Network Security: Stand & Deliver

• By Matt Villano
• 09/26/06

It’s time to strengthen network defenses, but which solutions really work? Take your cues from these campus technologists, and take notes.

October is national Cyber Security Awareness Month (visit the National Cyber Security Alliance), and for the world of higher education, that means it’s high time to take a look at defense systems and plan for the future.

Clearly, more planning is needed now than ever before. According to the majority of IT market research firms, phishing and identity theft have leapfrogged spam and spyware as top concerns; viruses and e-mail worms are at an all-time high; and other affronts to the network (such as distributed denial of service— DDoS—and zombie, or “botnet,” attacks) are occurring with greater and greater frequency. Even hackers are getting in on the act: A recent USA Today review of 109 computer-related security breaches reported by 76 college campuses since January 2005 found that 70 percent involved hacking of one form or another.

Faced with this multitude of threats, security administrators across higher education are fighting back on four major fronts: the perimeter, inside the network (internal), e-mail, and the administrative level. While perimeter defenses revolve around next-generation firewalls, internal network strategies focus on something called “cooperative enforcement” to make sure endpoints are secure. E-mail security is its own beast altogether, and at the administrative level, security experts are implementing a mix of penetrationtesting and security-event-management tools to identify and repair security problems proactively. These are groundbreaking security strategies that work.

Fortifying the Perimeter

Talk about headaches. Security administrators at West Virginia University were reaching for the aspirin just about every day last year, as the campus network was constantly under attack by unwanted and malicious network traffic, including viruses and worms. Timothy Williams, WVU’s director of telecommunications and network operations, remembers that at one point, his IT team incurred a significant drop in staff productivity due to a required focus on cleaning computer systems of these infections. These technologists needed serious help in fighting the threats they faced, but they didn’t want a solution that would compromise network performance.

Finally, the WVU team settled on three perimeter devices from Fortinet. The devices, FortiGate 3600s, were positioned at the internet gateway to scan all traffic coming into and going out of the campus network. Administrators programmed the tools to flag all traffic with viruses, intrusions, and other security threats. Because the tools are powered by application-specific integrated circuit (ASIC) microchips specifically designed to perform security checks, they were able to parse through web traffic in no time. Williams says his team reaped the benefits of this new approach almost immediately.

“Since deploying the systems, we have reduced the number of [threats],” he says, noting that team members have reduced the number of problem systems from 48 per day, to no more than five. Williams adds that the devices are also saving the IT department “significant time and money in support costs, and allowing us to better focus our efforts on academic pursuits.”

At George Washington University (DC), technologists recently implemented similar technology from Reconnex to ensure that certain internet traffic complied with federal privacy regulations laid out in the Gramm-Leach-Bliley Act of 1999. This tool, dubbed iGuard, sits on the network perimeter and scans all outgoing web traffic for sensitive files or data that could violate the law. In particular, the tool searches e-mails and Microsoft Office files for sensitive information such as Social Security and credit card numbers. If the device identifies something that violates campus policy, it blocks the message and notifies the sender immediately.

As a result of safeguarding this private information, Amy Hennings, assistant director of information security, says iGuard has become the school’s primary defense against identity theft. Because it was installed just this summer, however, the solution is still too new for GWU to determine how well it’s working. Eventually, says Hennings, the tool will make the network more secure by keeping private information from passing over the network perimeter. In the meantime, she notes, campus skeptics have questioned whether the school is invading the very privacy it’s trying to protect. Her team has worked hard to fight this perception.

“We want to make sure that everyone knows we’re not interested in reading their e-mails,” she says. “We just want to make sure all of the e-mails satisfy compliance requirements.”

Securing the Interior

Blocking certain traffic at the perimeter is one thing; administering security protocols inside the network is something else entirely. At the University of California-Berkeley, officials in the department of electrical engineering and computer sciences recently piloted a network access control (NAC) appliance from FireEye to determine which users could gain access to certain portions of the campus network. Network Manager Fred Archibald says the FireEye 4200 tool mirrors network traffic and quarantines any machine it suspects to be a security threat, until that device can prove it is safe.

Also in the San Francisco Bay Area, in the Contra Costa Community College District, technologists recently have launched a different type of quarantine effort, courtesy of a secure sockets layer (SSL) virtual private network (VPN) from NeoAccel. The product, dubbed SSL VPNPlus, scans outside users as they log in to the campus network through the VPN, and disallows access to those machines that do not carry all of the latest antivirus and anti-spyware technology. The system then pushes these tools onto the users’ computers and forces them to upgrade before granting access. According to Katherine Ogden, network technology manager, the process has made the entire network safer.

“We haven’t had any kind of virus outbreak on our network since we started using it,” she says, noting that the product has been running for about a year. “Another benefit: Our users appreciate being told that they have these issues—issues that will affect the security of their machines.”

IT officials at Colby-Sawyer College (NH) are embracing similar strategies to secure the inside of their network, but because the college operates on a limited budget, officials have turned to less expensive technologies. In fact, Scott Brown, information security analyst at the 1,000-student school, says the department recently put forth a concerted effort to ditch all of its big-name security vendors and embrace innovative, off-the-beaten-path companies.The effort replaced a popular antivirus product with software called Nod32 from ESET; it also involved a trio of new products from PA-based developer/reseller Classic Networking.

