Oct 18 2021

Next-Generation Firewall and IPSs Offer Proactive Protection for Higher Ed Networks

As ransomware attacks reach record highs, universities and colleges use intrusion prevention systems to automate threat detection and response.

With increasingly destructive ransomware attacks targeting higher education, it is critical for IT leaders to strengthen their defense-in-depth design this academic year. The current threat landscape requires schools to secure remote operations as well as physical campuses.

“Not only do you worry about what kind of endpoints are out in the wild but you still have to pay attention to what’s happening in the on-premises environment,” says Duke University CISO Richard Biever. “Are servers getting patched? Are vulnerabilities being addressed? Can you detect signs of an intruder coming in?”

In today’s highly distributed technology environment, visibility is crucial for any cybersecurity framework. However, during the rush to emergency remote learning, many schools lost that capability. “I think it’s safe to say many educational institutions are playing catch-up and just now grappling with ramping up their cybersecurity infrastructure,” says Lisa Plaggemier, interim executive director of the National Cyber Security Alliance.

In a Twitter poll posted September 1, EdTech: Focus on Higher Education asked readers to rank the solutions that are most critical for bridging cybersecurity gaps. Nearly 40 percent said next-generation firewalls (NGFWs) and intrusion prevention systems (IPSs).

Here’s a look at how two institutions with strong security postures — Duke University and the University of Michigan — are using these tools to monitor a sprawling attack surface.


Using Deep Packet Inspection to Detect New Forms of Threats

NGFWs differ from traditional firewalls because they can use threat intelligence information to identify and prevent unknown attackers from breaking into networks. NGFWs combine multiple security technologies — such as intrusion prevention, application visibility and web security capabilities — into a single platform.

If you create firewall rules based on IP addresses or ports in traditional firewalls, “You are implicitly trusting that all the traffic traversing between those IP addresses and over those ports is fine,” Biever says. “But how do you know that the traffic coming over port 80 is just a user browsing your website, versus an attacker sending an exploit to gain access to your underlying content management system?”

NGFWs can address this issue by offering additional context via deep packet analysis. “IPSs are designed to look at Layer 7 and perform deep packet analysis to say, ‘This traffic coming in is not what we expected to see. It matches up with these indicators of compromise, these definitions or these block lists. Therefore, let’s drop it,’” Biever says.


University of Michigan Director of Networks Eric Boyd says it’s one reason the tool still plays an important role in securing his campus today. “By giving us that additional context, they can help us better detect new forms of threats,” he says.

According to Boyd, one of the major benefits that NGFWs and IPSs provide is visibility and scale. “They provide a single console that allows us to view multiple firewalls at once,” he says.
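The port-80 example above is the core of the difference between a traditional rule and IPS-style inspection. The following Python script is an added illustration for this article, not code from the article, from Duke or Michigan, or from any firewall vendor: it applies a port-based rule and a small Layer-7 check to the same constructed packets. The block-listed address, the user-agent indicator, the single signature and the sample requests are all constructed placeholders standing in for a real threat-intelligence feed.

```python
"""Port-based rule versus Layer-7 inspection on the same traffic.

Added illustration for this article; it is not code from the article, from
Duke, Michigan or any firewall vendor. Every indicator, signature and sample
request below is constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes  # application data carried by the TCP stream


def port_based_verdict(pkt: Packet) -> str:
    """Traditional rule: anything bound for TCP/80 is trusted, nothing is inspected."""
    return "allow" if pkt.dst_port == 80 else "drop"


# Constructed Layer-7 indicators standing in for a threat-intelligence feed.
BLOCKED_SOURCES = {"203.0.113.9"}           # TEST-NET-3 address, constructed IoC
BAD_USER_AGENTS = {"example-scanner/1.0"}   # constructed user-agent indicator
SIGNATURES = [
    # request path that tries to climb out of the web root
    ("sig-0001", re.compile(rb"^[A-Z]+ [^ ]*/\.\./")),
]

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.x request parser: (request_line, headers) or None if not HTTP."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None          # malformed header block: treat as not HTTP
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def layer7_verdict(pkt: Packet) -> tuple[str, str]:
    """IPS-style check: confirm the payload is what port 80 is expected to carry,
    then match it against indicators. Returns (verdict, reason)."""
    if pkt.src_ip in BLOCKED_SOURCES:
        return "drop", "source address on block list"
    if pkt.dst_port != 80:
        return "drop", "port not permitted"
    parsed = parse_http_request(pkt.payload)
    if parsed is None:
        return "drop", "payload on port 80 is not HTTP"
    request_line, headers = parsed
    user_agent = headers.get(b"user-agent", b"").decode("latin-1")
    if user_agent in BAD_USER_AGENTS:
        return "drop", "user-agent matches indicator"
    for sig_id, pattern in SIGNATURES:
        if pattern.search(request_line):
            return "drop", f"matched signature {sig_id}"
    return "allow", "clean HTTP request"


def http(method: str, path: str, ua: str = "Mozilla/5.0") -> bytes:
    """Build a constructed HTTP/1.1 request for the samples below."""
    return (f"{method} {path} HTTP/1.1\r\nHost: www.example.edu\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode()


SAMPLE_PACKETS = [
    Packet("198.51.100.7", 80, http("GET", "/admissions/")),             # ordinary browsing
    Packet("198.51.100.7", 80, http("GET", "/static/../../config")),     # hits sig-0001
    Packet("198.51.100.7", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # not HTTP at all
    Packet("203.0.113.9", 80, http("GET", "/admissions/")),              # block-listed source
    Packet("198.51.100.7", 80, http("GET", "/", "example-scanner/1.0")), # bad user-agent
    Packet("198.51.100.7", 8080, http("GET", "/")),                      # wrong port
]


def compare(packets: list[Packet]) -> list[tuple[str, str]]:
    """Side-by-side verdicts: (port-based, Layer-7) for each packet."""
    return [(port_based_verdict(p), layer7_verdict(p)[0]) for p in packets]


if __name__ == "__main__":
    for pkt, (port_v, l7_v) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src_ip:>14} :{pkt.dst_port:<5} port-rule={port_v:5} "
              f"layer7={l7_v:5} ({layer7_verdict(pkt)[1]})")
```

The port-based rule allows five of the six packets because they are addressed to port 80; the Layer-7 check allows only the first, and its reason string is the kind of context the article's sources describe. Note the "not HTTP" branch: a payload on port 80 that does not parse as a request is dropped outright, which is the "not what we expected to see" case in Biever's description.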

Getting Visibility into Higher Ed Cloud Environments

As hybrid learning and work become permanent fixtures in higher education, more institutions are migrating to the cloud. “One thing the pandemic has taught us is you might want your servers, services or applications in a cloud environment,” Biever says.

Through Software as a Service, universities can run Office 365, Google Workspace, Canvas, Slate and other applications in the cloud, which allows schools to benefit from cloud resiliency. With redundant workloads in the cloud, many servers and storage systems can continue operations even if a network goes down.

“Even when building apps internally, we don’t have to run it on a server internally. We can push those workloads into the cloud and have more resilience, more capabilities,” Biever says.

Virtual IPS solutions also play an important role in bringing visibility to higher education’s cloud environment. “If you’re spinning up resources in Azure, Amazon Web Services or Google Cloud, you can take Cisco, Palo Alto Networks or Fortinet — whatever your favorite IPS vendor is — and spin up a virtual instance of it in the cloud,” Biever says.


The downside is it may not always be cost-effective to do so. “The more of these you deploy, the more licensing costs you could incur. You have to find that balance,” Biever says.

To do so, it is important to identify and classify an institution’s most sensitive data.

“You have to go back to the idea of identify, protect, detect and respond,” Biever says. “Do you have an inventory of the resources you’re putting out in the cloud? Do you know what data you are pushing to cloud environments?”

Once the data flow is mapped out, universities can place microperimeters around their most sensitive data and use NGFWs to enforce them.

At the end of the day, however, no solution is a silver bullet.

“We know we’re going to be targeted so we plan and prepare to respond to attacks,” he says. “One way to do that is to have good log information about what’s touching and hitting your network, whether it’s on-prem, or in a cloud environment.”
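To make the inventory-to-microperimeter step concrete, the following Python script is an added illustration for this article, not code from the article, from Duke or from any firewall vendor. It takes a constructed data inventory with classification labels, derives explicit allow rules plus a default deny around each restricted asset (whether on-prem or in the cloud), evaluates constructed flows against them, and emits one JSON log line per flow. The asset names, RFC 1918 addresses, ports and flows are all constructed.

```python
"""Deriving a microperimeter from a data inventory and enforcing it on sample flows.

Added illustration for this article; not code from the article, from Duke or
from any firewall vendor. The inventory, addresses (RFC 1918 ranges) and flows
are constructed.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass, field

IPv4Net = ipaddress.IPv4Network


@dataclass
class Asset:
    name: str
    network: str                 # host address or CIDR
    location: str                # "on-prem" or "cloud"
    classification: str          # "public", "internal" or "restricted"
    allowed_sources: dict[str, list[int]] = field(default_factory=dict)
    # source CIDR -> TCP ports permitted to reach a restricted asset


@dataclass(frozen=True)
class Rule:
    rule_id: str
    dst: IPv4Net
    src: IPv4Net
    ports: frozenset[int] | None     # None = any port
    action: str                      # "allow" or "deny"


def build_microperimeter(assets: list[Asset]) -> list[Rule]:
    """Restricted assets get explicit allow rules and a default deny; other
    assets are left to the campus-wide policy, which this demo does not model."""
    rules: list[Rule] = []
    for asset in assets:
        if asset.classification != "restricted":
            continue
        dst = ipaddress.ip_network(asset.network)
        for i, (src, ports) in enumerate(asset.allowed_sources.items()):
            rules.append(Rule(f"{asset.name}-allow-{i}", dst,
                              ipaddress.ip_network(src), frozenset(ports), "allow"))
        rules.append(Rule(f"{asset.name}-default-deny", dst,
                          ipaddress.ip_network("0.0.0.0/0"), None, "deny"))
    return rules


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """First matching rule wins. Flows to assets with no microperimeter fall
    through as ('allow', 'outside-perimeter')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if dst in r.dst and src in r.src and (r.ports is None or dst_port in r.ports):
            return r.action, r.rule_id
    return "allow", "outside-perimeter"


def process_flows(rules: list[Rule], flows) -> list[str]:
    """Evaluate each flow and return one JSON log line per flow, so attempts
    against restricted data are recorded wherever the asset lives."""
    records = []
    for src_ip, dst_ip, dst_port in flows:
        action, rule_id = evaluate(rules, src_ip, dst_ip, dst_port)
        records.append(json.dumps({"src": src_ip, "dst": dst_ip, "dport": dst_port,
                                   "action": action, "rule": rule_id}, sort_keys=True))
    return records


# Constructed inventory: two restricted data stores, one on-prem and one in the cloud.
INVENTORY = [
    Asset("sis-db", "10.20.5.10/32", "on-prem", "restricted",
          {"10.20.1.0/24": [5432],        # student portal web tier
           "10.90.0.0/24": [5432]}),      # cloud backup subnet
    Asset("analytics-bucket-proxy", "10.90.2.0/24", "cloud", "restricted",
          {"10.20.1.0/24": [443]}),
    Asset("web-portal", "10.20.1.20/32", "on-prem", "internal"),
    Asset("www", "10.20.1.30/32", "on-prem", "public"),
]

# Constructed flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.20.1.20", "10.20.5.10", 5432),   # portal to SIS database: permitted
    ("10.30.44.8", "10.20.5.10", 5432),   # wireless client to SIS database: denied
    ("10.20.1.20", "10.20.5.10", 22),     # portal to SIS over SSH: port not allowed
    ("10.90.0.5", "10.20.5.10", 5432),    # cloud backup host: permitted
    ("10.30.44.8", "10.90.2.7", 443),     # wireless client to cloud analytics: denied
    ("10.30.44.8", "10.20.1.30", 443),    # public web server: outside the perimeter
]

if __name__ == "__main__":
    for line in process_flows(build_microperimeter(INVENTORY), SAMPLE_FLOWS):
        print(line)
```

Two design points carry over to real deployments: the deny rule is generated per restricted asset rather than relying on an implicit default, so a gap in the inventory never silently opens a data store; and every flow, allowed or denied, produces a log record, which is the "good log information" Biever asks for when planning a response.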
