Oct 31 2006

Is Your Network Secure?

Three institutions share their best practices that ensure uninterrupted operation of their networks.

The network of a typical institution of higher education has grown tremendously in the past decade. Dozens of schools may be connected to the same system on campus, and hundreds of research centers, government departments and other partners may be tied into the system. Thousands of devices may be attached, and tens of thousands of individual users may be on the system—working, playing and, occasionally, mischief-making.

Consider California State University Monterey Bay (CSUMB), which has joined a local network of public and private organizations. Its mission includes not only collaborative on-campus learning, but also “service learning,” in which students work with city agencies, nonprofit organizations and other schools in the community. They often go onsite at those locations and need access to the same networked information they’d be able to get on campus.

That access is facilitated by a three-year-old city network to which CSUMB and more than nine other government, research and educational institutions are connected. This community network came about when the city, in the course of its negotiation of a new cable franchise, required the communications provider to provide dark fiber for the city’s use. (Dark fiber is excess fiber left unused by the provider after installation.) The city, in turn, provided dark fiber capacity to the university at favorable rates. However, this interconnection increases the work for network planners and administrators.

Security remains a decentralized concern. “It’s an issue we’re all wrestling with,” says Gilbert Gonzales, CSUMB’s CIO. Currently, each connection to the network is managed by the owner of that connection. “There is a gray area, or the common part of the network, [for which] we’re looking at different tools.”

Everyone’s Connected

Network security requires individual users and network managers to ensure that no one uses their systems to interfere with or damage anything on another connected network.

“If we can keep [other schools’] machines safer, that helps us,” says Charles Perkins, co-team leader of information services at Barton County Community College (BCCC) in Great Bend, Kan. Like CSUMB, BCCC is also linked into a wider network known as KanREN (Kansas Research and Education Network), and BCCC connects straight into its backbone.

“Students traditionally have time on their hands, and given large Internet connections like we and KanREN have ... students can use that for [malicious] activity,” says Perkins. To protect BCCC’s system and the systems of the other organizations connected to KanREN, Perkins and his co-team leader, Amy Oelke, put a new security regime in place.

That regime includes being prepared for future challenges by updating firewalls to handle the security protocol of the new version of Internet Protocol known as IPv6. Perkins notes that Internet Protocol version 6 probably has new security issues that are as yet unknown, and he wants to find them now before IPv6 is widely rolled out.

Barton has an information technology staff of only seven people managing 14 physical and 30 logical network segments. To help them work more effectively, the team installed a Check Point Software Technologies system to simplify network management with a dashboard interface for easy status viewing of various elements. It also gave Barton an easy way to view activity logs on the network, something it can now do within a couple of seconds, but which was “more or less impossible” previously, according to Oelke.

For example, with Check Point, Oelke can better identify patterns of inappropriate system activity before they harm her school or another KanREN institution. “We didn’t want the other schools saying, ‘One of your students is hacking into our system,’” she says.

Oelke explains that having ready access to logs and the information contained in them—including being able to look into a data packet and see if there is malicious code in it—allows her team to prevent dangerous code from infecting the system.

Knowing Who Does What

Even when the network in question is a local one and not communitywide, the challenges require around-the-clock monitoring.

The University of Florida (UF) in Gainesville has to support its faculty and more than 49,000 students with more than 50,000 connected devices. There are actually a handful of networks that work together, including networks serving student housing, a teaching hospital, a health science research center and the general campus.

The following steps will help keep a network up and reduce security breaches:

1. Isolate servers based on function. UF separates parts of the server network that have radically different uses. During the past five years, the housing network has been reimplemented and separated from the campus network in terms of firewalls and network traffic.

“Everything there is now done in a different way to isolate traffic and enforce different policies on the dorm network from the campus network,” explains Mike Conlon, UF’s director of data infrastructure.

Separation of that traffic helps protect administrative and research systems from viruses and other threats that come with student file sharing.

2. Implement intrusion detection. The data center team beefed up UF’s intrusion detection and response capabilities so they can spot and take immediate action within minutes of intrusion-detection alarms going off. “There are people monitoring the network full time,” he says.

For five years, UF has had a team devoted 100 percent to security, working on intrusion detection and response, education and training of system users on security matters, and maintaining records of server usage. Conlon says he’s found that a lot of the university’s departments have data and applications at risk. He adds that, in the past, UF had an awareness of its security challenge, but now it has “awareness, monitoring and response.”

