Protected Subnet Guideline

NOTE: The Information Security Office recently updated the UC Berkeley's Data Classification Standard and Protection Profiles for the Campus. These number changes are reflected on this page.


UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance for boundary defense requirements.


Resource Proprietors and Resource Custodians must implement core system devices on protected subnets.

Description of Risk

Attackers can discover and exploit vulnerabilities in services and applications that do not need to be open to untrusted networks. A compromised system may be able to send confidential data to unauthorized systems.


One method of controlling the security of large networks is to divide them into separate logical network grouping of covered devices called protected subnets. Each protected subnet must be secured by MSSEI managed firewall to segregate the covered devices from public internet and networks hosting non-covered devices.  Protected subnets can also host lower protection level devices (e.g., UC P2/3 and UC P1 devices) as long as all devices on a protected subnet complies with MSSEI controls required of the highest protection level devices.

In addition, a subnet cannot be deemed a "Protected Subnet" if it contains systems and applications that grant access solely based on an implicit trust. For instance, if a UC P4 system is isolated on its own network subnet, but allows access based solely on IP address (e.g. poor .rhosts configuration on a Unix system, or NFS file shares that grant access based solely on user ID or group ID), then the subnet is not a Protected Subnet.

Managed firewall and other networking devices (e.g. routers, switches, etc) used to secure protected subnets must also be secured from physical tampering.  That includes the following physical security controls:

  • Physical access to network equipment must be protected by a locked door and/or cabinet.
  • Physical access to open network ports connected to protected subnet must also be protected by a locked door and/or cabinet.  Unused open network ports connected to protected subnets should be disabled unless required for valid business purposes.
  • Key access to network equipment and open network ports must be limited to individuals who require access for valid business purposes.

Protected subnets must also not be attached to any wireless network. Specifically:

  • Wireless routers must not be physically attached to the any data port on the protected subnet, which includes networking devices (e.g. firewalls, routers, switches) connected to the protected subnet.
  • Covered devices connected to the protected subnet should not be simultaneously connected to a wireless network.

If covered devices reside in a protected subnet that utilizes Network Address Translation (NAT) technology, resource proprietor and resource custodian must also ensure the NAT device complies with the Security Policy for NAT Devices

On This Page