Blocking Cyber Attacks, Increase Bandwidth

• By Thomas Danford
• 10/31/03

Founded in 1850, the University of Dayton is the largest, private university in Ohio and one of the top 10 largest Catholic universities in the United States. The university has over 70 academic programs for its 10,000 students, and is one of the most wired campuses in the country. All university housing is connected for high-speed Internet access, and all students are required to own computers.

The Problem
Like most universities, University of Dayton needed to provide open network access to students, faculty and staff. This type of exposure makes it almost impossible to stop attacks, such as Code Red and Nimda that bypass the firewall on port 80 and other well-known ports. In the early stages of the Code Red worm spreading, it was discovered that as few as five infected machines could overwhelm the core campus router. This was further complicated in that there was no way to determine if the network was under attack. The only valid strategy of blocking attacks was to apply patches before a server or workstation—allowed on the network.

Additionally, file sharing is prevalent with students using Peer-to-Peer applications to download copyrighted music and video files. This can cause legal and security risks as well as absorb significant bandwidth. University of Dayton estimates that they received a dozen letters per month threatening legal action for piracy.

The Implementation
The University of Dayton installed TippingPoint Technologies’ UnityOne Intrusion Prevention Appliance, a high-speed intrusion prevention system that blocks malicious traffic and illegal P-to-P files on the network. We immediately viewed attacks being blocked on the security management console’s attack log. Since the implementation in early 2003, the university estimates that more than one million worms, viruses, and attacks have been blocked each month. The Digital Vaccine service, which allows administrators to download new security filters to the system to protect against the latest vulnerabilities, buys administrators additional time to patch their systems.

University of Dayton’s Network Systems and Security Officer Ronnie Wagers said, “The UnityOne gives me peace of mind. I am no longer comfortable with the idea of running our perimeter defense without it.”

The intrusion prevention enables customers to block P-to-P traffic uni-directionally or bi-directionally. The University of Dayton chose to allow students to be able to retrieve shared files from outside the university network, but blocked people outside the university network from retrieving shared files located within the university. With the implementation, reports show over 1 million shared files are blocked per month, augmenting the organization’s bandwidth availability. Results from the University of Dayton show that after blocking P-to-P traffic uni-directionally, bandwidth consumption dropped from a peak of 30Mbps to a low of 17Mbps within the first 30 minutes, giving a 43 percent increase in bandwidth availability.

Value Proposition
Organizations can greatly increase their security and bandwidth availability while reducing the legal risk of piracy by blocking P-to-P file sharing applications. TippingPoint’s Peer-to-Peer Piracy Prevention feature is included in all UnityOne Intrusion Prevention Appliances and Systems. The system performs deep packet inspection through Layer 7, providing immediate protection against known threats and vulnerabilities.

The cost savings from avoiding an attack could easily reach well into the six-figure range. When calculating return on investment from an intrusion prevention solution; administrators should take into account the time required to patch a system and reboot, the time required for emergency patching (the same day as a vulnerability or exploit is published), remediation time, time to test to make sure the machine is fixed, the opportunity cost of what tasks are neglected due to remediation, decreased productivity, overtime charges or outsourced staff expenditures required to fix the infection, and damages caused from the actual attack.

All of these factors would be multiplied by the number of infected machines, which can range into the hundreds or thousands depending on the size of the organization. Our intrusion prevention system has proved to be a good investment.