Securing the Academic Network: Intrusion Prevention

An academic network is one of the most difficult networks to secure and maintain. It must be open and accessible—much more so than networks in corporate, government, or private sectors. The academic network is designed to facilitate the flow of knowledge. Faculty and students must be able to pursue intellectual inquiry with minimal restraint.

This poses a difficult dilemma for campus network administrators. The open nature of academic networks inevitably comes into conflict with the requirements of network security. Campus networks contain highly sensitive information—personnel and financial data on students and their families, academic and administrative records, and high-value research and intellectual property. Network administrators must find the balance point between open access and security.

Striking this balance is critical, but it’s not the only security challenge campus IT departments face. Other high-priority issues include:

  • Liability. The explosive growth of Peer-to-Peer (P-to-P) file sharing on campus has introduced significant security and liability concerns, most notably in the area of copyright infringement. P-to-P networks and file sharing have opened the door to charges of copyright violations and high-profile litigation. Student-launched network attacks also raise liability concerns. Campus IT departments must avoid being found complicit in enabling illegal student activity.
  • Distributed authority. IT staff are directly responsible for information security, yet lack the authority to dictate security policies. Often each academic department creates its own access policies, yet the campus IT group typically bears ultimate responsibility for the security and functioning of the network. The IT group must operate in an environment of decentralized network authority, while maintaining centralized responsibility for the health of the network.
  • Budgets and bandwidth. Growing demand for bandwidth continually strains budgets and resources. Shoestring IT budgets are the norm on college campuses. Yet the educational process is now dependent on the Internet. With wireless networks sprouting up in dormitories and P-to-P usage increasing exponentially, network management and bandwidth costs are on the rise.
  • Varied skill sets. Campus IT staffs are overwhelmed with responsibilities and typically operate with limited resources and skill-sets. Students are often recruited to help ease the burden, but they may not have the requisite skills or depth of experience.


Maintaining the integrity and security of confidential information on the network, while allowing access to thousands or tens of thousands of users, creates unique problems for the campus IT staff and network administrators.

Network Security at Susquehanna
Susquehanna University is located in central Pennsylvania and serves a student body of approximately 1,800. We maintain 30 network servers (file servers, domain controllers, DHCP servers, etc.) with close to 3,000 end-point workstations among students, faculty, and laboratories.

Security is one of the 14-person IT group’s primary concerns. We undergo an extensive third-party audit every two years and continually update our network and policies based on the audit results. Although we have long relied on a firewall to provide basic perimeter security, a recent audit recommended implementing an intrusion detection system (IDS) to better monitor and respond to network attacks and other potentially harmful traffic.

Policies in Perspective

University policy prohibits all music and DVD sharing. This is solely driven by liability and copyright issues. The IT group simply can’t be perceived as fostering an environment that facilitates the duplication and transfer of copyrighted material.

Although we can’t lock down the workstations on our network with the same control non-academic organizations can, we require student-owned machines to meet certain requirements. Before we issue student machines an Internet Protocol (IP) address and allow them on the network, their workstations must:

  • Register on the campus network;
  • Conform to a standardized naming convention;
  • Provide us with their unique hardware address.

This gives us the ability to pinpoint any specific problems or suspicious activity and take appropriate action. We also periodically scan all workstations for malicious applications and services, such as hacking software. If any such programs are found, we terminate the network connection to the non-compliant machine.
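The sketch below is an added example, not Susquehanna's own tooling: it checks an address request against the three registration requirements and then uses the lease history to attribute an alert's source address to a registered owner. The hostname pattern, field names, and all sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime as dt

# Assumed convention (the article does not give the real one): <hall>-<room>-<user>
HOSTNAME_RE = re.compile(r"^[a-z]{2,8}-\d{3}-[a-z][a-z0-9]{1,15}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac):
    """Canonicalise case and separators so 00-1A-... and 00:1a:... compare equal."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed hardware address: {mac!r}")
    return mac

def admission_problems(request, registry):
    """Reasons to refuse an address request; an empty list means issue the lease."""
    try:
        mac = normalize_mac(request["mac"])
    except ValueError as exc:
        return [str(exc)]
    host, problems = request["hostname"].lower(), []
    if not HOSTNAME_RE.match(host):
        problems.append("hostname violates naming convention")
    entry = registry.get(mac)
    if entry is None:
        problems.append("hardware address not registered")
    elif entry["hostname"] != host:
        problems.append("hostname differs from registered name")
    return problems

def attribute(src_ip, when, leases, registry):
    """Owner who held src_ip at `when`; addresses are reused, so match the lease window."""
    for lease in leases:
        if lease["ip"] == src_ip and lease["start"] <= when < lease["end"]:
            entry = registry.get(normalize_mac(lease["mac"]))
            return entry["owner"] if entry else None
    return None

# Constructed sample data (not from the article)
REGISTRY = {
    "00:1a:2b:3c:4d:5e": {"owner": "jdoe", "hostname": "smith-214-jdoe"},
    "00:1a:2b:3c:4d:5f": {"owner": "asmith", "hostname": "reed-101-asmith"},
}
LEASES = [
    {"ip": "10.20.0.15", "mac": "00-1A-2B-3C-4D-5E", "start": dt(2024, 9, 2, 8), "end": dt(2024, 9, 2, 20)},
    {"ip": "10.20.0.15", "mac": "00:1a:2b:3c:4d:5f", "start": dt(2024, 9, 2, 20), "end": dt(2024, 9, 3, 8)},
]
```

Matching on the lease window rather than the address alone matters because the same IP can belong to different machines within a day, so an alert attributed without its timestamp can point at the wrong student.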

Intrusion Detection and Prevention
Because we have very little control over student and faculty workstations, we maximize our usage of the firewall and IDS to secure the network. The IDS solution we implemented, StillSecure Border Guard, is both an IDS and an intrusion prevention system (IPS). The IPS features allow us to terminate harmful traffic before it enters or exits the network. It continuously monitors all traffic at our connection to the Internet and can instantaneously identify and terminate attacks and malicious traffic.

Like a firewall, the IDS/IPS system lets us create rules that govern the types of traffic permissible on the network. When impermissible traffic is detected, the system treats it just like an attack and takes appropriate action. This allows us to automatically block any traffic that might expose the university to liability claims, such as file sharing and P-to-P activity.
The IPS also allows us to customize and automate the response to each detected attack or questionable packet of traffic. Depending on the severity of attack or policy violation, we can instantly terminate the traffic, block the machine that is sending or receiving the data, or simply alert network administrators that suspicious activity is occurring.

The system maintains a significant amount of background information on each individual attack, for example, the systems being targeted, the consequences of a successful attack, and the vulnerabilities the attack exploits. This history is extremely beneficial for determining how we should respond to each attack—it gives us the information we need to make the right decision.

Between our firewall and the IDS/IPS, we have been saved from the viruses and attacks that have brought other colleges in the area to their knees.

An Ongoing Battle
Educational institutions are in many respects at greater risk than other organizations. Their limited budgets and resources prohibit the implementation of adequate security measures. The decentralized and diverse nature of collegiate networks presents complex IT challenges.

These challenges must be managed within an educational culture built on the free exchange of information and ideas. Successful IT solutions, like intrusion detection/prevention systems, offset stretched or insufficient resources by automating processes, reducing the workload, and increasing staff efficiency.
