Date: June 5, 2012
To: Brown University Technical and Web Developer Community
Re: ISG Position Paper – Access to Web Publishing Servers via Non-Brown IP Addresses
Brown’s Web Publishing servers (both institutional and student-focused) have been repeatedly compromised from external sources. Each compromise costs many staff hours of incident response and brings blacklisting by ISPs and websites, malware propagation, reputation damage, and more. The Information Security Group and CIS Web Services have analyzed the architecture and recent events and have identified that access to the servers from non-Brown IP space creates the highest probability that any vulnerability on them will be exploited.
With this in mind, the following ISG position paper has been developed to further protect the servers, and to lower the risk posture of the University.
Mandated Security Actions to Increase the Security of Web Publishing at Brown:
In order to mitigate the continuing compromises of the University web publishing servers, ISG is mandating the following actions:
- Access to the web publishing servers will remain available from all Brown internal IP addresses while on campus
- Access to the web publishing servers from anywhere off campus must be through the Brown official VPN solution
- For both on-campus access and off-campus access via VPN, SSH must be used to access the web publishing servers
- Firewall rules will be modified to reflect these changes by 6/27/12
- Brown web publishers should not synchronize their web server password with their LDAP password; a shared password means that the compromise of either account compromises both
- Web Services will contact the Web Publishing community by 6/27/12 to alert them to this new position statement
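The access rules above amount to a source-address allowlist on the management port, with ordinary web traffic left as is. The following Python script is an added illustration, not part of the ISG memo or of any Brown configuration: it evaluates a constructed set of connection attempts under the old policy (management access open to the Internet) and under the new one, and renders the equivalent iptables rules. The campus prefix 128.148.0.0/16, the VPN client pool 10.4.0.0/16, the choice of TCP/22 as the only permitted management port, and the decision to keep 80/443 public are all assumptions made for the example.

```python
"""Added example (not from the ISG memo): evaluate the memo's access policy
against constructed connection attempts and render equivalent firewall rules.

Assumptions (not stated in the memo): campus space is 128.148.0.0/16, the
VPN hands clients addresses in 10.4.0.0/16, SSH/SFTP is TCP/22, and public
web serving on 80/443 stays open to the Internet.
"""
from ipaddress import ip_address, ip_network

CAMPUS_NETS = [ip_network("128.148.0.0/16")]   # assumed campus prefix
VPN_NETS = [ip_network("10.4.0.0/16")]         # assumed VPN client pool
MANAGEMENT_PORTS = {22}                        # SSH / SFTP only
PUBLIC_PORTS = {80, 443}                       # assumed to remain public
LEGACY_PORTS = {21, 23}                        # FTP, telnet: not permitted


def _in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def decide(src, dport, policy="new"):
    """Return 'allow' or 'deny' for a TCP connection from src to dport.

    policy='old' models the pre-memo state: every port reachable from any
    source. policy='new' models the memo: management only from campus or VPN
    space, over SSH; cleartext legacy protocols refused everywhere.
    """
    if policy == "old":
        return "allow"
    ip = ip_address(src)
    if dport in PUBLIC_PORTS:
        return "allow"
    if dport in MANAGEMENT_PORTS:
        if _in_any(ip, CAMPUS_NETS) or _in_any(ip, VPN_NETS):
            return "allow"
        return "deny"          # off-campus without VPN
    return "deny"              # legacy ports and anything else


# Constructed sample connection attempts (source address, destination port).
SAMPLE_CONNECTIONS = [
    ("128.148.7.21", 22),    # on-campus workstation over SSH
    ("10.4.12.9", 22),       # VPN client over SSH
    ("203.0.113.45", 22),    # off-campus host, SSH, no VPN
    ("203.0.113.45", 443),   # public web traffic
    ("128.148.7.21", 21),    # on-campus, but FTP instead of SSH
    ("198.51.100.8", 21),    # Internet FTP
]


def audit(connections, policy="new"):
    """Count allow/deny decisions for a list of (src, dport) pairs."""
    counts = {"allow": 0, "deny": 0}
    for src, dport in connections:
        counts[decide(src, dport, policy)] += 1
    return counts


def iptables_rules():
    """Render the 'new' policy as iptables INPUT-chain commands (illustrative)."""
    rules = []
    for port in sorted(PUBLIC_PORTS):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
    for port in sorted(MANAGEMENT_PORTS):
        for net in CAMPUS_NETS + VPN_NETS:
            rules.append(
                f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT"
            )
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    for port in sorted(LEGACY_PORTS):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for policy in ("old", "new"):
        print(policy, audit(SAMPLE_CONNECTIONS, policy))
    print("\n".join(iptables_rules()))
```

The audit shows the effect of the memo on the same six attempts: under the old policy all six succeed, under the new one the off-campus SSH attempt and both FTP attempts are refused while public web traffic is untouched. The rendered rules are ordered so that the per-network ACCEPT lines on port 22 precede the catch-all DROP, which is what makes the allowlist work in a first-match chain.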
While ISG appreciates the enthusiasm, capabilities and contributions that the Brown web publishing community brings to the University, the attacks that reach web servers from the Internet cannot be overlooked. This position paper balances the needs of Brown and the web publishing community while, more importantly, preserving the continuing security of the University and reducing its overall risk.
Chief Information Security Officer
Questions or comments to: ITPolicy@brown.edu