Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
  POLICY GUIDELINES  
CNAMEs and IPs that point outside LBL  

Summary

Pointing IPs and CNAMEs outside LBL space can help Berkeley Lab projects make the best use of external resources. However, there are risks associated with making outside systems appear to be within LBL control.

Policy

All externally facing CNAMEs and other IP records must be approved and must have short TTLs to facilitate redirection in the event of a security issue.

 

Category 1: Approved by LBLnet (LBLnet notifies CPP)

1. Points to any LBL domain name (NERSC, es.net, jgi, etc.).

2. Points to any UC campus (e.g. *.berkeley.edu, *.ucdavis.edu).

3. Points to another national laboratory.

4. Requested by an IT Division Service Owner for a pilot or production service approved by management (e.g. Google, Zimride, Status).

 

Category 2: Approved by CPP

Anything else.

 

Criteria to be used by CPP:

1. Reputational risk.

2. Quality of security arrangements (high level).

3. Compensating controls.

 

1.28.2010 - adstone