Tightening IT Security
Viruses and worms have attacked every college and university network. Predictably, almost all colleges and universities use some virus protection software, spam filtering and/or firewalls to try to protect IT networks. Still, the attacks keep coming, as do the security breaches.
A recent security breach at Carnegie Mellon University (Pa.) may have compromised the personal information of 5,000 students, employees and graduates of the Tepper School of Business. This incident, which happened in early April and was made public almost two weeks later, is only one of a slew in higher education.
Protecting data is the main challenge at colleges and universities, says Rodney Petersen, security task force policy analyst for EDUCAUSE. "It is no longer about just securing a mainframe on campus. Now with servers and clients and the ability to download, it is really the information that is critical." In the early days of IT--which dates back to the early- to mid-1990s--data storage was monolithic. Security was addressed in a uniform manner.
"The magic solution to everyone's security issues was having a strong perimeter firewall." Today, information is distributed and decentralized. "A perimeter firewall isn't going to do it--not by itself." Some IT security systems are counting on "personal" firewalls to protect individual computers. This takes protection against viruses and worms to the most granular level. Still, though, it will be a while before the personal firewall is mainstream.
Petersen and the EDUCAUSE Security Task Force call for IHEs to conduct routine analyses of their networks. Getting a clear idea of an IT system's security weaknesses is what the EDUCAUSE Security Task Force calls doing "defense in depth." (The Security Task Force outlines its recommendations on the EDUCAUSE website.) EDUCAUSE's Center for Applied Research (ECAR) suggests the risk assessment process be divided into three phases:
An analysis that lists all constituent user groups: academic (including research), administrative, clinical and residential.
A look at critical areas and practices, taking into account backup procedures in the wake of natural disasters.
A review of risk assessment in relation to the entire institution.
Granted, it will take time to do such assessments, and to build in the scheduling to keep reviewing security. But the higher education sector must start creating such standards, says Petersen.
Meanwhile, colleges and universities have turned to various systems and software suites to help secure their data.
Coppin State University (Md.), a historically black university with 4,000 students, added several safeguards to its security system with Nortel Networks' Threat Protection System (www.nortelnetworks.com). Coppin's IT team beta tested the system before purchasing it earlier this year. Prior to the Nortel installation, Coppin relied only on a firewall to filter data coming into its system, says Ahmed El-Haggan, vice president of IT.
Nortel's technology not only monitors what is supposed to be happening on the system, but it also offers "remediation." By this, El-Haggan means that the system can self-monitor, identifying an intrusion and shutting down all or part of the system if needed. "Prior to this beta test we didn't have this type of intrusion protection," he says. "We saw problems after they happened." Datalogs would list worm and virus attacks after the fact.
In one instance, a worm from a student's laptop infected other machines, until significant damage was done to the residence hall IT network. "We had to clean the system," says El-Haggan. The new threat protection can spot such problems before they can do damage.
Nortel charges a flat rate per system. Its TPS-2050-Intrusion Sensor starts at $14,995. The TPS-2070-Defense Center costs $24,995. TPS-2070-Intrusion Sensor is priced at $29,495. The company charges annually for technical support, patches, updates and new releases.
The University of Miami (Fla.) protects its wireless network, installed in 2000, with a multi-tiered authentication system. The precautions are necessary, especially for a university-based system. Higher ed systems typically provide access to a large number of mobile users who also, in turn, use their own equipment. It isn't uncommon for a small number of IT staffers to support hundreds, or thousands, of users.
Wireless networks are known for "bleeding over to all areas," observes Buddhi Abeysekera, manager of network engineering for the University of Miami. "Because of the nature of the medium, we were worried about hacking," he acknowledges. Which is why it is important for the network to be protected by a good identification system, allowing only registered students, administrators and faculty to access specific data.
If a wireless network is not secured, unauthorized users also can piggyback on it. Abeysekera saw this firsthand when the university's wireless network was still in its beta test. "Someone could go to the TGIF restaurant across the street and use the wireless network," he acknowledges.
Adding to the challenge is the U of M's wireless network for its School of Medicine. Hospital networks are similar to university networks in that they, too, support large numbers of users who access data with their own PCs or other devices. This particular wireless network is affiliated with five local Miami hospitals, which employ a total of 13,000 medical professionals and administrators. Students, visitors and patients also are users.
"We're a city of Miami hotspot for the whole hospital community," says Frank Rodriguez, network manager for the U of M's School of Medicine.
Abeysekera and staff use EdgeWall by Vernier Networks (www.verniernetworks.com) to protect their wireless networks. Vernier offers a multi-tiered authentication system, he notes.
Wireless network users--including administrators, students and faculty--must register the MAC addresses, also known as media access control addresses, of their PCs and PDAs. Each MAC address is a unique identifier. Registered users are then redirected to a secure portal every time they log on to the wireless network. The portal is an encrypted webpage that asks each user for a name and password.
Abeysekera adds that EdgeWall also checks for viruses, locks out inappropriate users and performs other security tasks.
Rutgers University (N.J.) relies on an application called the Bluesocket (www.bluesocket.com) to protect its wired and wireless networks. Ken LeCompte, systems programmer and administrator, describes the device's utility in simple terms. Bluesocket creates a secure gateway between the university's wired and wireless environment, he says. Authorized users can log on at any point on campus and access the network.
Basically, the Bluesocket monitors all traffic. Rutgers has two goals in providing such security. First off, the university is protecting users from each other, shutting out any user who introduces a virus or worm in the system. More importantly, the application ensures user privacy. "It is not that we have a bunch of criminals on campus, but we do have curious people," he says. "Kids in high school sniff systems to find e-mail passwords, or sniff traffic on the wireless network."
The Bluesocket utility also allows the Rutgers IT department to monitor who is using the network. "This is important because universities have a big problem with file sharing," says LeCompte. University IT directors put up barriers to inappropriate file sharing, but users will always look for ways to push beyond them, he says. "At Rutgers we've said we are going to use our best efforts to put a limit on use."
If users move more than 2.5 gigabytes of information during a seven-day period, they are shut down. LeCompte notes that this is a large amount of data. It would take a user downloading 800 MP3 files in a seven-day period to trip the alarm. Such quotas, enforced in 2003, ensure quick network speed for everyone.
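The seven-day transfer quota described above can be checked from per-user accounting records. The following is an added example, not code from Rutgers or Bluesocket; it assumes a rolling seven-day window, decimal gigabytes, and a hypothetical record format of (timestamp, user, bytes moved), and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUOTA_BYTES = int(2.5 * 10**9)      # 2.5 GB from the article; decimal GB is an assumption
WINDOW = timedelta(days=7)          # "seven-day period", treated here as a rolling window


def find_quota_violations(records, quota=QUOTA_BYTES, window=WINDOW):
    """Return {user: time the rolling-window total first exceeded the quota}.

    records: iterable of (timestamp, user, bytes_moved) in any order.
    """
    recent = defaultdict(deque)     # user -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)       # user -> bytes currently inside the window
    tripped = {}
    for ts, user, nbytes in sorted(records):
        q = recent[user]
        # Expire transfers that have aged out of the window ending at ts.
        while q and q[0][0] <= ts - window:
            totals[user] -= q.popleft()[1]
        q.append((ts, nbytes))
        totals[user] += nbytes
        if totals[user] > quota and user not in tripped:
            tripped[user] = ts
    return tripped


def sample_records():
    """Constructed accounting records (not real data): (time, user, bytes)."""
    day = lambda n: datetime(2003, 9, 1) + timedelta(days=n)
    mb = 10**6
    return [
        (day(0), "alice", 900 * mb), (day(2), "alice", 900 * mb),
        (day(5), "alice", 900 * mb),                      # 2.7 GB within 7 days
        (day(0), "bob", 1200 * mb), (day(4), "bob", 1200 * mb),
        (day(8), "bob", 1200 * mb),                       # day-0 transfer has expired
        (day(1), "carol", 300 * mb),
    ]


if __name__ == "__main__":
    for user, when in find_quota_violations(sample_records()).items():
        print(f"{user} exceeded the quota at {when:%Y-%m-%d}")
```

A fixed calendar-week window would let a user move nearly twice the quota across a week boundary; the rolling window used here closes that gap at the cost of keeping per-user history.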