Securing the Academic Network: Intrusion Prevention -- Campus Technology

Share this Page

Securing the Academic Network: Intrusion Prevention

By Susan F. Moyer
04/01/04

An academic network is one of the most difficult networks to secure and maintain. It must be open and accessible—much more so than networks in corporate, government, or private sectors. The academic network is designed to facilitate the flow of knowledge. Faculty and students must be able to pursue intellectual inquest with minimal restraint.

This poses a difficult dilemma for campus network administrators. The open nature of academic networks inevitably comes into conflict with the requirements of network security. Campus networks contain highly sensitive information—personnel and financial data on students and their families, academic and administrative records, and high-value research and intellectual property. Network administrators must find the balance point between open access and security.

Striking this balance is critical, but it’s not the only security challenge campus IT departments face. Other high-priority issues include:

Liability. The explosive growth of Peer-to-Peer (P-to-P) file sharing on campus has introduced significant security and liability concerns, most notably in the area of copyright infringement. P-to-P networks and file sharing have opened the door to charges of copyright violations and high-profile litigation. Student-launched network attacks also raise liability concerns. Campus IT departments must avoid being found complicit in enabling illegal student activity.
Distributed authority. IT staff are directly responsible for information security, yet lack the authority to dictate security policies. Often each academic department creates its own access policies, yet the campus IT group typically bears ultimate responsibility for the security and functioning of the network. The IT group must operate in an environment of decentralized network authority, while maintaining centralized responsibility for the health of the network.
Budgets and bandwidth. Growing demand for bandwidth continually strains budgets and resources. Sh'estring IT budgets are the norm on college campuses. Yet the educational process is now dependent on the Internet. With wireless networks sprouting up in dormitories and P-to-P usage increasing exponentially, network management and bandwidth costs are on the rise.
Varied skill sets. Campus IT staffs are overwhelmed with responsibilities and typically operate with limited resources and skill-sets. Students are often recruited to help ease the burden, but they may not have the requisite skills or depth of experience.

These challenges must be managed within an
educational culture built on thefree exchange of
information and ideas.

Maintaining the integrity and security of confidential information on the network, while allowing access to thousands or tens of thousands of users, creates unique problems for the campus IT staff and network administrators.

Network Security at Susquehanna

Susquehanna University is located in central Pennsylvania and serves a student body of approximately 1,800. We maintain 30 network servers (file servers, domain controllers, DHCP servers, etc.) with close to 3,000 end-point workstations among students, faculty, and laboratories.

Security is one of the 14-person IT group’s primary concerns. We undergo an extensive third-party audit every two years and continually update our network and policies based on the audit results. Although we have long relied on a firewall to provide basic perimeter security, a recent audit recommended implementing an intrusion detection system (IDS) to better monitor and respond to network attacks and other potentially harmful traffic.

Policies in Perspective

University policy prohibits all music and DVD sharing. This is solely driven by liability and copyright issues. The IT group simply can’t be perceived as fostering an environment that facilitates the duplication and transfer of copyrighted material.
Although we can’t lock down the workstations on our network with the same control non-academic organizations can, we require student-owned machines to meet certain requirements. Before we issue student machines Internet Protocol (IP) address and allow them on the network, their workstations must:

Register on the campus network;
Conform to a standardized naming convention;
Provide us with their unique hardware address.

This gives us the ability to pinpoint any specific problems or suspicious activity and take appropriate action. We also periodically scan all workstations for malicious applications and services, such as hacking software. If any such programs are found, we terminate the network connection to the non-compliant machine.

Intrusion Detection and Prevention

Because we have very little control over student and faculty workstations, we maximize our usage of the firewall and IDS to secure the network. The IDS solution we implemented, StillSecure Border Guard, is both an IDS and an intrusion prevention system (IPS). The IPS features allow us to terminate harmful traffic before it enters or exits the network. It continuously monitors all traffic at our connection to the Internet and can instantaneously identify and terminate attacks and malicious traffic.

Like a firewall, the IDS/IPS system lets us create rules that govern the types of traffic permissible on the network. When impermissible traffic is detected, the system treats it just like an attack and takes appropriate action. This allows us to automatically block any traffic that might expose the university to liability claims, such as file sharing and P-to-P activity.
The IPS also allows us to customize and automate the response to each detected attack or questionable packet of traffic. Depending on the severity of attack or policy violation, we can instantly terminate the traffic, block the machine that is sending or receiving the data, or simply alert network administrators that suspicious activity is occurring.

The system maintains a significant amount of background information on each individual attack, for example, the systems being targeted, the consequences of a successful attack, and the vulnerabilities the attack exploits. This history is extremely beneficial for determining how we should respond to each attack—it gives us the information we need to make the right decision.

Between our firewall and the IDS/IPS, we have been saved from the viruses and attacks that have brought other colleges in the area to their knees.

An Ongoing Battle

Educational institutions are in many respects at greater risk than other organizations. Their limited budgets and resources prohibit the implementation of adequate security measures. The decentralized and diverse nature of collegiate networks present complex IT challenges.

These challenges must be managed within an educational culture built on the free exchange of information and ideas. Successful IT solutions, like intrusion detection/prevention systems, offset stretched or insufficient resources by automating processes, reducing the workload, and increasing staff efficiency.