The NOC is empowered to take necessary steps to protect the services delivered on
the CalREN networks. This may include placing global filters on addresses or protocols.
In general, this will be done in as minimal a fashion as practical, consistent with the
protection of the network infrastructure. These filters will be announced on the
appropriate mailing lists.
The NOC will not place global packet filters on CalREN routers other than:
- as detailed in the first paragraph,
- when necessary to mitigate an ongoing attack on a campus, or originating from a campus,
- when consistent with Internet best practices (for example, filtering RFC1918 space).
Upon request by an authorized campus representative, the NOC will place packet
filters on CENIC routers (preferably on the campus-facing interface) to protect a specific
campus from an ongoing or imminent attack or threat. It is expected that these filters will
be removed when the attack or threat has been mitigated, but in no case shall remain in
place for more than fourteen days without approval from the Director of Network
Engineering or his designee.
Campuses requiring longer-term packet filters are expected to acquire their own
firewalls, or to approach CENIC to discuss a requirement for an augmented service
offering that does not impact other sites.
Existing packet filters maintained by 4CNet or the CalREN-2 NOC will be continued
on CalREN routers for a period not to exceed 180 days after the adoption of this policy.
