Dual Homed Network Policy
Version 1.1
Purpose
The purpose of this policy is to minimize potential exposure to the University from unauthorized access to the University’s IT Resources.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
The use of multiple network interfaces into a single computer to facilitate “dual-homed” or “multi-homed” connectivity creates a bypass of network security and is prohibited[1].
[1] Policy scenario example: Web-facing applications should not have the Web Service and Database Service residing on the same physical server device. If the public-facing web server is compromised, the database contents will also be compromised. For example, many process control incidents involving the Slammer worm in 2003 were a result of dual-homed architectures. The worm infected the server via one NIC and then immediately started working on the computers located on the second NIC’s network.
Definitions
Dual Homing is defined as having concurrent connectivity to more than one network from a computer or network device.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Implementation Information
| Review Frequency: | Annual |
|---|---|
| Responsible Person: | Director, IT Risk and Data Integrity |
| Approved By: | CISO |
| Approval Date: | May 16, 2017 |
Revision History
| Version: | Date: | Description: |
| 1.0 | 05/16/2017 | Initial Policy |
| 1.1 | 05/23/2018 | Updated disclaimer, scope, and definitions |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.