The first of these products, Classic Networking’s own Client Assessment Tool (CAT), scans remote computers to make sure they comply with all of the school’s latest security policies. Next, a tool called the ResNet Policy Manager from MSI Software provides the school with the ability to register users and enforce the school’s policy for Windows Updates, antivirus and anti-spyware efforts, and more. Completing Colby-Sawyer’s new triad is the NitroGuard intrusion prevention system (IPS) from NitroSecurity, which uses a correlation engine to identify security threats within the network and isolate anomalous network activity before problems can occur.

“While we spent hours configuring our system under the old approach, our new solutions take care of almost everything automatically,” says Brown. “That each of these products can retrieve information from the others is a great benefit.”

Protecting E-mail

Because so many security threats travel via e-mail, one of the best ways to secure a network is to make certain that e-mail is safe. In the interest of simplifying management and cost, many schools handle this by opting for unified threat management (UTM) appliances from vendors such as Check Point Software Technologies and Internet Security Systems. These tools combine anti-spam and antivirus technologies with firewall, VPN, IPS, and intrusion detection systems (IDS) to provide an all-in-one solution. By and large, they are worthwhile methods of defending e-mail and a variety of other network functions.

Other schools, however, opt for standalone appliances to handle nothing but e-mail. At Winthrop University (SC), technologists recently installed a Razor- Gate MailHurdle e-mail appliance from Mirapoint to scan for all sorts of viruses and spam. According to Jim Hammond, associate VP of IT, the device also enables administrators to scan for “graylisted” e-mails, or e-mails that may be of suspicious origin. Based upon preset heuristics, if the tool suspects a sender may be a spammer, it will automatically send a “challenge” e-mail that requires response before the message is processed. Most spam systems cannot respond to this request. “Legitimate e-mail systems have automatic retries written into them,” explains Hammond. “Graylisting is a way to make sure the sender is legitimate.”

There’s more than one way to guarantee e-mail traffic is secure, and at the University of Wisconsin-Madison, academic technologists have tethered their efforts to an encryption technology known as public key infrastructure (PKI). In general, PKI systems are run by a certificate authority (CA) server that issues digital certificates to authenticate the identity of organizations and individuals over the network. Nick Davis, the school’s PKI administrator, says that at UW, these certificates also are used to sign messages digitally, a process that proves and ensures system e-mail messages have not been tampered with.

Wisconsin’s PKI infrastructure is a hodgepodge of homegrown and vendor solutions. After building certain components of the system themselves, the IT department started issuing digital certificates in September 2005 with the True Credentials system from GeoTrust. Today, the certificates are available to roughly 450 faculty and staff users. While these users are not required to use certificates, the school has developed a policy that encourages users to do so under certain circumstances. Davis notes that those who send mass e-mails, for instance, are asked to sign the notes digitally as proof that the blasts are not spam.

“We’ve taught our users to understand that when an e-mail comes in with a red exclamation point that says it’s not trusted, they ignore it or throw it away,” he says, adding that each user’s certificate is good for one year, and that GeoTrust also provides off-site certificate escrow to keep track of which certificates go where. “This takes trusted e-mail to a whole new level,” says Davis.

Managing the Whole

The assumption with technologies such as PKI is that nothing is safe unless proven otherwise. Many schools, however, take the opposite approach, assuming that systems are safe unless they can find a hole. The act of finding these weaknesses usually revolves around processes such as vulnerability management and penetration testing. In both scenarios, network administrators deploy security tools to act like hackers and scour a network for chinks in its armor. The open source movement has led to the development of a number of free tools for this purpose (see “Behind the DShield,”and “Tools of the Trade”), but a variety of vendors sell proprietary solutions as well.

One of those for-profit solutions is Core Impact from Core Security Technologies. At the University of North Florida, technologists recently deployed this tool to automate the penetration testing methods previously carried out by hand. In the past, this process was essentially a full-time job. Today, the Core Impact device continuously pings servers and firewalls on the network to discover weaknesses. Jeff Durfee, assistant director of information security, says that when the new system discovers a weakness, it alerts network administrators and suggests patches to make the defenses as good as new.

“Fixing problems still rests with us,” says Durfee. “But knowing this product is constantly testing our network to find [problems] makes us feel more comfortable with the defenses we have.”

Up Next…

Many schools see tools such as vulnerability assessment apps falling into a new category of security solutions: security event management (SEM) software. Generally, this technology combines vulnerability assessment with packet monitoring, intrusion detection and prevention, and a reporting engine to present findings coherently. Still, like penetration testing tools, SEM tools only find problems; they don’t fix them. Yet, when SEM software is working adequately, it can centralize a number of security features, making it easier for network administrators to manage a variety of functions.

Recent reports from Gartner indicate that it can cost up to $400,000 to implement an off-theshelf SEM system. At Boston College (MA), however, technologists recently took matters into their own hands, developing their own system to manage security events. The new product is built in XML and Java. David Escalante, director of computer policy and security, says that while it isn’t perfect yet, it has improved visibility of security events across the network as a whole, enabling IT administrators to be more proactive about the enhancements they choose to make.

“If you’re securing your network adequately, you’ve got a bunch of machines generating a ton of data almost every hour,” Escalante says. “We’re just trying to manage this information constructively, and hope to figure out a way to make it more useful than ever before.”

WEBEXTRA :: More on the perennial fight against viruses and spam, click here.