Oct 08 2008

Enemy at the Gates

Universities protect their network gateways with heavy defenses.

Swarming botnet attacks, spam overloads and stealthy unauthorized-access techniques have university and college IT managers fortifying their electronic defenses, looking for any advantage to stop problems before they make it into the schools’ systems.

“There are so many people in the system nowadays, including more hackers, and we’re also much more reliant on technology to store sensitive data,” says Kevin Bubb, chief information officer at Lansing Community College (LCC) in Michigan.

All types of users (from hackers looking to create mischief or steal information to students seeking to alter their grades) see the treasure trove of combined information resources as a target. So Bubb and a growing number of university technology leaders fortify their network gateways using a variety of hardware, software and strategies that serve the unique needs of educational institutions, specifically the active exchange of information.

Traditional protections such as firewalls no longer meet that requirement, says Johannes Ullrich, chief technology officer for the SANS Institute’s Internet Storm Center, a major provider of network security training. “Fifteen years ago you could say, ‘I only want to accept traffic on certain ports.’ Because of the web, though, you need other ways to inspect traffic,” Ullrich says.

LCC’s enterprise resource planning system contains everything, from student addresses and Social Security numbers to academic and financial-aid records, and operates under the Family Educational Rights and Privacy Act, which strictly protects education records, Ullrich says.

At the same time, IT directors must measure growing security requirements against one of their primary objectives as university IT administrators: “You have to balance security with ease of access to data,” Bubb insists. “People still have to do their jobs.”

Strengthen the Perimeter

LCC’s 32,000 students, faculty and staff do not want their e-mail encumbered by spam or infected with viruses and worms, says Bubb.

In August, LCC launched a perimeter defense project to block unwanted e-mail, installing two IronPort C350 Email Security Appliances and Dual C350 three-year, antispam licenses. As additional protection for e-mail, the school installed an IronPort M650 Security Management Appliance to centralize reporting and statistics from the C350s. The network consists of three p-Class HP blade servers and Cisco Catalyst 6500 series switches with a Multilayer Switch Feature Card.

“Many spam messages a day were making it through our filter,” says Bubb, adding that spam accounted for as much as 95 percent of what reaches student mailboxes. “It did have a large impact on our system’s capability. And there was always a danger that one would get through and someone would open an attachment that had a virus. Now our spam will virtually go down to zero,” he says.

The appliances, which took a day to install and a week to test, reside inside the network’s Cisco Adaptive Security Appliance firewall. Using Sophos virus protection and a regularly updated reputation filter with a sender base gleaned from more than 100,000 networks worldwide, the devices are disposing of 95 percent of all incoming e-mail. The remainder goes through a spam-scrubbing engine, which quarantines another 2 percent as suspicious e-mail for recipients to inspect; the last 3 percent moves on to the school’s e-mail servers.

“You can essentially determine at the edge of your network whether a message is good or not,” says Scott Schafer, a senior network analyst at LCC.

“It reduces network usage and the impact on our mail servers,” adds Bubb, who says it also increases the visibility of his department. “Many people think of us as just a cost center. We also want to communicate that we are being vigilant and that the entire campus can see an improvement in e-mail processing.”

More Data Means Harder Security

“A faculty research network is the toughest to administer as far as security goes,” confirms the SANS Institute’s Ullrich. Ullrich and Richard Kogut, chief information officer at University of California, Merced, point out that not only is there widespread sharing of ideas and data within university walls, there is also vital back-and-forth communication with other schools, research facilities and industry partners. UC Merced also runs mailing lists, wikis and websites on which outsiders collaborate regularly.

Kogut accepted his network security mandate as a chance to put together best practices in a single installation. “We are starting legacy-free,” he notes. As an example, he points to the installation of a centralized directory for identity management — especially important because individuals connected to universities possess multiple identities, whether as students, alumni, staff, faculty or others. In contrast, Kogut points out, many other university IT departments have to deal with different directories from the various schools within their universities.

The identity management system is only part of a security solution that Kogut describes as “a more open approach of secure islands to filter bad traffic” and “defense in depth” on multiple levels. The university’s most sensitive data functions reside behind a firewall consisting of Juniper NetScreen-500 security systems. Before anything touches that firewall, though, it comes through the large Extreme Networks Black Diamond 6804 border routers for each of the two California Research and Education network connections, and then through Black Diamond 10808 core switches configured redundantly.

“The routers block protocols that we know we don’t use and ports on which we know hacker attacks occur,” Kogut explains. The core switches prefilter incoming data and send any suspicious transmissions to a set of Extreme Networks Sentriant hardware-assisted intrusion prevention devices, which examine the contents for everything from probes to denial-of-service attacks.

Regardless of all the new high- powered security hardware and software, Kogut and other university technology officials stress that basic security efforts make a big difference. “The ultimate defense is that every server and individual computer needs to be secure with properly configured antivirus software and an internal firewall,” Kogut says, adding that Windows XP and Vista have firewalls built in.

The computers at LCC employ the Windows screen saver that times out periodically and requires users to resubmit passwords. Lansing’s CIO Bubb also recommends using antivirus programs from two different manufacturers simultaneously. While the school’s IronPort devices use Sophos, the computer fleet is equipped with McAfee. Good network policies and common sense ward off trouble, says Kogut. Network gateways are the front-line defense in a world that can be hostile to networks designed to be open to as many people as possible. Protecting them is essential.

Watch the Wireless

Nets At DePaul University in Chicago, the growth of the wireless network — more than 300 access points distributed across six campuses — altered the school’s security strategy. Using the standard Wired Equivalent Privacy (WEP)-encrypted service set identifier forced authorized users to go through the cumbersome steps of getting a complex hex key from the web server and individually configuring their notebooks, according to network administrators.

“It was a very manual process, and we were looking for an easier option,” network engineer Nicola Foggi recalls. Mistakes in that process and lost hex keys clogged the help desk, especially as DePaul made Wi-Fi available in the school’s residence halls.

So almost three years ago — and for little more than $100,000 — DePaul deployed two SonicWall Aventail E-Class EX-2500 appliances, which run an enhanced Secured Sockets Layer (SSL) VPN platform. Those trying to log on to the wireless system enter a segregated network and, once authenticated, connect to the main network through closed VPN tunnels using an internal network IP address. Each user connection is also individually encrypted using the SSL protocol.

Administering the new system has become easier as well, Foggi adds. Wireless connectivity still uses WEP encryption but with a shared encryption key that PCs and Macs automatically detect upon login and that deploys the VPN agent. And the tunnel’s Layer 3 connectivity allows DePaul’s IT staff to manage security centrally on a single appliance.