Drinking from the Fire Hose in 2011: Thoughts on Network Security on College/University Campuses
The campus network is home to thousands of student residents while at the same time hosting key administrative servers containing private personal information. Yet in most universities the network administrators are expected to maintain an "open network environment" that allows free access in and out of the campus.
With the winding down of this current semester in December and the holiday season nearly upon us, tens of thousands of students will return to campuses around the country in early 2011 with newly acquired consumer devices such as iPhones, iPads, iTouches, etc., and IT administrators are expected to support these new devices and deal with the security concerns that follow.
The nature of the average student's Internet usage -- gaming, file sharing, youthful recklessness -- puts them directly in harm's way. Matters are even worse at technical schools such as Georgia Tech where every student has a computer and knows how to use it to make mischief.
So after staring at university attack traffic for several hours the other day I thought "If I had to administer a university environment what would my Top 5 Security Initiatives look like? My list goes something like this...
- Students and faculty should read and understand a "Minimum Security Standards" policy for computers and WLAN-connected devices. Strong passwords, acceptable software lists, policies on unauthenticated services such as open HTTP proxies and SMTP relays, that sort of thing. UC Berkley has a great example here.
- Invest in an Intrusion Prevention System such as HP's Tipping Point technology. Inline IPS provide excellent front line defense for filtering Internet attack traffic while preserving the overall feel of an "open network". The IPS acts as a "scrubber" for whole campus. It doesn't defeat every attack but it cleans up a vast majority of the more popular attacks of the day.
- Build a vulnerability scanning system using an open source app such as Open VAS or invest in a commercial scanner such as Tenable System's Nessus. Use the information discovered in the scan to audit for compliance to Initiative #1.
- Make use of NetFlow or sFlow for network visibility and anomaly detection. Flow technology found in routers and switches can provide deep insight into network usage (what's a 512 takedown again??) while detecting DoS attacks, excessive bandwidth use, file sharing, botnets, and worms of all types.
- Be like Comcast and give away free anti-virus software such as Norton Security Suite. The Comcast folks figured out that spending a bit of cash to purchase a site license for all their subscribers was cheaper than the support calls generated by compromised machines. Smart move.
2011 promises to be a challenging time for IT administrators in keeping an ‘open’ environment while at the same time protecting against vulnerabilities to the network that can have a lasting impact. All IT administrators should be diligent about investing in technologies that give them the best chance to keep the hackers at bay and the campus network secure.
Adam Powers is a CTO at Lancope. He has a decade of operational and engineering experience in enterprise IP security technologies and commands a considerable amount of expertise in datacenter network design, IP flow analysis techniques, content delivery networks, and enterprise network security planning and management.