TTUHSC IT Policies
1.4.11 NETWORK CONFIGURATION
This policy describes the requirements and constraints for attaching a computer, system,
network device, or videoconferencing system to the TTUHSC network. The intent
of this policy is to ensure all connections to the TTUHSC network are maintained at
appropriate levels of security and interoperability, while at the same time not impeding
the ability of TTUHSC faculty, staff, and students to perform their work.
The Chief Information Officer (CIO) is the central authority for all network issues.
The CIO may appoint and/or delegate management of certain aspects of network administration
as deemed necessary.
TTUHSC regional campuses administer local area networks (LAN), under direction of
the CIO and the Managing Director of Technology Services. Each regional campus or
location must designate a Regional Site Coordinator (RSC) to serve as the administrator of all LANs at that campus. The RSC is the contact
person for all connectivity issues between the regional campus LANs and the TTUHSC
wide area network (WAN).
The Managing Director of Technology Services is the main point of contact with Facilities
Planning and Construction and Physical Plant at all campuses for all new construction
and major renovation projects involving computing systems. Minor renovations will
be handled at the local level.
Wide Area Network Connectivity and Routing
All routers within the TTUHSC WAN will be selected, operated, and maintained by personnel
designated by the CIO. Subnet IP routing on the TTUHSC WAN will be performed in accordance
with delegated IP address space. Routing of private IP address space (as defined
by the Internet Engineering Task Force Request For Comments document #1918 - Address Allocation
For Private Internets) across the TTUHSC WAN must be approved by the CIO or their designee.
Firewall Access Standard
All internal TTUHSC computers are protected from outside network access by a firewall. All incoming network requests not known and defined are denied and are not passed
through to the internal campus network. This section describes the procedures to
allow special access through the firewall to employees and third parties/vendors in
instances where certain services and/or applications are required to maintain workflow
and provide services.
Approval for outside network access to TTUHSC computing resources will be based on
the following criteria:
- The connection is required for TTUHSC business,
- The connection does not represent an unnecessary security risk to TTUHSC,
- The connection does not use an insecure protocol where a more secure alternative exists,
- The connection does not involve unnecessary replication of functionality.
When the connection has been approved by the CIO, firewall access will be granted
when the following have been completed:
- The machine is properly registered with Information Technology by filling out the
Special Firewall Access Request Form at http://www.ttuhsc.edu/it/forms/firewallreq.aspx and sending it to the I.T. Solutions Center.
- The target machine passes a vulnerability assessment performed by I.T. Security (ITS).
This assessment consists of remotely scanning the target machine for common problems
that could result in a security risk.
- The target machine has a reserved IP address.
Registration ensures that the target machine has an administrator known to Information
Technology. The administrator will perform the necessary tasks to keep the system
up to date and in a secure state, with assistance from the Information Technology
Security Group. Registration will be renewed once a year. Renewal notices will be
sent via email by the ITS.
The ITS will perform routine security scans on machines registered for special access.
The firewall access form should be submitted through the web to firstname.lastname@example.org.
Depending on the request, it may take up to two business days for the request to be
completed. If the request is considered urgent, and the two-day timeline is not sufficient,
please state that the request is Urgent. Include in the email message the reasons
why the request is time critical.
Requests for changes to the firewall must come from the administrator of the target
machine. Requests received from anyone else will be forwarded to the machine’s administrator.
All requests will be sent to the Regional Site Coordinator (RSC) at the campus where
the machine resides. Once the RSC has checked to make sure the machine has a reserved
IP address, the request will be forwarded to the Information Technology Security Group
for final approval by the Information Security Officer. Once approved, the Information
Technology Security Group will make the necessary changes to the firewall. The RSC
may require that network configuration of the destination computer be modified prior
to approving access.
IP Address Allocation Standards And Procedure
All address delegation with the regional campuses and any supported LANs will be coordinated
between the CIO or their designee and the appropriate RSC. The RSC will be responsible
for administration and registration of all IP addresses and sub-networks within the
delegated address range(s), according to the standards and guidelines approved by
the CIO. All hosts in the TTUHSC domain must obtain a valid IP address from the RSC. No host on the
intranet should broadcast dynamic routing information except specially configured
gateway or router devices.
To ensure efficient IP address utilization, TTUHSC will allocate its assigned IP
addresses to reflect the requirements of each building location, wiring closet, or
network service. This ensures compliance with the American Registry for Internet
Numbers (ARIN) requirements for utilization of public IP address space.
For regional IP addressing strategy, RSCs should refer to the IP Address Allocation Strategy.
Reserved IP Address Standards
Reserved IP addresses are available to the following hosts:
- Server systems that provide file sharing, printer sharing, or other application services
to multiple client systems
- Printers with a direct network attachment
- Hosts with a directly attached printer, where print jobs will be accepted from client
systems on the network
- Hosts providing services or resources to clients outside the TTUHSC network. Refer
to the Firewall Access Standards for details on requesting this type of access.
All other hosts will use dynamic addresses, allocated by Dynamic Host Configuration
Protocol (DHCP) services at each regional campus. Reserved address requests for hosts
that do not correspond with the above list must be approved by the appropriate Regional
Refer to the Server Hardening Section for additional requirements that must be met before a server can be assigned
a reserved IP address.
Reserved IP Address Allocation Procedures
All reserved IP addresses must be properly authorized and recorded before they are
issued. The following outlines the procedure for requesting and allocating reserved
- Complete the Reserved IP Address Request form and send to the Regional Site Coordinators at the respective campuses.
- Upon receipt, the network technician creates a work order, and verifies the attached
information is complete.
- Using the TTUHSC IP Address Management application, the host is assigned to the correct
VLAN and subnet. The next available address is selected, and the information provided
by the requestor is entered into the system.
- The assigned IP address, hostname, and hardware address are entered into the DHCP
- If requested, Domain Name Service/System (DNS) alias entries are entered into the
DNS configuration file to translate domain names into numeric IP addresses.
- The assigned IP address is sent to the requestor via email.
- The technician updates and closes the work order.