Product Focus | Feature
Firewalls and Filtering Tools
Social media and mobile devices are forcing major changes in how institutions protect their networks and their users. And the battle is only getting started.
Until recently, internet security was like a castle with a moat: a crude perimeter to keep out attackers and other threats. Gatekeepers could generally tell friend from foe, although they could certainly be fooled.
With the advent of web 2.0 applications and the proliferation of mobile devices, however, internet security has had to evolve rapidly. For higher ed institutions, customization has become an increasingly important aspect of security suites. Firewall and filtering tools must now be flexible enough to serve the varied needs of students, faculty, staff, and guests, and must also address emerging security threats on mobile devices.
"In the old days, firewalls were binary--allow or not allow," says Brian Contos, director of global security strategy and risk management at McAfee, an internet security provider. "Now, it's a lot more like clay than Legos."
Take Facebook, for example. The site is a conduit to hundreds of applications ranging from games to networking, with access points for music and entertainment services. Rather than block Facebook entirely, Contos says, schools may want to target specific apps that open the network up to malware and put a strain on network resources, degrading bandwidth and slowing e-mail.
Indeed, social networking sites provide rich pickings for cybercriminals. In 2010, an ingenious ruse involved shortened URLs. Although these abbreviated URLs are commonly used to link to legitimate web addresses, hackers posted millions of these shortened links on networking sites as part of phishing and malware attacks, according to a recent report by Symantec, an internet security provider.
The attackers leveraged the news-feed capabilities of popular social networking sites to distribute the attacks en masse. By logging onto a compromised account and posting a shortened link to a malicious website, the hackers spread the link to the victim's friends within minutes. The attack was by no means a rare event. Last year, 65 percent of malicious links in news feeds monitored by Symantec used shortened URLs. Of these, 73 percent were clicked 11 times or more, while 33 percent received between 11 and 50 clicks.
To fight against such threats, internet security vendors analyze billions of files, e-mails, and malware to categorize and determine their "reputation" in the cloud, and automatically update the firewall and filters of their customers in response.
Security vs. Access
Schools must balance the need to protect their networks from intrusions, malicious code, and spam e-mail, while still giving their users the freedom to participate in wikis, YouTube, Facebook, Twitter, and other social networking and content-sharing sites.
To that end, experts say, IT staffers should pursue security solutions that allow them to set policies for different groups--faculty, students, and staff--with granular, rather than wholesale, restrictions.
"The goal is to give students an internet life similar to what they could expect in a private apartment with an internet connection from a local ISP," says Seth Shestack, associate director of information security at Temple University in Philadelphia. "We block illegal file-sharing traffic and very little else."
Ideally, schools should also be able to review and grant access to sites on the forbidden list, if students or researchers petition why they need the information. "These tools have the flexibility to give teachers and administrators the ability to override blocked content," says Mike Maxwell, head of state, local, and education public sector issues at Symantec.
For administrative systems at Temple, though, the security bar is set higher. "We don't allow in outside traffic other than what is dictated by absolute business needs," comments Shestack.
Temple takes a multilayered security approach, with various control points inside and outside its Check Point enterprise-level firewall, including Blue Coat PacketShaper and IBM's intrusion-prevention system. Every computer within the university network also runs Symantec's internet security solution, which includes an antivirus engine and desktop firewall that checks the health of the PC.
Students living in residence halls who connect their own computers to the network must run the Symantec product, provided by Temple, which buys the licenses. Regardless of whatever security protections are installed on student devices, wireless access for students is limited to commodity internet, such as web surfing and e-mail--functions that are kept separate from the university's confidential, proprietary data.
The Mobile Threat
Unfortunately, the use of mobile devices to access university networks is becoming a major security headache--and a problem that is only expected to get worse during the next year. On campuses today, IT administrators are contending with a multitude of personal devices--smartphones, tablet computers, and more--used to access sensitive information such as grades, healthcare, and payroll.
"How can organizations rein in devices they don't control?" asks Lenny Zeltser, who leads the security consulting team at Savvis, which provides managed-computing and network-infrastructure solutions.
The general consensus is that mobile devices are vulnerable. Mobile system architecture "hasn't benefited from being battlefield tested for years and years, which is the case with desktop operating systems," explains Zeltser. "When attackers focus on the mobile platform, they get a lot of bang for their buck."
For example, hackers have unleashed malware on phones that allow them to charge for calls that were never made and text messages that were never sent. In the last year, the threats have become more sophisticated, as social media spreads to phones and botnets allow the rapid infection of users' entire contact lists.
"Mobile devices are a natural extension of the campus network," says Gerhard Eschelbeck, chief technology officer at Webroot, an internet security provider. While the threat to colleges and universities remains in the early stages, "the bad guys are working on it."
According to Eschelbeck, schools must have complete coverage on the gateway side, with filtering on inbound traffic. In addition, he advises schools to consider a mandate that security solutions reside on all mobile devices.
Such recommendations come with their own issues: Does the onus for compliance rest with device owners or should the institution purchase licenses to issue users? "It's a difficult challenge, and there's been a lot of discussion," says Temple's Shestack.
Temple is developing its own mobile security, through its academic computing center. Created during the 2010-11 school year and launched this spring, the TUmobile app is available on BlackBerry, Android, and iPhone platforms. For now, functionality is limited to non-proprietary information, such as the shuttle bus schedule, the events page, and athletic schedule; eventually, students may be able to check grades and register for classes.
"That's where the application is headed in the future--it's not there yet, but it's coming," says Shestack. "We have a whole team working on it. We have to be comfortable and confident that our security posture can protect the data on these devices."
Securing a mobile device presents different challenges from the well-established solutions for PCs. For starters, phones have lower processing power and limited battery life, so the security apps must be small. As a result, much of the "heavy lifting" must take place in the cloud, says Alicia diVittorio, director of marketing at Lookout, a startup that currently provides mobile security and antivirus smartphone protection for Android, BlackBerry, and Windows Mobile devices.
Lookout's solution, available free and in a premium version for Android, scans every app for malware and spyware, and offers such features as backup and restoration of data, a phone locator, and a remotely activated lock if the device is lost or stolen.
Schools can also adopt some fairly simple precautions of their own, as well as educate their campus populations about the dangers. For example, schools can insist that users password-protect their phones, and remind students to evaluate mobile apps before downloading them. Users should pay attention to who the developer is, the number of reviews the app has received, and whether the reviews are good.
Finally, users shouldn't log onto password-protected sites--their school's, say--while on a public WiFi network, where they may be vulnerable to eavesdropping sniffers that can read the data they send and receive.
"It's not just about their own personal information, but the entire network's," warns diVittorio.