Colleges cram for test of new security plans

Bushwhacked last fall by computer worms, network managers at U.S. colleges have taken steps to make sure it won't happen again next month when the new academic year begins.

The steps include embracing Microsoft's Windows XP Service Pack 2, installing new intrusion-detection software, scanning every PC that tries to connect to the campus network, and working harder to convince faculty and students that they have a stake in network security.

But the steps are part of a larger shift in network security awareness: treating every client as a potential threat and continuously monitoring a client's behavior once it authenticates.

"The big priority is security. It kind of drowns out everything else," says Brad Noblet, director of technical services at Dartmouth College in Hanover, N.H. "We continue to get pounded by viruses, and it eats up an awful lot of manpower, as well as disrupting people's lives."

The worm attacks of fall 2003 coincided with a new strategic planning effort unfolding at Ohio State University (OSU) to make security a priority. "We're paying vastly increased attention to security," says Charles Morrow-Jones, director of security and enterprise networking at the school in Columbus.

The change is reflected in the chain of command: Security used to be part of the enterprise networks group, but now Morrow-Jones reports directly to the CIO.

Other changes include centralized anti-virus and anti-spam software, instead of relying on PC applications. OSU selected Clam AntiVirus, an open source program, which can tie into e-mail applications; and Roaring Penguin's CanIt anti-spam software, a commercial application. Finally, OSU will launch a half-day training program for non-technical managers in departments such as finance and human resources on how to secure and protect PCs and data.

Changes like this are evidence that security is being seen as an increasingly broad issue, affecting how, and whether, services are delivered to network users. McGill University in Montreal is deploying a full-blown identity management system based on Novell's Nsure Identity Manager, Novell eDirectory and related products.

"We have students, in-house staff, faculty, alumni," says Gary Bernstein, McGill's director of networks and communications services. "We have to keep track of all of them in terms of their [network] rights and privileges, which are often changing. We want to capture this data and make it available for authorization as well as authentication."

"This is more than convenience," he says. "This is becoming the foundation for almost all network operations in any organization."

Dartmouth has not gone that far, but this fall it will introduce Aladdin Knowledge Systems' eToken, which is a small device that plugs into a USB port on a PC and manages a digital certificate. The certificate is part of an open source public-key infrastructure created by researchers at Dartmouth's PKI Lab, a big step toward creating a secure, single sign-on for users instead of juggling numerous username/password combinations.

The eToken will be handed out to students with their Dartmouth photo ID cards. Initially, the token will be used for user authentication. Eventually, Noblet wants to upgrade the college's applications to support digital certificates and eliminate passwords.

Many institutions are introducing specific products for security, either creating new capabilities or beefing up current products.

One of the most popular is intrusion-prevention systems (IPS), which watch network or application use to report on suspected attacks or unauthorized activity. IPS devices can be configured to block traffic patterns that are known or suspected to be problematic.

Northeastern University in Boston is deploying TippingPoint Technologies' UnityOne IPS. "These devices sit on the net, so we can drop [suspect] traffic before it even becomes a problem," says Richard Mickool, executive director information services.

"You have to be careful as you put all your traffic through these devices," Mickool says. "You don't want to create a single point of failure, and you have to be careful what traffic you block."

Tufts University in Medford, Mass., is focusing on hardening the edge of the network by installing McAfee IntruShield. There are two goals, says Marc Jimenez, manager of network engineering and security: harden the network edge to block attacks from outside the university and detect internal hosts that have been taken over to launch attacks elsewhere. "This will give us another tool in locating internal hosts that have been compromised," he says.