Internet-facing Systems and Services

Introduction

1. UBC Systems and services that are Internet-facing (i.e. visible or accessible from the Internet) are prime targets for exploitation. Without adequate security, these systems and services provide an avenue for malicious activity such as theft of UBC Electronic Information or the denial of service to UBC resources.
2. This document defines minimum standards to be followed by University IT Support Staff for the security architecture, protected network protocols, hardening/patching and monitoring/logging of UBC's Internet-facing systems and services to ensure they are adequately protected. This standard focusses on Web Servers because these are primary targets for exploitation and therefore pose the highest risk to the University. Servers that are not Internet-facing, such as intranet servers, should also follow this standard, wherever feasible.
3. The Chief Information Officer has issued this document under the authority of Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Security Architecture Requirements

4. Ideally, web, application and database functions should be hosted on separate servers; however, it is acceptable to host all of these functions on the same server in the following circumstances:
1. High or Very High Risk Information is not being processed through these servers; and/or
2. hosting the functions on separate servers would not be technically feasible or would cause unreasonable business disruption (e.g. render the application unusable or unsupportable).
5. If functions are hosted on the same server, compensating controls must be implemented to commensurate with the risk, such as:
1. web application (layer 7) firewall;
2. file integrity monitoring;
3. Intrusion Detection Systems/Intrusion Prevention Systems; and
4. log monitoring (e.g. SIEM).
6. When web, application and database functions are hosted on separate servers, Web Servers are permitted to communicate with Application Servers but not with Database Servers.
7. All Internet-facing servers must be placed in a Demilitarized Zone (DMZ) configured as follows:
1. the DMZ must contain all Web Servers;
2. the DMZ may only contain Application Servers if they are combined with Web Servers;
3. the DMZ must not contain Database Servers that store or process High or Very Risk Information;
4. a firewall must be in place between the DMZ and the Internet as well as between the DMZ and the UBC internal network;
5. wherever possible the DMZ should be protected from the Internet by web application firewalls, as they are better equipped to protect web applications from threats;
6. firewalls must use ingress filtering at a minimum, and must also use egress filtering if the firewall is used to protect High or Very High Risk Information; and
7. firewalls must use access rules that restrict traffic to only the minimum necessary to conduct University Business; access rules must not be wide-open allowing any source to connect to any destination, as this defeats the security of the firewall.
8. Access to all Medium, High and Very High Risk Information on servers must be authorized and limited based on the User's role, following the principle of least privilege.

Network Protocol Requirements

9. Secure transmission of Medium, High or Very High Risk Information must comply with the following requirements:
   1. any form, application or service that requires some type of authentication, or that is used to collect or transmit information from User to server or between servers, must be encrypted using HTTPS with TLS version 1.2 at a minimum (or the equivalent, for non-web-based applications);
   2. information transmitted via SSH must be encrypted using a minimum of AES-256 bit encryption with mutual authentication between the server and User; and
   3. known weak network protocols (e.g. all versions of SSL, and TLS versions prior to 1.2) should be disabled.
10. Secure transmission of Low Risk Information is strongly recommended to be encrypted using HTTPS with TLS version 1.2 at a minimum.
11. Where HTTPS is used, it is recommended that all HTTP requests are re-directed to HTTPS.
12. Users frequently access desktops, laptops and servers remotely. Remote access covers a broad range of technologies, protocols and solutions (e.g. RDP, SSH, VNC, VDI, terminal services, etc.). Remote access transmissions must comply with the following requirements:
    1. remote access servers (e.g. terminal server, VDI, Remote Access Gateways, etc.) must be located in the DMZ and use strong encryption for server-to-User transmissions, e.g. RDP with Network Level Authentication, SSH with AES-256 bit encryption, etc.;
    2. host desktops, laptops or servers not located in the DMZ should only be remotely accessed via a Remote Access Gateway, VPN or SSH; and
    3. VPN connections must be encrypted and restricted at both ends to the minimum number of systems necessary; split tunneling must not be enabled.
13. Servers running other Internet-facing protocols must be located in the DMZ and must encrypt transmissions of Medium, High or Very High Risk Information.

Additional Requirements for Merchant Systems

14. University IT Support staff must configure remote access technologies, used in Merchant Systems, to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended.

Hardening and Patching Requirements

15. Servers must be hardened, patched and scanned in accordance with the Vulnerability Management standard.

Logging and Monitoring Requirements

16. Servers must be logged and monitored in accordance with the Logging and Monitoring of UBC Systems standard.

Related Documents

• Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems
• Logging and Monitoring of UBC Systems standard
• Vulnerability Management standard