Steven Ferguson says a layered security approach that includes a firewall, access-control software, monitoring tools and gateway filters keeps the Technical College System of Georgia's network secure.

Aug 05 2011

Network Gatekeepers Keep Malware and Spyware at Bay

As malware grows in volume and sophistication, colleges and universities add new layers to their security defenses.


Statistics can be manipulated, exaggerated or pulled out of thin air. Yet even the harshest skeptic would have a hard time dismissing a June 2011 survey by the Ponemon Institute and Juniper Research reporting that 90 percent of organizations have experienced a security breach within the past year. Even with an enormous margin of error, that figure is daunting.

Further underscoring the potential threat is a 2010 Trend Micro study indicating that malware hit education harder than any other sector. The good news is that institutions are fighting back – and many are winning. The key, experts say, is a layered approach to network security that evolves as the threats themselves change.

"It's no longer just people writing code for fun," says Steven Ferguson, senior network engineer at the Technical College System of Georgia (TCSG) in Atlanta, speaking of cybercrime. "They're writing it for profit. It's a business."

Initially, IT departments worried about web security, explains Ferguson. Then e-mail was the big threat, followed by phishing schemes. The same threats exist today, but they are magnified by social networking and mobile devices. "People share too much," he says.

To slow the information overload, more institutions are employing application control and implementing granular user- or group-based access to some targeted Web 2.0 applications, according to John Grady, a senior security products analyst for IDC. For instance, students can access Facebook, but they can't share files or chat on the site.

Other security layers include redundant equipment, well-planned refresh cycles, encryption, intrusion prevention products and data loss prevention suites, says Grady.

As cyber breaches become less a question of if than when, those layers are critical. "All it takes is one disenchanted person with connections or the skill set to break in and wreak havoc," says Grady.

A Delicate Balance

TCSG has 13,000 employees and more than 160,000 students (traditional and online) throughout 26 colleges. That translates into a lot of vulnerabilities.

"The biggest overall threat is malware and spyware, and that comes from students, instructors and staff," says Ferguson. "In an ideal world, everything would be locked down, but that's not feasible. We have to balance usability and functionality against security. You can't kill everything."

Rather than stifling legitimate network traffic, TCSG uses various tools to render attackers powerless. A strong firewall and access-control software limit who can get onto the network, then desktop and server antivirus software and various monitoring tools protect against breaches.

TCSG uses various web security products from Barracuda Networks while leveraging a different manufacturer for e-mail security. "If one manufacturer misses something, the other one catches it," explains Ferguson.

The tools watch traffic as it enters the network, then look for anomalies within and on the way out. That way, even if malware gets past the firewall, it can't do its job and send the information it collects back out of the network.

While such tools help Ferguson sleep at night, he believes a comprehensive user education program is the foundation for network security. And, he says, users need to be reminded of safe practices again and again. "It's one of the most important pieces."

Know Thine Enemy

What you don't know won't hurt you. It's a catchy saying, but not a fitting mantra when it comes to network security.

Ohio's Cedarville University had long used iptables, the standard firewall built into Linux. It blocked IP addresses or ports, but it didn't have malware protection or antivirus, says Nathan Hay, network engineer. Plus, it was difficult and time consuming to manage. "We hadn't had any issues," he says, "but we really didn't know what was going on."

In 2006, Cedarville moved to the SonicWALL PRO 5060, an Internet security platform that scans for peer-to-peer file sharing and can detect people trying to hack into the network.

The school bought two units, so if one went down, the other could pick up the load. Aside from added security, the PRO 5060's virtual private network client gave Cedarville its first remote desktop capabilities.

To accommodate the steady increase in Internet traffic, Cedarville upgraded to SonicWALL E7500 network security appliance devices in summer 2009. The features are similar to the old solution, but the new devices are faster and can handle more bandwidth. They also have Secure Sockets Layer VPNs, so remote users can access the network via web browsers.

Policy Wonks

Years ago, when a faculty member at Sinclair Community College in Dayton, Ohio, brought in a personal wireless access point, he inadvertently shut down the school's network. The access point had a Dynamic Host Configuration Protocol server on it, and it responded to DHCP requests with incorrect IP addresses, blocking access to the network.

That would be impossible today because Sinclair's network policies prohibit PCs from handing out IP addresses to other PCs, that is, from acting as DHCP servers. The school has similar policies in place with regard to mail and web traffic. Essentially, PCs, wireless access points, printers and other devices are blocked from performing functions that are atypical for them. So, for instance, viruses that turn PCs into mail servers can't operate on the network.

"The network doesn't block PCs from trying to talk to a server," explains Scott A. McCollum, director of IT services. "It blocks PCs from trying to be a server."
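The rogue access point above handed out bad addresses because nothing checked who was allowed to answer DHCP requests. The following is an added example, not Sinclair's configuration or Enterasys code: it parses raw DHCP packets and flags server-side messages (OFFER/ACK) that do not come from an allowlisted server, the same "PCs may not be servers" policy expressed as detection logic. The allowlist address and the packets are constructed sample data.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options in a BOOTP frame
DHCPOFFER, DHCPACK = 2, 5            # option 53 values that only a server should send

# Constructed allowlist: the only hosts permitted to answer DHCP requests on this segment.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header plus the two options this policy needs (53 and 54)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen = struct.unpack("!BBB", packet[:3])
    msg = {
        "op": op,                                              # 1 = request, 2 = reply
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),   # address being offered
        "chaddr": packet[28:28 + hlen].hex(":"),               # client hardware address
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == 255:          # end of options
            break
        if tag == 0:            # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            msg["msg_type"] = value[0]
        elif tag == 54 and length == 4:
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg

def is_rogue_offer(packet: bytes, src_ip: str) -> bool:
    """True when a server-side DHCP message arrives from, or claims, an unauthorized server."""
    msg = parse_dhcp(packet)
    if msg["op"] != 2 or msg["msg_type"] not in (DHCPOFFER, DHCPACK):
        return False            # DISCOVER/REQUEST traffic from clients is expected
    claimed = msg["server_id"] or src_ip
    return src_ip not in AUTHORIZED_DHCP_SERVERS or claimed not in AUTHORIZED_DHCP_SERVERS

def build_offer(server_ip: str, offered_ip: str, client_mac: bytes) -> bytes:
    """Build a minimal DHCPOFFER as constructed test input (not captured traffic)."""
    header = struct.pack("!BBBB4sHH", 2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0)
    header += ipaddress.IPv4Address("0.0.0.0").packed            # ciaddr
    header += ipaddress.IPv4Address(offered_ip).packed           # yiaddr
    header += ipaddress.IPv4Address(server_ip).packed            # siaddr
    header += ipaddress.IPv4Address("0.0.0.0").packed            # giaddr
    header += client_mac.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    options = bytes([53, 1, DHCPOFFER, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC_COOKIE + options
```

On a real switch this check is what DHCP snooping does per port; here it runs over packet bytes so the logic can be tested offline.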

Creating policies that prohibit unnecessary communications is one of the easiest, most effective ways an institution can protect itself, says McCollum. The college uses Enterasys equipment to identify users and devices and assign policies based on those identifications. Known users and devices get the highest level of access. Known users with unknown devices, such as a professor using a personal tablet, can access mainly web-based services on the network. Unknown users and devices can only access a separate guest network.

Sinclair blocks peer-to-peer file sharing on campus and, 15 years ago, was one of the early adopters of firewalls in higher education. Another tool in its security arsenal is a standardized PC image. Sinclair uses Microsoft Application Virtualization so that users can log in to any computer on campus to access the applications they need.

Strong tools can only go so far, says Cedarville's Hay. A well-planned strategy is essential. Even if your school doesn't have a full-time security person, he says, "you need to think about security from the very beginning – don't do it after the fact."

Ship-Shape Network

For two-month stretches, scientists aboard the JOIDES Resolution research vessel drill deep into the seafloor. They capture rock, volcanic lava and sediment dating back 80 million years to learn about the Earth's formation and changes in climate, sea levels and marine life. Then the ship returns to port for five days before a new team sets out on another expedition.

Five days – that's how long the IT department at Texas A&M's Integrated Ocean Drilling Program (IODP), which operates the ship, has to connect all of the new users and devices to its wireless network. It's a challenge that's all too familiar at college and university IT departments. But instead of enrolling thousands of new students each year, the IODP has about 100 users, each with their own computers, to set up every other month. "The numbers are different, but the same principles apply," says Grant Banta, IODP marine computer specialist.

In the past, the IODP IT staff manually checked each computer during port call and connected it to the network. But in 2009, they automated the process with the Enterasys Network Access Control solution. "It has saved us many, many, many staff hours," says Banta.

Before each expedition, passengers get credentials to connect to the network and instructions to install the Enterasys agent on their computers. Once installed, the system scans their devices to ensure that their systems meet IODP's acceptable usage policy, which requires that users' firewalls be enabled and that they have up-to-date antivirus software. If not, users are given a quarantined role with access to instructions or links to resolve the problems, such as a page where they can download McAfee antivirus. Once connected, users are divided into groups with different sets of policies based on their needs. Banta can prohibit certain processes and applications, such as Skype, and have the system scan for them at regular intervals.
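Both the Sinclair tiers (known user and device, known user on a personal device, unknown) and the IODP posture check (firewall on, antivirus current, no prohibited processes, otherwise quarantine) are network access control decisions. The block below is an added illustration of that decision logic, not Enterasys NAC code or either school's policy; the user and device inventory, the seven-day antivirus freshness window and the blocked-process list are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed inventory: what the NAC already knows about people and managed machines.
KNOWN_USERS = {"banta", "jsmith"}
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01"}   # standard-image, institution-managed hardware
MAX_AV_AGE = timedelta(days=7)          # assumed: definitions older than this are "out of date"
BLOCKED_PROCESSES = {"skype.exe"}       # assumed process name for the prohibited application

@dataclass
class Endpoint:
    user: str
    mac: str
    firewall_enabled: bool
    av_definitions: date | None         # None means the agent found no antivirus at all
    running: set[str] = field(default_factory=set)   # process names seen by the periodic scan

def posture_failures(ep: Endpoint, today: date) -> list[str]:
    """Return every acceptable-use check the endpoint fails; an empty list means compliant."""
    failures = []
    if not ep.firewall_enabled:
        failures.append("host firewall disabled")
    if ep.av_definitions is None:
        failures.append("no antivirus installed")
    elif today - ep.av_definitions > MAX_AV_AGE:
        failures.append("antivirus definitions out of date")
    failures += [f"blocked process: {p}" for p in sorted(ep.running & BLOCKED_PROCESSES)]
    return failures

def assign_role(ep: Endpoint, today: date) -> tuple[str, list[str]]:
    """Identity sets the ceiling (full / web-only / guest); a failed posture check drops
    a known user to quarantine, where only remediation pages are reachable."""
    if ep.user not in KNOWN_USERS:
        return "guest", []              # unknown user: isolated guest network only
    failures = posture_failures(ep, today)
    if failures:
        return "quarantine", failures   # reasons are what the remediation page shows the user
    if ep.mac in KNOWN_DEVICES:
        return "full", []
    return "web-only", []               # known user on a personal device
```

Re-running assign_role on each periodic scan is what lets a user who later starts a blocked process fall back to quarantine without a new login.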

Most expeditions have at least one educator who hosts a video conference so that students and teachers at schools and museums around the world can interact with the scientists and learn about the research vessel's mission. With the Enterasys platform, Banta created a wireless network used solely for video conferencing so that, if need be, he can move all the users aboard the ship to a group with no Internet access, freeing up bandwidth for the video conference.

"There are all sorts of options, depending on what you're dealing with," he says.

Quantrell Colbert