3. Establish a “quick response” chain of command. The University of Alaska in Fairbanks (UAF) established a 24 x 7 rapid-response team spread across its seven campuses to deal with problems and threats to the network.

“Organizationally, we have a clear chain of command across the system for making decisions that may involve pulling network access for an individual, a department, a campus or the system,” says Steve Smith, UAF’s chief information and technology officer.

4. Allow “free exchange” within policy guidelines. Smith places a high priority on identity management. He stresses the need to strike a balance between stability and “not locking things down so tightly that we lose the essential nature of a university environment, which is as free an exchange of information as possible between a broad community.”

Local vs. Enterprisewide

UF’s Conlon adds that universities have “outgrown the kind of mom-and-pop approach” to handling servers and networks that was common 15 years ago. Back then, the expertise tended to be better at the local level than at the institutional level.

Today, administrators need a lot of training to handle applications and systems that are more complex than older systems. Newer skills may include object-oriented programming or understanding Web services. IT leaders report providing that training with internal IT department instruction, the campus’s computer classes and off-campus industry training seminars.

“You used to have one or two servers,” Conlon says. “Now you have departments with 15 to 20 servers.” E-mail, too, used to be a local concern, but today there are local and centralized mail servers, and users are accessing e-mail from their desktop, home and on the road. That means more equipment, more software and more administrative attention.

Several years ago, when Ralph Michaelis first came to Carleton University in Ottawa, he was the project director for an effort to redo the campus network. The university agreed on an aggressive schedule to rearchitect the network and add related services over a three-year timeframe.

If the network revamp had been done slowly, it would have taken many more years than the schedule that was decided on. There had been growth in the academic use of the network, and the pressure was being especially felt from the expansion of researchers’ use of the system.

Adding to the strain on the network, just two years earlier, the institution had replaced its administrative systems, moving from a mainframe to a Web-based client-server enterprise resource planning system and “a much higher reliance on the network, because everything went from being very centralized to being very distributed,” says Michaelis, who was promoted to CIO in 2003.

Carleton replaced its flat single-layered network with a traditional three-layer network, with a core, an edge and an access layer. “That allows us to manage it more easily and to extend and modify—not at the port level, but as we need to modify the network, we can do it within a building,” says Michaelis.

Carleton and other institutions of higher education are using these tools and many others to support their role as defenders of crucial campus networks. With a focus on easy-to-use technology for managing their systems and watching for—and correcting—problems, they can guard their own systems and be good partners with the many other institutions with which their campus systems are increasingly interacting.


Here are some best practices that can ensure the stability and security of your networks:

PRACTICE: Isolate traffic on different servers.
BENEFIT: Separating parts of the campus that have vastly different uses for a system can help you provide higher security where it is needed (such as with administrative databases or research programs) and lower security where ease-of-use is more highly prized (such as residence hall networks).

PRACTICE: Study your network traffic.
BENEFIT: By reading security system traffic logs and peering inside data packets, you can look for patterns of abuse and for malicious code that might not be visible with less-intrusive methods.

PRACTICE: Update firewalls.
BENEFIT: Protective software that works with your current network is tuned to deal with the here and now. Keep those programs updated with the latest virus and malicious code data, and plan ahead for larger changes, such as the introduction of Internet Protocol version 6, which will bring a new set of security issues.

PRACTICE: Set up an emergency response team.
BENEFIT: By having a team that is tasked with watching for and reacting immediately to threats on the network, you reduce the amount of time that dangerous code or a malicious visitor has to wreak damage.

Managing Your Network

These three key steps can help you manage your campus network more effectively.

1. Leverage your partnerships. When staff or students work offsite with research or business partners, they get valuable insight into how the decisions you make on your network will impact the other organizations connected to it. “These are opportunities to build up pilots and understand the implications of design decisions,” says Gilbert Gonzales, CIO of California State University Monterey Bay.

2. Build a feedback loop. When Ralph Michaelis, CIO at Ottawa’s Carleton University, began putting together a plan to redesign his institution’s network, he met with as many departments and divisions as he could to learn how they were using the system. During the implementation period, communicating the progress of the implementation was high on the list of priorities, and managing communication within the building was critical.

3. Balance centralization and localization. As networking technologies grow increasingly complex and intertwined, many smaller departments may be less likely to handle local network management. But that does not mean local IT managers will become extinct. Mike Conlon, director of data infrastructure at the University of Florida in Gainesville, notes that local knowledge is key for many network management responsibilities.

John Burton is a San Francisco-based freelance writer who specializes in technology.