Computer Vendor FAQ for the Duke Network
A number of departments and people on campus have decided to place 3rd party hardware on the Duke Network. Making use of an external company can save on time and heart-ache for the common, day to day systems administration tasks.
However, if one isn't careful, this could increase the risk of being the victim of a hacking incident.
If you're thinking of hiring or leasing equipment, or if you already have such equipment in your possession, you should ask the following questions:
- Is there one person (or one department) at the company who has responsibility for the systems administration of the machine? What about its security?
The company should have someone or a department that takes responsibility for the machine. If it doesn't, this should be stated in the contract.
- What operating system is on the machine? Which version?
Hopefully it is a fairly recent OS that has been vetted by the computer community. For example, you don't want the machine to be running Windows 3.1 or Linux 5.1.
- Does the operating system get patched regularly? If not, why not? If so, what's the schedule?
Specify that the machine receives patches within a reasonable time period after a vulnerability has been announced. The machine should also receive the standard OS patch releases in order for the machine to function more reliably.
- How is the machine protected from external threats? From internal threats?
Vendors need to be aware that Duke University does not have a firewall between its network and the Internet as a whole. This is -extremely- important information because vendors tend to assume that everyone runs a border firewall. The machines they place on our network need to have their own defenses, which not only protect them from the Internet as a whole but also from subnets within Duke that do not need to be communicating with them. The machine needs to be protected against TCP, UDP, and ICMP attacks and probes. The defenses on the machine need to be specified, as well as the person who is going to be responsible for maintaining them.
- Who has responsibility for auditing the machine, Duke or the vendor?
In order to maintain consistent security, the machine needs to be audited periodically for security weaknesses. It might have missed a patch, or some software may have been installed that shouldn't have been, or something else could have happened which circumvented its security policy. Machines need to be scanned and checked by authorized parties to verify their status at a specific time. A primary auditor should be specified prior to the machine being placed on the network. It should also be noted that the Duke IT Security office regularly scans the network for vulnerabilities and sends vulnerability reports to the subnet contact of record. However, we do not have the responsibility of correcting problems found on machines which we do not operate. If the vendor does not want us to scan their machine, then we will need to know its IP address and have it in writing that they will be running periodic audits on that machine and will repair problems found.
- If there is a specific software application running on the machine, does it require privileged access? If yes, why?
Software applications should not have privileged access or be run as a privileged user. If they do, then they become another item that an administrator or security auditor must note. The more applications which run with special privileges, the more doors into the machine. If the vendor says that the application does need such access, ask why. It might be simply because it needs a port lower than 1024, but if you press the issue, you might discover an option that allows the application to communicate on a higher port.
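The two points above (no border firewall, so the host must carry its own defenses; the application moved to an unprivileged port) can be written down as a host ruleset the contract can reference. The following nftables ruleset is an added example, not part of the original FAQ or any vendor's configuration; the subnets (192.0.2.0/24 for the vendor's admin staff, 198.51.100.0/24 and 203.0.113.0/25 for the Duke subnets that use the application) and the application port 8443 are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Host firewall for a vendor-managed server on a network with no border firewall.
# Default deny on input; only the admin subnet and the client subnets get through.
# All addresses and ports below are placeholders to be replaced per contract.
flush ruleset

table inet vendorhost {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }                      # vendor admin subnet (placeholder)
    }
    set client_nets {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.0/25 }   # subnets that need the app (placeholder)
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to sessions this host started, and loopback traffic
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP: keep only what path MTU discovery and diagnostics need, rate-limited
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Encrypted admin access (ssh) only from the admin subnet, per-user accounts on the host
        ip saddr @admin_nets tcp dport 22 accept

        # The application, running unprivileged on a port above 1024, only from client subnets
        ip saddr @client_nets tcp dport 8443 accept

        # Everything else (other Duke subnets, Internet-wide TCP/UDP/ICMP probes) is logged and dropped
        limit rate 10/minute log prefix "vendorhost-drop: "
        drop
    }

    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

Load it with `nft -f` and keep the file under version control so the auditor named in the contract can diff the running ruleset (`nft list ruleset`) against it.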
- If your technical staff requires access to the machines, how is that access granted and protected?
If they are going to be the ones installing patches and responsible for the upkeep of the machine, then they will definitely need access. Specify that this access -must- be done over an encrypted channel such as ssh, or some ssl-enabled application. Their staff should have individual accounts on the machine, not some general "engineering" account with a simple password. Find out their password changing policy. They should have one and it must include the use of something similar to cracklib, if not that library itself.
- Who has root/admin privileges?
As few people as possible. And the passwords must pass a run through a password cracking utility such as Crack, John the Ripper, or L0pht's Windows cracker.
- Does the system use, store, or transfer confidential information?
Confidential information can be defined as any Duke NetID, SSN, credit card numbers, or any personally identifying information. If the system or software does handle such information, please contact the IT Security Office for assistance in evaluating such products.