Securing the Academic Network: Intrusion Prevention

An academic network is one of the most difficult networks to secure and maintain. It must be open and accessible—much more so than networks in corporate, government, or private sectors. The academic network is designed to facilitate the flow of knowledge. Faculty and students must be able to pursue intellectual inquest with minimal restraint.

This poses a difficult dilemma for campus network administrators. The open nature of academic networks inevitably comes into conflict with the requirements of network security. Campus networks contain highly sensitive information—personnel and financial data on students and their families, academic and administrative records, and high-value research and intellectual property. Network administrators must find the balance point between open access and security.

Striking this balance is critical, but it’s not the only security challenge campus IT departments face. Other high-priority issues include:

  • Liability. The explosive growth of Peer-to-Peer (P-to-P) file sharing on campus has introduced significant security and liability concerns, most notably in the area of copyright infringement. P-to-P networks and file sharing have opened the door to charges of copyright violations and high-profile litigation. Student-launched network attacks also raise liability concerns. Campus IT departments must avoid being found complicit in enabling illegal student activity.
  • Distributed authority. IT staff are directly responsible for information security, yet lack the authority to dictate security policies. Often each academic department creates its own access policies, yet the campus IT group typically bears ultimate responsibility for the security and functioning of the network. The IT group must operate in an environment of decentralized network authority, while maintaining centralized responsibility for the health of the network.
  • Budgets and bandwidth. Growing demand for bandwidth continually strains budgets and resources. Shoestring IT budgets are the norm on college campuses. Yet the educational process is now dependent on the Internet. With wireless networks sprouting up in dormitories and P-to-P usage increasing exponentially, network management and bandwidth costs are on the rise.
  • Varied skill sets. Campus IT staffs are overwhelmed with responsibilities and typically operate with limited resources and skill-sets. Students are often recruited to help ease the burden, but they may not have the requisite skills or depth of experience.

Maintaining the integrity and security of confidential information on the network, while allowing access to thousands or tens of thousands of users, creates unique problems for the campus IT staff and network administrators.

Network Security at Susquehanna
Susquehanna University is located in central Pennsylvania and serves a student body of approximately 1,800. We maintain 30 network servers (file servers, domain controllers, DHCP servers, etc.) with close to 3,000 end-point workstations among students, faculty, and laboratories.

Security is one of the 14-person IT group’s primary concerns. We undergo an extensive third-party audit every two years and continually update our network and policies based on the audit results. Although we have long relied on a firewall to provide basic perimeter security, a recent audit recommended implementing an intrusion detection system (IDS) to better monitor and respond to network attacks and other potentially harmful traffic.

Policies in Perspective

University policy prohibits all music and DVD sharing. This is solely driven by liability and copyright issues. The IT group simply can’t be perceived as fostering an environment that facilitates the duplication and transfer of copyrighted material.
Although we can’t lock down the workstations on our network with the same control non-academic organizations can, we require student-owned machines to meet certain requirements. Before we issue student machines an Internet Protocol (IP) address and allow them on the network, their workstations must:

  • Register on the campus network;
  • Conform to a standardized naming convention;
  • Provide us with their unique hardware address.

This gives us the ability to pinpoint any specific problems or suspicious activity and take appropriate action. We also periodically scan all workstations for malicious applications and services, such as hacking software. If any such programs are found, we terminate the network connection to the non-compliant machine.
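The admission check described above, written out as an added example (this is not the university's actual registration system; the naming convention, the registration records and the hardware addresses are all constructed for illustration). It normalizes the hardware address across the notations students typically type in, checks the hostname against the convention, and looks the address up in the registry, reporting the first condition that fails so the help desk can act on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical naming convention (an assumption for this example, not the
# university's real one): <role>-<owner id>-<building>, e.g. "stu-jdoe42-smith".
NAME_PATTERN = re.compile(r"^(stu|fac|lab)-[a-z][a-z0-9]{2,15}-[a-z]{2,12}$")

# Constructed registration records: hardware address -> registered hostname.
REGISTRY: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "stu-jdoe42-smith",
    "00:1a:2b:3c:4d:5f": "fac-asmith-math",
}


def normalize_mac(raw: str) -> Optional[str]:
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff, or None if malformed."""
    s = raw.strip().lower()
    if not (re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", s)
            or re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", s)):
        return None
    digits = re.sub(r"[:.\-]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Decision:
    admit: bool   # whether the machine may receive an IP address
    reason: str   # why, so the help desk can act on it


def admission_decision(raw_mac: str, hostname: str,
                       registry: Dict[str, str] = REGISTRY) -> Decision:
    """Apply the three conditions in order; the first failure is the reason reported."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return Decision(False, "malformed hardware address")
    if not NAME_PATTERN.match(hostname):
        return Decision(False, "hostname violates naming convention")
    registered = registry.get(mac)
    if registered is None:
        return Decision(False, "hardware address not registered")
    if registered != hostname:
        # Same adapter, different name: a renamed machine or a cloned address,
        # either of which the IT group wants to look at before admitting it.
        return Decision(False, "hostname does not match registration")
    return Decision(True, "ok")


if __name__ == "__main__":
    for mac, name in [("00-1A-2B-3C-4D-5E", "stu-jdoe42-smith"),
                      ("001a.2b3c.4d5f", "fac-asmith-math"),
                      ("00:1a:2b:3c:4d:60", "stu-xyz99-reed"),
                      ("00:1a:2b:3c:4d:5e", "stu-other1-reed"),
                      ("00:1a:2b:3c:4d:5e", "JohnsLaptop"),
                      ("not-a-mac", "stu-jdoe42-smith")]:
        print(mac, name, admission_decision(mac, name))
```

Checking the name before the registry lookup means a machine with a registered adapter but a renamed host is still refused, which is the case that matters when a hardware address has been copied from another machine.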

Intrusion Detection and Prevention
Because we have very little control over student and faculty workstations, we maximize our usage of the firewall and IDS to secure the network. The IDS solution we implemented, StillSecure Border Guard, is both an IDS and an intrusion prevention system (IPS). The IPS features allow us to terminate harmful traffic before it enters or exits the network. It continuously monitors all traffic at our connection to the Internet and can instantaneously identify and terminate attacks and malicious traffic.

Like a firewall, the IDS/IPS system lets us create rules that govern the types of traffic permissible on the network. When impermissible traffic is detected, the system treats it just like an attack and takes appropriate action. This allows us to automatically block any traffic that might expose the university to liability claims, such as file sharing and P-to-P activity.
The IPS also allows us to customize and automate the response to each detected attack or questionable packet of traffic. Depending on the severity of attack or policy violation, we can instantly terminate the traffic, block the machine that is sending or receiving the data, or simply alert network administrators that suspicious activity is occurring.
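The severity-driven response policy described in the two paragraphs above, as an added example that is not part of the original article and does not use Border Guard's own rule language or default policy. The rule format, the severity scale, the escalation threshold, the port number used for the file-sharing rule and all sample traffic are constructed for illustration. It shows how the same engine handles an attack signature and a policy violation, maps severity to one of the three responses the text names (terminate the traffic, block the machine, alert), and escalates repeated alerts from one host into a block.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dst_port: int
    signature: Optional[str] = None  # name assigned by the detection engine, if any


# Constructed rule format and severity scale (assumptions for this example).
@dataclass(frozen=True)
class Rule:
    name: str
    category: str                    # "attack" or "policy"
    severity: str                    # "critical" | "high" | "medium" | "low"
    signature: Optional[str] = None  # must equal Event.signature when set
    dst_port: Optional[int] = None   # must equal Event.dst_port when set

    def matches(self, ev: Event) -> bool:
        if self.signature is not None and ev.signature != self.signature:
            return False
        if self.dst_port is not None and ev.dst_port != self.dst_port:
            return False
        return True


RULES: List[Rule] = [
    Rule("worm propagation", "attack", "critical", signature="worm"),
    Rule("port scan", "attack", "medium", signature="portscan"),
    Rule("p2p file sharing", "policy", "high", dst_port=6881),  # constructed port choice
]

# Severity -> automated response, mirroring the three options in the text.
RESPONSE = {"critical": "block_host", "high": "terminate_flow", "medium": "alert", "low": "log"}


@dataclass
class Responder:
    blocked: Set[str] = field(default_factory=set)
    alerts: Dict[str, int] = field(default_factory=dict)
    escalate_after: int = 3  # repeated alerts from one host become a block (assumption)

    def respond(self, ev: Event) -> str:
        if ev.src in self.blocked:
            return "drop_blocked_host"
        rule = next((r for r in RULES if r.matches(ev)), None)
        if rule is None:
            return "pass"
        action = RESPONSE[rule.severity]
        if action == "alert":
            self.alerts[ev.src] = self.alerts.get(ev.src, 0) + 1
            if self.alerts[ev.src] >= self.escalate_after:
                action = "block_host"
        if action == "block_host":
            self.blocked.add(ev.src)
        return action


def run(events: List[Event]) -> List[str]:
    """Feed events through one Responder and return the action taken for each."""
    responder = Responder()
    return [responder.respond(ev) for ev in events]


# Constructed sample traffic; addresses are placeholders.
SAMPLE = [
    Event("10.1.5.23", "198.51.100.7", 6881),
    Event("10.1.7.8", "10.1.0.1", 22, signature="portscan"),
    Event("10.1.7.8", "10.1.0.2", 22, signature="portscan"),
    Event("10.1.7.8", "10.1.0.3", 22, signature="portscan"),
    Event("10.1.7.8", "10.1.0.4", 80),
    Event("10.1.9.9", "10.1.3.3", 445, signature="worm"),
    Event("10.1.4.4", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for ev, action in zip(SAMPLE, run(SAMPLE)):
        print(f"{ev.src} -> {ev.dst}:{ev.dst_port} [{ev.signature or '-'}] => {action}")
```

The block list is checked before any rule, so once a host is blocked its later traffic is dropped without re-evaluating it, which is what keeps a blocked machine from generating a stream of fresh alerts.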

The system maintains a significant amount of background information on each individual attack, for example, the systems being targeted, the consequences of a successful attack, and the vulnerabilities the attack exploits. This history is extremely beneficial for determining how we should respond to each attack—it gives us the information we need to make the right decision.

Between our firewall and the IDS/IPS, we have been saved from the viruses and attacks that have brought other colleges in the area to their knees.

An Ongoing Battle
Educational institutions are in many respects at greater risk than other organizations. Their limited budgets and resources prohibit the implementation of adequate security measures. The decentralized and diverse nature of collegiate networks presents complex IT challenges.

These challenges must be managed within an educational culture built on the free exchange of information and ideas. Successful IT solutions, like intrusion detection/prevention systems, offset stretched or insufficient resources by automating processes, reducing the workload, and increasing staff efficiency.