To protect the campus network against unauthorized access and malicious lateral movement, the University’s Information Technology Services (ITS) has established the Campus Network Segmentation Policy (the “Policy”). The Policy is designed to strengthen digital security and to ensure full compliance with the stipulations set forth in the ordinance.
Background
A ransomware incident in February 2024 highlighted the urgent need for comprehensive network segmentation at the University, as the attackers exploited vulnerabilities across faculties. ITS recommends a centralized security framework that limits inbound external connections and strengthens threat detection and response campus-wide.
The Policy aims to:
- Ensure compliance with the PCPD Enforcement Notice
- Reduce attack surfaces internally and externally
- Enhance cyberattack detection and response among faculties
Internet Network Services
Firewalls have been installed at the boundary between the campus network and the Internet to protect data integrity. All inbound Internet-facing network services are blocked by default. If a department needs certain devices to be reachable from the Internet, those devices must be assigned a fixed IP address and their network services must be registered.
Outbound Internet services are generally permitted, except in two cases:
- When a computer or device is involved in computer abuse;
- When the destination network is classified as malicious and is banned by ITS.
Servers Connected with Campus Network Must Be Registered
A server is any network device that listens on a TCP/UDP port and provides services to its network neighbours, including but not limited to the following examples:
- Windows/Linux/AIX Servers
- Network Attached Storage (NAS)
- Firewalls
- PC workstations used for Remote Access
Departments must register every server connected to the Campus network by submitting the CF59 form in accordance with the University’s Server Compliance Program, and the servers must be properly managed to reduce security risks to the HKU network environment. Only registered servers may offer inbound network services within the Campus network. Internet-facing services require a separate application, as external connections are denied by default.
Network Segmentations
To ensure effective segmentation of network traffic across faculties and departments, ITS has deployed firewalls within campus networks, adhering to the following policies:
- By default, outbound network traffic is permitted, except when the source is involved in a computer abuse incident or when the destination network has been restricted by ITS for cybersecurity reasons.
- In cases where IP subnets are designated to specific departments, intra-departmental subnet traffic is authorized.
- Segmentation firewalls regulate and restrict traffic between departments and across different subnets.
Please note that IP subnets and fixed IP addresses are centrally assigned by ITS. Departments are not permitted to assign fixed IP addresses without prior authorization.
Remote Access Protocol
The February 2024 incident exposed vulnerabilities in the remote access protocol. To prevent brute-force attacks via remote access, ITS now restricts remote access by default on both the external and the internal campus networks. Any department that requires remote access must submit an application and obtain approval from ITS.
For details on the “Campus Wide Remote Desktop Policy”, please visit the ITS website: Campus Wide Remote Access Policy
HKU WiFi, HKU VPN and Dynamic IP addresses
HKU WiFi and HKU VPN are centrally managed by ITS and are treated as external to departments, so network traffic originating from these sources is subject to the segmentation firewall controls. Similarly, devices on campus ethernet with IP addresses dynamically assigned by ITS via DHCP are also considered external and are restricted by the same firewall rules.
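The firewall rules described in the Server Registration, Network Segmentations and WiFi/VPN sections above can be checked against a simple model. The following is an added illustration, not ITS code; the subnets, registered servers and banned destinations are constructed sample values, and cross-department traffic is modelled as denied outright for brevity.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical addresses, not real ITS allocations).
DEPT_SUBNETS = {                      # IP subnets designated to departments by ITS
    "physics": ip_network("10.10.1.0/24"),
    "history": ip_network("10.10.2.0/24"),
}
# HKU WiFi, HKU VPN and DHCP pools: on campus, but external to every department.
EXTERNAL_POOLS = [ip_network("10.200.0.0/16"), ip_network("10.201.0.0/16")]
# Servers registered via CF59; "internet" marks an approved Internet-facing service.
REGISTERED = {
    "10.10.1.10": {"internet": False},
    "10.10.1.20": {"internet": True},
}
BANNED_DESTINATIONS = [ip_network("203.0.113.0/24")]   # classified malicious by ITS
ABUSE_HOSTS = {"10.10.2.55"}                            # involved in computer abuse


def department_of(ip):
    """Department owning the subnet that contains ip, or None."""
    return next((d for d, net in DEPT_SUBNETS.items() if ip in net), None)


def on_campus(ip):
    """True if ip is in a departmental subnet or an ITS-managed external pool."""
    return department_of(ip) is not None or any(ip in p for p in EXTERNAL_POOLS)


def evaluate(src, dst):
    """Return 'allow' or 'deny: <reason>' for a new connection from src to dst."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_campus, dst_campus = on_campus(src_ip), on_campus(dst_ip)
    if src_campus and not dst_campus:                  # outbound to the Internet
        if src in ABUSE_HOSTS:
            return "deny: source involved in computer abuse"
        if any(dst_ip in n for n in BANNED_DESTINATIONS):
            return "deny: destination banned by ITS"
        return "allow"
    if not src_campus and dst_campus:                  # inbound from the Internet
        if REGISTERED.get(dst, {}).get("internet"):
            return "allow"
        return "deny: inbound Internet services blocked by default"
    if src_campus and dst_campus:                      # traffic within the campus
        if dst not in REGISTERED:
            return "deny: unregistered server may not offer services"
        src_dept, dst_dept = department_of(src_ip), department_of(dst_ip)
        if src_dept is not None and src_dept == dst_dept:
            return "allow"                             # intra-departmental subnet
        return "deny: traffic from outside the department restricted by segmentation firewall"
    return "deny: neither endpoint is on the campus network"
```

Running the model over a WiFi or DHCP source shows why a service reachable from a departmental subnet is still unreachable from HKU WiFi until ITS approves it.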
Other Network Devices in Campus Network
The Policy applies solely to computer devices connected to the campus ethernet networks distributed across the various departments. Peripheral devices such as printers, copiers, Smart TVs, door locks and IoT gadgets fall outside the scope of the Policy unless they function as servers. Any device that provides network services as a server and is accessible by other devices on the network must comply with the Policy requirements. It is essential to maintain an updated inventory of all network-connected devices to facilitate troubleshooting and incident investigation.
Conclusion
The Campus Network Segmentation Policy improves digital security and helps keep all faculties compliant. We anticipate a straightforward rollout and beneficial results for HKU members. If you have any questions, please reach out to the ITS Helpdesk at ithelp@hku.hk.