these tools will be subject to additional controls determined during the exception process.

Standards group

YALE-NTOS-2: Network Extensions

YALE-NTOS-2.1: Protect Network Extensions

A network extension occurs when one device proxies the traffic of other devices. This limits Yale’s ability to manage and monitor the connected devices. When deploying a network extension, you are responsible for implementing all the security controls that are otherwise provided free of charge on the Yale network.

These controls include, but are not limited to:

  • Enable and retain logging of authentication and connection activity
  • Monitor logs for suspicious activity
  • Require MFA for user and administrator access to the network extension device
  • Register the network extension device
  • Physically secure the network extension device

YALE-NTOS-2.2: Control use of High Impact Network Extensions

A High Impact Network Extension is a network extension that also provides an alternate route into or out of Yale’s network, bypassing Yale’s security controls.

Examples include:

  • Internet exposed VPN
  • Vendor provided support appliance that provides a reverse tunnel to the vendor
  • Non-ITS-managed wireless access points

High Impact Network Extensions require an exception. To be granted an exception you must maintain, at a minimum:

  • Maintain all the security controls that are available for free on the Yale network (see YALE-NTOS-2.1).
  • Limit access, via ITS (e.g., through an ITS-managed network device), to specific devices on the Yale Network.
  • Meet the MSS for high-risk servers.

Standards Group

YALE-NTOS-3: Authentication to the Yale Network

YALE-NTOS-3.1: All access to the Yale Network must be authenticated.

There are three ways to authenticate: