Evaluating Intrusion Prevention Systems in Higher Education
Colleges and universities continue to find themselves the targets of large-scale cyberattacks. Some of these come from foreign sources, such as Iranian hackers targeting university professors or Chinese attackers seeking out sensitive defense-related research. Others are more mundane, such as the phishing attack that compromised two East Tennessee State University employees’ email accounts.
No matter the source, the bottom line is clear: higher education institutions have valuable information and resources, and attackers are actively working to steal those valuable assets.
Institutions around the country are turning to intrusion detection and intrusion prevention technology to play an important defensive role against these cyberthreats. The University of Michigan and Temple University both recently deployed intrusion prevention technology to protect their networks from attack. Other institutions are either actively deploying or evaluating intrusion prevention solutions in an effort to build stronger network perimeters that actively defend against cybersecurity threats — and help keep their name out of the headlines.
Let’s take a look at the role of intrusion prevention systems on a campus network, some of the challenges raised by this technology and strategies that institutions can use to evaluate IPS options.
The Role of Intrusion Prevention Systems in University Cybersecurity
IPS technology works by monitoring network traffic and system actions for signs of malicious activity such as intrusions. Most IPS technology relies on signature detection, which consults a database of known attack patterns and flags any activity that matches those patterns. When the IPS detects a match, it selects an automated response from a set of options, ranging from logging the activity and alerting an administrator to automatically blocking the traffic to prevent it from entering the network.
In a typical IPS deployment, the institution places a dedicated IPS network device in line with the external internet connection. This requires a device that is capable of keeping up with the scale of the institution’s network traffic. The device then inspects each network packet as it passes and blocks suspicious activity before it enters the network.
This approach allows rapid, automated responses to security threats on campus networks. That shifts the incident response posture from the typical reactive approach used when investigating a suspected incident to a proactive approach that blocks the incident from occurring in the first place.
Challenges to Intrusion Prevention System Deployment
While IPS technology does play an important role in protecting a network from attack, the use of IPS solutions may have drawbacks as well. One major operational challenge comes from the fact that no security technology is foolproof. An IPS can make errors and incorrectly flag legitimate traffic as potentially malicious.
This type of error, known as a false positive alert, may cause significant operational impact because of the proactive nature of an IPS. The system is designed to respond immediately and automatically, without any human intervention. The end result is that false positive alerts will automatically block network activity that was actually legitimate, potentially disrupting critical business functions.
The second challenge is scaling IPS to accommodate the bandwidth demands of a modern educational network. IPS devices deployed in line with a network become a choke point for network activity and must be capable of handling the peak throughput of the network. Otherwise, they risk throttling network activity and disrupting legitimate use.
Of course, there’s a trade-off here because IPS devices that are capable of handling high throughput are also extremely expensive. In addition, the implementation of a single IPS device introduces a single point of failure into a network design, prompting most organizations to deploy redundant solutions, further increasing the cost of an IPS deployment.
Kicking off an Intrusion Prevention System Evaluation
While colleges should be cognizant of the challenges posed by IPS technology, these should be seen simply as design considerations rather than absolute barriers to deployment.
False positives are extremely problematic for IPS deployments and can derail a pilot project if they are not carefully managed. For this reason, administrators planning an IPS deployment should first implement the technology in alert-only mode.
This strategy, also known as intrusion detection, lets cybersecurity teams see how the IPS functions and what type of traffic it alerts on — without disrupting real-time network activity. Pilot teams can use alert mode as an opportunity to fine-tune the IPS deployment to reduce the number of false positive alerts before deploying the device in intrusion prevention mode.
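One way to run the alert-only tuning pass described above, shown as an added example that is not from the original article or from any vendor: it takes analyst-triaged alerts collected during a pilot and decides, per signature, whether blocking can be enabled. The signature names, the sample data and the thresholds (`max_fp_rate`, `min_samples`) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed pilot data: (signature, analyst verdict) for alerts raised in
# alert-only mode. Signature names are hypothetical, not from a real ruleset.
PILOT_ALERTS = (
    [("SSH-BRUTE-FORCE", "malicious")] * 40
    + [("SQLI-UNION-SELECT", "malicious")] * 27
    + [("SQLI-UNION-SELECT", "benign")] * 3           # e.g. library database queries
    + [("LARGE-OUTBOUND-TRANSFER", "malicious")] * 2
    + [("LARGE-OUTBOUND-TRANSFER", "benign")] * 58    # e.g. research data uploads
    + [("RARE-EXPLOIT-KIT", "malicious")] * 2
)

def recommend_modes(alerts, max_fp_rate=0.01, min_samples=20):
    """Return {signature: (mode, fp_rate, total)} for each signature seen."""
    counts = defaultdict(lambda: {"malicious": 0, "benign": 0})
    for signature, verdict in alerts:
        counts[signature][verdict] += 1
    plan = {}
    for signature, c in counts.items():
        total = c["malicious"] + c["benign"]
        fp_rate = c["benign"] / total
        if total < min_samples:
            mode = "alert"   # too little evidence to block automatically
        elif fp_rate <= max_fp_rate:
            mode = "block"   # safe to promote to prevention mode
        else:
            mode = "tune"    # stays alert-only until the rule is refined
        plan[signature] = (mode, round(fp_rate, 3), total)
    return plan

def blocked_legitimate_flows(alerts, plan):
    """Benign flows that would be dropped if `plan` were enforced on this traffic."""
    return sum(1 for sig, verdict in alerts
               if verdict == "benign" and plan[sig][0] == "block")

if __name__ == "__main__":
    plan = recommend_modes(PILOT_ALERTS)
    for sig, (mode, fp, n) in sorted(plan.items()):
        print(f"{sig:26} {mode:6} fp_rate={fp:.3f} n={n}")
    print("legitimate flows blocked under plan:",
          blocked_legitimate_flows(PILOT_ALERTS, plan))
    block_all = {sig: ("block", 0.0, 0) for sig in plan}
    print("legitimate flows blocked if every rule blocks:",
          blocked_legitimate_flows(PILOT_ALERTS, block_all))
```

Replaying the pilot traffic against both plans puts a number on the disruption that an untuned switch to prevention mode would have caused.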
The challenge of scaling an IPS solution to meet the bandwidth demands of a campus internet connection can be even greater if funding isn’t available to purchase appropriately sized devices. In this case, cybersecurity professionals may approach a pilot project by implementing IPS technology on a smaller-scale network. Instead of placing the initial IPS device at the campus internet border, it might be deployed to protect a smaller, more sensitive network.
For example, an IPS might be used at the perimeter of a campus data center to segment off a sensitive research network or to filter traffic headed to a medical center. This initial deployment can add proactive defense to a high-risk area and serve as a proof of concept for a larger deployment.
Intrusion prevention technology plays an important role in building a robust, defense-in-depth approach to cybersecurity. Campuses not currently using an IPS should consider a pilot deployment that allows them to evaluate the technology in a real-world setting.